On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”). The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO.
The Framework will help those within organisations who are responsible for implementing data protection compliance strategies. The ICO envisages that organisations will use the Framework in conjunction with other relevant guidance and materials available from the ICO. The ICO emphasises that each organisation must be mindful of its own circumstances when managing data protection risks, and that a “one size fits all” approach should not be adopted.
The Framework covers ten categories that organisations should consider when seeking to comply with the accountability principle:
- Leadership and Oversight
  - Data Protection Officers (“DPOs”) should perform their tasks independently and without conflict of interest. DPOs should not “take any direct operational decisions about the manner and purposes” of the processing of personal data within their organisation.
  - If an organisation considers that it is not required to appoint a DPO under the GDPR, it should record this decision and its reasons, and assign responsibility for data protection compliance across personnel and resources.
  - Organisations should monitor data protection and information governance activities through regular “oversight group” meetings, which relevant key personnel, including the DPO where appropriate, should attend.
- Policies and Procedures
  - Organisations should have appropriate and readily available policies in place that cover data protection, records management and information security.
  - Policies and procedures should reflect a “data protection by design and by default” approach and be updated without undue delay where required.
- Training and Awareness
  - Organisations should train personnel comprehensively in data protection and information governance matters, including national and sector-specific requirements.
  - Organisations should provide induction and refresher training to all personnel, regardless of length of tenure, contractual status or grade. The ICO encourages organisations to test personnel after training in order to confirm that the training has been effective.
  - Organisations should gather and retain evidence of the methods they use to raise awareness of data protection and information governance matters (e.g., briefings, meetings, posters and blogs).
- Individuals’ Rights
  - Organisations should provide individuals with clear and relevant information about their rights in relation to their personal data. This information should explain how individuals can exercise those rights and inform them that they have the right to complain to the ICO.
  - Organisations should handle requests from individuals in a timely manner that meets both individual expectations and statutory timescales.
  - Organisations should produce regular performance reports and case quality assessments to ensure that requests are handled appropriately.
- Transparency
  - Privacy notices must contain the information mandated under the GDPR.
  - Organisations should communicate this privacy information to individuals at the appropriate time and in a user-friendly manner (e.g., using plain and age-appropriate language, layered notices, icons and smart-device functionality).
  - Organisations should maintain a historical log of privacy notices, including the dates of changes, so that they can readily review what information was provided to individuals, and when.
- Records of Processing and Lawful Basis
  - Organisations should carry out regular data-mapping exercises to identify the personal data they hold and the relevant data flows.
  - Organisations should maintain formal and comprehensive records of their processing of personal data, including the lawful basis relied on for each processing activity.
  - When relying on consent to process personal data, organisations should retain records of that consent (including what individuals were told at the time and how they gave consent) and should make it easy for individuals to access, review and withdraw their consent.
- Contracts and Data Sharing
  - Organisations should ensure that their data sharing agreements comply with the relevant GDPR requirements (e.g., for joint controllership or controller-processor arrangements), and should maintain a log of data sharing arrangements.
  - Organisations should carry out appropriate due diligence checks on data processors before engaging them, to ensure that they meet GDPR requirements, and should subsequently carry out routine checks to ensure compliance with the contractual terms.
  - When sharing personal data, organisations should pseudonymise or minimise the data wherever possible, and share it only for specific purposes.
- Risks and Data Protection Impact Assessments
  - Organisations should adopt a “data protection by design and by default” approach to managing risks, and include data protection impact assessment (“DPIA”) requirements in their policies and procedures.
  - Organisations should use a standard, well-structured DPIA template written in clear and simple language.
  - Organisations should manage and mitigate the risks identified in a DPIA, and have procedures in place for consulting the ICO where a high residual risk cannot be mitigated.
- Records Management and Security
  - Organisations should have policies and procedures in place to structure personal data records appropriately so that they can be managed effectively, including a retention schedule setting out storage periods for all personal data.
  - Organisations should have appropriate methods for destroying personal data (e.g., shredding or incineration for paper documents, and wiping, degaussing or secure destruction for electronic devices), and should log all equipment and confidential waste sent for disposal or destruction.
- Breach Response and Monitoring
  - Organisations should have appropriate procedures in place to detect and manage a personal data breach, including to evaluate the likelihood and severity of a breach and to ensure that they notify the ICO and, where necessary, affected individuals within the required timeframes (for the ICO, within 72 hours of becoming aware of a notifiable breach).
  - Organisations should use external auditors or self-assessment tools, as appropriate, to obtain assurance on data protection and information security compliance.
The Framework is still in its beta phase and the ICO is giving organisations the opportunity to provide feedback, particularly “case studies or examples” that could be used to develop the Framework further. The window for feedback closes on 2 November 2020.
The team at Covington will continue to monitor developments.