The UK’s Information Commissioner’s Office (“ICO”) published earlier this month its Accountability Framework, available here. The Accountability Framework is designed to assist companies demonstrate compliance with their accountability obligation under the General Data Protection Regulation (“GDPR”) and assess whether their current measures meet the ICO’s expectations.
The Accountability Framework consists of ten categories where the ICO expects companies to be able to demonstrate compliance:
- Leadership and oversight;
- Training and awareness;
- Contracts and data sharing;
- Records management and security;
- Policies and procedures;
- Individuals’ rights;
- Records of processing and lawful basis;
- Risks and data protection impact assessments; and
- Breach response and monitoring.
The ICO’s key expectations are then detailed within each category, alongside a list of non-exhaustive practical examples on how companies can demonstrate accountability relating to each of them. Therefore, companies have flexibility as to how they implement these suggestions within their organizations. What is “key” is that the measures are “appropriate, risk-based and proportionate”.
To help companies even further, the ICO has also integrated a self-assessment tool in the Accountability Framework for companies to assess whether their internal procedures meet the ICO’s expectations in relation to accountability. The results of the self-assessment are not shared with the ICO. There is also an accountability tracker, which is available as an Excel workbook, where companies can record their current compliance status and outstanding actions offline.
While the ICO’s Accountability Framework is not intended to be a checklist, and each organization should consider appropriate measures to put in place based on their own operations, the ICO’s Accountability Framework offers a detailed insight into what the supervisory authority is seeking from companies, if they were ever to investigate them. Companies should therefore take note of the key expectations and consider appropriate measures to ensure compliance.
The Accountability Framework is currently in its “beta stage”, and the ICO is aiming to improve it following consultations with stakeholders. We will keep monitoring progress and provide further updates.