A guide to Accountability, according to the ICO

‘Accountability’ is one of the 7 Principles under the GDPR (General Data Protection Regulation), but various organisations offer differing perspectives on what accountability actually means and how to demonstrate it appropriately. With so much conflicting information and widespread speculation over its definitive meaning, there has been an increase in public demand for transparency on the use and storage of personal data. More specifically, is it in safe hands, and are the right protocols and mechanisms in place to keep personal information protected?
As a means of providing some clarity, and to ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.
The ICO has highlighted the following 10 categories that an organisation of any size must have to demonstrate accountability:
- Leadership and oversight
- Training and awareness
- Contracts and data sharing
- Records management and security
- Policies and procedures
- Individuals’ rights
- Records of processing and lawful basis
- Risks and data protection impact assessments
- Breach response and monitoring
Over the next ten months, we’ll be guiding you through the categories, taking a closer look at the importance of each aspect and how to adhere to them.
- Leadership & Oversight
One of the most fundamental components at the core of accountability is strong leadership. Senior management and members of the board are ultimately accountable and should lead by example to encourage a proactive and positive approach to data protection. All staff members must have clearly defined responsibilities for data protection-related activities, at both a strategic and an operational level. But it’s important to understand that data protection is a shared responsibility amongst all employees.
There are several necessary factors for any company to ensure it is effectively demonstrating accountability. For starters, there should be clearly established policies that set out the organisational structure, so everyone understands who reports to whom. This helps to maintain individual ownership and accountability, and reduces the likelihood of miscommunication.
To keep things running smoothly at all times, staff must understand their responsibilities, so each role and specific job description must be documented and reviewed regularly. Additionally, any training and skills requirements are to be recorded in the job descriptions.
Like everything in business, clarity is essential, so reporting lines must always be clear. Fostering positive working relationships and open communication between staff is very important, as it facilitates the free flow of information amongst team members and between departments. Staff should manage records effectively and store data securely at all times.
Another factor is whether you are required to appoint a DPO, or whether you have chosen to do so voluntarily, and why. The DPO plays a vital role in proceedings, with specific responsibilities for data protection compliance, raising awareness, training and audits. They must have an intimate knowledge of the appropriate laws, policies and practices. All staff must know who the DPO is, what the role entails and how to contact them. If your organisation is not required to appoint a DPO, you should appropriately assign responsibility for data protection compliance in accordance with the law.
Regular leadership meetings should be held and chaired by a senior staff member, such as the DPO, MD or SIRO (Senior Information Risk Owner). Every meeting should have a clearly defined agenda and minutes in which actions and decisions are captured, including action ownership and target dates. Standard agenda items should include, but not be limited to:
- Data Protection
As a result of these meetings, the team can strategise and formulate a work or action plan that is monitored regularly.
Check back for monthly updates and information regarding the ICO Accountability Framework. In November we’ll be taking a closer look at Training & Awareness.
If you require any further help, guidance, information or clarification, you can contact