The ICO’s Accountability Framework – keeping data protection on your radar
The word ‘accountability’ is only mentioned three times in the GDPR. This may sound alarming, especially if you understand the importance of accountability as a fundamental principle of the text and a key differentiator when compared to its predecessor – the Data Protection Directive. Despite the GDPR’s implementation more than two years ago, organisations are still challenged with understanding what accountability means and how to go about demonstrating it. Fortunately, the UK’s Information Commissioner’s Office (ICO) has sought to provide some much-needed clarity in this area through its recently published ‘Accountability Framework’.
Unlike the actual use of the word, ‘accountability’ as a concept is interwoven throughout the GDPR. It relates to an organisation’s approach to achieving compliance and its ability to demonstrate this on a continual basis. This is the important part to emphasise – data protection compliance is not a one-off exercise. As the ICO describes, it should be part of the culture and fabric of the organisation and underpin how the business pursues new initiatives, works with its vendors and communicates to its stakeholders. Of course, data protection compliance should not be your only priority – but it should definitely be on your radar.
The consequences of noncompliance can be particularly harsh. In Denmark, for example, a company selling furniture and lifestyle products was fined approximately €200k for failing to demonstrate its data deletion procedures, which ultimately resulted in the unlawful storage of personal information beyond what was necessary. Similarly, a consultancy in Greece was handed a fine of €150k for being unable to demonstrate to the Greek Data Protection Authority that it had carried out an assessment of the appropriate legal bases for processing employee personal data.
It is clear, then, that achieving a defensible position in the eyes of the regulator is critical. But how do we go about demonstrating accountability? A simple entry on your risk register would not be sufficient. Likewise, having training materials, policies and data flow maps tucked away in your ‘GDPR 2018’ subfolder would also miss the point. As a general rule of thumb, you must be prepared at any time to evidence what you have been doing in the last six months should your Data Protection Authority suddenly come knocking. A pre-emptive approach rather than a reactive one is the key here.
Fortunately, one such Data Protection Authority, the UK’s ICO, has provided a toolkit to help you achieve this. The ICO distils the core requirements needed to demonstrate accountability into ten areas. A brief description of what they are looking for is shown below:
Clearly, there is a lot to do. The ICO’s own compliance tracker specifies 338 distinct actions for completion in order to fully meet its expectations. Of course, navigating these requirements in the face of competing priorities or limited resourcing and expertise can make demonstrating accountability a tricky exercise – particularly if you are a small or medium-sized enterprise. However, the benefits of instilling good data protection practices at a fundamental level can be significant and should not be ignored. Surveys have shown that consumers prefer privacy-conscious organisations, and as people become more aware of their data rights, the need for organisations to be accountable and transparent will only increase.
If you require advice and support on how to comply with the ICO’s newly published Accountability Framework, please contact our Data Protection Team at Xcina Consulting. We provide practical and effective solutions to meet your needs and help you to achieve a robust and defensible position. Email firstname.lastname@example.org for more information.