Getting to grips with Accountability

Accountability is a key principle underpinning GDPR and has become the foundation of successful data protection and privacy programmes. It can though be difficult to know where to start and how to keep up the momentum.

Luckily the ICO has developed what I think is a great tool, and it’s just been updated to make it even more user friendly.

The Accountability Framework can really help DPOs and privacy teams. It takes less than an hour to complete – which sounds to me like an hour well spent!

When working with our clients I often find they benefit from help both to recognise their data compliance gaps and then to scope out practical solutions. Any help from the ICO to support businesses down this road should be encouraged.

The Framework focuses on helping you to assess the effectiveness of the measures you have in place to protect personal data, understand where your weaknesses lie and gain clarity on the areas you need to improve.

It’s aimed at senior management, DPOs and those with responsibility for records management and information security.

Ten core areas of accountability

The Framework identifies ten important areas organisations are accountable for.

1. Leadership and oversight
2. Policies and procedures
3. Training and awareness
4. Individuals’ rights
5. Transparency
6. Records of processing and lawful basis
7. Contracts and data sharing
8. Risks and data protection impact assessments
9. Records management and security
10. Breach response and monitoring

Self-assessment tool and tracker

A vital part of the Framework is the self-assessment tool. It enables you to assess your level of compliance in each of the 10 core areas above.
For each area the Framework lays out the ICO’s expectations and asks you to rate how your organisation performs against key measures.

At the end you receive a report which grades your organisation’s performance on each area and helps you to:

  • understand your current compliance levels
  • identify gaps in your privacy programme
  • confirm the next steps you should take to improve accountability
  • communicate what support is needed from senior management to enhance compliance

If you want to go further, you can use the accountability tracker (provided in Excel) to record more detail and create an action plan so you can track your progress over time.

You may also find this useful when you provide management information, e.g. to your Board and/or to other stakeholders.

Improvements to the Framework

After listening to feedback, the ICO has made changes to:

  • improve the Framework’s layout. For example, the 10 core topic areas have been reorganised since the original version, making it easier to navigate
  • adjust the Accountability Tracker so it complements people’s existing working practices

An example: training and awareness

The Framework provides practical ways in which you can meet the legal requirements. ‘Training and awareness’ is a great example.

The ICO expects organisations to provide appropriate data protection and information governance training for staff, including induction for new starters prior to accessing personal data and within one month of their start date.

The training must be relevant, accurate and up to date. Refresher training should be provided at regular intervals.

Specialised roles or functions with key data protection responsibilities should receive additional training and professional development, beyond the basic level.

Organisations should be able to demonstrate that staff understand the training, for example through assessments or surveys.

In addition, you should regularly raise organisational awareness of data protection, information governance and your data policies and procedures in meetings or staff forums and make it easy for staff to access the relevant material.

What next?

The ICO tells us the next steps for the Framework include adding real life case studies which aim to illustrate the innovative ways organisations can demonstrate their accountability.

They also plan to run online workshops to look at how they can adapt and improve the self-assessment tool to better meet business needs. You can register your interest here.

Help for small businesses too

The ICO reminds us that if you work for a smaller organisation you will most likely benefit from their existing resources, available on their SME hub.

For example, you should take a look at their assessment for small business owners and sole traders and you may want to try the data protection self-assessment toolkit.