The UK Information Commissioner’s Office (ICO) has published a new framework to help organisations comply with the GDPR’s accountability requirements.
Merely having tools in place to mitigate data loss is not enough.
Under the EU’s data protection law, the General Data Protection Regulation (GDPR), organisations must demonstrate accountability: they need proof that the required technical and organisational measures are in place, and a way to validate that those measures are effective.
The accountability obligation comes from Article 5(2) of the GDPR, which states that “the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”, that is, with the other data protection principles.
To help organisations meet their accountability obligations under the GDPR, the ICO published an Accountability Framework last week.
The framework, released Sept. 9, is aimed at telling organisations what they need to do and how to improve their compliance.
The framework has 10 categories that organisations can use to examine their accountability:
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals’ rights
- Transparency
- Records of processing and lawful basis
- Contracts and data sharing
- Risks and data protection impact assessments
- Records management and security
- Breach response and monitoring
Clicking through each category brings users to a checklist that explains why the category matters and details the steps to take to meet it.
For example, the transparency category briefs users on what transparency in data protection means, notes that it is especially important when the information you process relates to a child, and points out that privacy can be a competitive advantage: protecting individuals’ data builds confidence among the public, regulators and business partners.
That section also sets out what the ICO expects of organisations on transparency, i.e. privacy notice content, privacy information, and tools supporting transparency and control.
Data Protection Officer
Further examples of accountability measures include adopting and implementing data protection policies, maintaining documentation of processing activities, recording and reporting personal data breaches, and appointing a Data Protection Officer where one is required.
With increased scrutiny of how companies handle consumer data, not to mention a flurry of data privacy legislation, the framework arrives at an opportune time.
“Successfully embedding accountability will enhance your reputation as a business that can be trusted with personal data,” said Ian Hulme, the ICO’s Director of Regulatory Assurance, commenting on the framework last week.
“The public are increasingly demanding to be shown how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that you have put in place mechanisms to protect their information.”
The Accountability Framework is technically still in its ‘beta phase’, but it could be useful to organisations in the EU looking to understand their accountability requirements. The ICO is inviting comment on the framework’s current form, i.e. whether it meets the needs of organisations and what could be improved, until Nov. 2.
The ICO periodically publishes guidance on data protection best practice. The office has released a list of best practices for small organisations that are just starting out, stressing the importance of knowing why you are holding or collecting people’s data, ensuring security measures are in place, and being transparent.