Part 3: Transparency

Accountabilityis one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICOs 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.


Keeping your customers informed

Businesses have a legal and moral obligation to the public to always be honest, clear and open when it comes to the storage, management and usage of private information. Transparency is an important data protection principle, and crucial to businesses when adopting a ‘data protection by design and by default’ approach. It facilitates the building of trust and demonstrates respect towards people’s personal data. By allowing them to review the content for accuracy and edit if necessary, you are giving them more control and greater freedom to exercise their rights as an individual.

Its all about trust

Being proactive in respecting people’s privacy can also put your company ahead of the competition by further inspiring the confidence of the public, regulators and business partners.

Follow the guidelines

The ICO’s framework offers clear and comprehensive instructions for what this should look like in practice. First and foremost, your organisation’s privacy information or notice must include all the required information under Article 13 and 14 of the GDPR.

Clarity is Key

Your organisation must provide privacy information that is clear, concise and intelligible. Be sure to use plain language, avoid jargon and communicate the information in a way that is suitable for the intended audience. It must be easily accessible, clearly visible and in the appropriate format.

You will also need to have a recorded procedure in place to ensure that individuals receive privacy information at the correct time unless an exemption applies in their case.

Stay organised

Every member of staff should receive training on data protection practices, and you must record this to provide evidence.

You must keep a log of all historical privacy notices and ensure that it is appropriately maintained, so it must include a date stamp of any changes made.

If your company plans to use collected personal data for a new purpose, then you must inform the individual of any changes before commencing the new process.

Always be candid with your clients

If your organisation relies on an automated decision and has legal or similarly significant effects, you must tell individuals about the processing. Be sure to include what information you are using, why you are using it and what the impact is likely to be. Procedures should be in place to enable individuals to exercise their rights, including obtaining human intervention, expressing their point of view and contesting the decision.

For a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. In January, we’ll be taking a closer look at Contacts & Data Sharing. You can also read our other blogs in the series on Leadership & Oversight, and Training & Awareness.

If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506. You can also Sign Up to our communication plan for updates and tips, so that you don’t miss out on future entries of our Guide to the ICO Accountability Framework blog series.  Additionally, you can fill out a digital self-assessment form on the ICO website, here Accountability framework self-assessment | ICO

CVG Membership

As a brand-new addition to CVG Solutions, we launched a membership option last month to cover all your training needs. The membership is packed with goodies specially designed to bring you the most value

  • 8+1 modules of live and recorded training material
  • Access to the ‘Ask the Expert’ Forum enabling you to access our expertise
  • Shared Learning with other members
  • And Consultations slots with our experts

if you would like to know more and how to apply please email us at with ‘membership’ in the title.

You might find the following questions useful to help you assess if you have your base covered.

  1. Are individuals provided with clear information about the source of personal data, if you don’t obtain it from the individual concerned?
  2. Would customers say you proactively made them aware of privacy information?
  3. Do your staff understand when and how a Privacy Notice should be provided?
  4. Did you use an appropriate form of communication?
  5. Was the Privacy Notice easy to understand?
  6. Would individuals say that you explained the processing to them in a meaningful way that helped them to exercise their rights?
  7. Is it easy for them to access the personal data you used to create profiles?
  8. Is there an effective review process?
  9. Do your staff understand what privacy information is and what must be provided?
  10. Would your staff say that your policies are clear, easy to find and access?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance.   Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPD, how it can strengthen their brand, and how it can support them to drive business growth.  Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.  Click here to know more.