As the ICO closes its consultation on its new Accountability Framework this week, it’s never been a better time to consider how you can demonstrate data protection accountability in your organisation. The EU General Data Protection Regulation makes it quite clear that it’s not enough just to adhere to the key principles for processing personal data, but that you also need to be able to show how you are meeting these principles.
But what does that mean in practice? Well, the ICO provides a list of areas where it feels organisations should be demonstrating accountability.
- Ensuring you have clearly defined roles and accountability structures for implementing improvements to data protection practices within your organisation. These should run from Board level right down to individual staff members, incorporating specialist Data Protection roles where needed.
- Ensuring you have appropriate data protection policies, including those for effectively responding to individuals’ data subject requests, such as subject access requests, and for effectively managing data breaches. You should be able to evidence that these have been fully implemented within your organisation.
- Fully embedding data protection practices within your organisation by taking a ‘data protection by design and default’ approach. This means your organisation considers how personal data should be managed before you start using that data, and at every point afterwards, ensuring appropriate technical and organisational measures are in place to meet the data protection principles and individuals’ rights. The routine use of Data Protection Impact Assessments is one key way to ensure this is happening, especially where use of the data could have a significant impact on individuals.
- Making sure you know which third parties are processing your personal data and ensuring that their obligations for protecting this information are covered in contracts/data processing agreements in line with the requirements detailed in the GDPR.
- Ensuring you have clearly documented all your uses of personal data – this may be in the form of an information asset register or a record of processing.
- Implementing appropriate technical security measures so that personal data held in your systems or shared electronically are protected.
In the future, organisations will have the opportunity to sign up to an agreed ICO certification scheme or code of conduct, which will help evidence that some of these areas are being implemented, but these are still in development. However, other certifications already in place can help to demonstrate accountability, including ISO 27001, Cyber Essentials and other relevant compliance frameworks.
More information on accountability is available on the ICO website. If you would like the opportunity to explore accountability in more detail, the next Northern Information Governance Forum event in January is specifically focused on this topic area. Click here to find out more and book your place.