How the ICO’s Accountability Framework could help your business
In September 2020 the UK’s Information Commissioner’s Office (ICO) published an Accountability Framework, aimed at helping organisations to recognise and deliver on their responsibilities under the GDPR.
Accountability is a bedrock of GDPR and a foundation of successful data protection and privacy programmes.
It makes organisations responsible and accountable for making sure they comply with the law and requires them to be able to demonstrate how they do this. It’s a topic which is increasingly woven throughout ICO guidance.
The framework is aimed at senior management, DPOs and those with responsibility for records management and information security. It is currently in what the ICO describes as a ‘beta phase’ and the intention is to enhance it over time in consultation with others.
So, how can this framework help your business?
The ten core areas of accountability
The new framework identifies ten areas in which organisations must be able to demonstrate accountability:
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals' rights
- Transparency
- Records of processing and the lawful bases for processing
- Contracts and data sharing
- Risk management and Data Protection Impact Assessments
- Records management and security
- Breach response and monitoring
For each of these areas, the framework lays out the ICO’s expectations and provides practical ways in which you can meet the requirement. A good example is training and awareness.
The ICO expects organisations to have a data protection and information governance training programme for all staff, including induction for new starters before they access personal data and within one month of their start date. Refresher training should also be provided at regular intervals. Specialised roles or functions with key data protection responsibilities should receive additional training and professional development beyond the basic level.
Organisations should be able to demonstrate that staff have understood the training, for example through assessments or surveys. In addition, you should regularly raise organisational awareness of data protection, information governance and your data policies and procedures in meetings or staff forums, and make it easy for staff to access the relevant material.
The self-assessment tool
A vital part of the Framework is the new self-assessment tool. This helps businesses to identify where they are, or are not, meeting their GDPR obligations. It invites you to assess your level of compliance in each of the ten core areas.
A report is generated which aims to help you:
- understand your current compliance levels and identify gaps;
- confirm the next steps you should take to improve accountability;
- communicate what support is needed from senior management to enhance compliance, for example more training or additional resources;
- use an ‘accountability tracker’ to monitor how your compliance is progressing.
This could be a really useful tool for DPOs and privacy teams. It takes less than an hour to complete – which sounds to me like an hour well spent!
When working with our clients I often find they benefit from help both to recognise their data compliance gaps and then to scope out practical solutions. Any help from the ICO to support businesses down this road should be encouraged.
Fedelma Good, Director at PwC and DPN Advisory Board member, commented:
“I was delighted to see the ICO publish their Accountability Framework in September. Elizabeth Denham has consistently advised organisations to take stock of what data they process, and consider the risks that processing is creating.
She has emphasised that if a CEO or Chairman isn’t aware of all the finer detail of how an organisation complies with data protection, they should at least be aware of their corporate obligations around accountability. In her words “When neglected, accountability is a business risk like any other”.
“The publication of the Accountability Framework and the accompanying accountability self-assessment give the C-suite an opportunity to understand the key issues and reflect on the risks they may face in the way their organisation undertakes processing of personal data.”
Why launch it now?
The timing of the launch might seem a little off, as many businesses are focused primarily on coping with the many impacts of the global COVID-19 pandemic.
Yes, businesses absolutely face very tough times. But I see the assessment tool in particular as a valuable enabler, helping you quickly work out where your weak points are so you can place your efforts where they are most needed.
Think of it as helping your business to understand where it’s at with data protection, so you can focus efforts on what’s most important. I would argue if you complete the self-assessment, read the report and create and seek commitment to your action plan, this will form a key part of demonstrating proper accountability.
Ian Hulme, Director of Regulatory Assurance at the ICO, also commented:
“Data protection compliance is not one size fits all. Our framework has been designed to support organisations to identify the right steps and actions to improve their compliance. It should empower and enable you to embed accountability throughout your organisation.”
“Successfully embedding accountability will enhance your reputation as a business that can be trusted with personal data. The public are increasingly demanding to be shown how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that you have put in place mechanisms to protect their information.”
Help for small businesses too
The ICO reminds us that if you work for a smaller organisation you will most likely benefit from their existing resources, available on their SME hub.
For example, you should take a look at their assessment for small business owners and sole traders and you may want to try the data protection self-assessment toolkit.
Simon Blanchard, November 2020
If you would like help improving your business’s data protection programme and accountability, DPN can help. From delivering practical and engaging training through to helping with impact assessments, subject access requests or protecting against a data breach, please Get in Touch with us.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.