On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO.

The Framework will help those within organisations who are responsible for implementing data protection compliance strategies.  The ICO envisages that organisations will use the Framework in conjunction with other relevant guidance and materials available from the ICO.  The ICO emphasises that each organisation must be mindful of its own circumstances when managing data protection risks, and that a “one size fits all” approach should not be adopted.

The Framework covers ten categories that organisations should consider when seeking to comply with the accountability principle:

  1. Leadership and Oversight
  • Data Protection Officers (“DPOs”) should perform their tasks independently, without conflict of interest. DPOs should not “take any direct operational decisions about the manner and purposes” of the processing of personal data within their organisation.
  • If an organisation considers that it is not required to appoint a DPO under the GDPR, it should record this decision and assign responsibility for data protection compliance across personnel and resources.
  • Organisations should monitor data protection and information governance activities through regular “oversight group” meetings, which relevant key personnel, including the DPO where appropriate, should attend.
  2. Policies and Procedures
  • Organisations should have appropriate and readily available policies in place that cover data protection, records management and information security.
  • Policies and procedures should reflect a “data protection by design and by default” approach and be updated without undue delay, where required.
  3. Training and Awareness
  • Organisations should train personnel comprehensively in data protection and information governance matters, including national and sector-specific requirements.
  • Organisations should provide induction and refresher training to their personnel regardless of length of tenure, contractual status or grade. The ICO encourages organisations to impose post-training testing in order to ensure that training is effective.
  • Organisations should gather and hold evidence of the methods that they use to raise awareness of data protection and information governance matters (e.g., briefings, meetings, posters, blogs, etc.).
  4. Individuals’ Rights
  • Organisations should provide individuals with clear and relevant information about their rights in relation to their personal data. This information should explain to individuals how to exercise those rights and inform them that they have the right to make a complaint to the ICO.
  • Organisations should deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.
  • Organisations should produce regular performance reports and case quality assessments to ensure requests are handled appropriately.
  5. Transparency
  • Privacy notices must contain the information mandated under the GDPR.
  • Organisations should communicate this privacy information to individuals at the appropriate time in a user-friendly manner (e.g., using plain and age-appropriate language, layered notices, icons and smart device functionalities, etc.).
  • Organisations should maintain a historical log of privacy notices, including the dates of changes, to allow for convenient review of what information was provided to individuals, and when.
  6. Records of Processing and Lawful Basis
  • Organisations should carry out frequent data-mapping exercises to identify the personal data that they hold and the relevant data flows.
  • Organisations should maintain formal and comprehensive records of processing of personal data, including their lawful basis for processing such data.
  • When relying on consent to process personal data, organisations should retain records of such consent (including what individuals were told at the time they provided consent and how they provided consent), allowing easy access to, review of and withdrawal of such consents, if required.
  7. Contracts and Data Sharing
  • Organisations should ensure that their data sharing agreements comply with the relevant GDPR requirements (e.g., in instances of joint controllership or controller-processor agreements), and maintain a log of data sharing arrangements.
  • Organisations should conduct appropriate initial due diligence checks on data processors to ensure that they meet GDPR requirements, and subsequently conduct routine checks to ensure compliance with contractual agreements.
  • When sharing personal data, organisations should pseudonymise or minimise such data wherever possible, and only share it for specific purposes.
  8. Risks and Data Protection Impact Assessments
  • Organisations should adopt a “data privacy by design and by default” approach to managing risks, and include data protection impact assessment (“DPIA”) requirements in policies and procedures.
  • Organisations should have a standard, well-structured DPIA that is written in clear and simple language.
  • Organisations should manage/mitigate risks identified in a DPIA and have procedures in place to consult the ICO where this is not possible.
  9. Records Management and Security
  • Organisations should have policies and procedures in place to appropriately structure personal data records so as to effectively manage them, including maintaining a retention schedule outlining storage periods for all personal data.
  • Organisations should have appropriate methods for destroying personal data (e.g., shredding or incineration for paper documents, and wiping, degaussing or secure destruction for electronic devices) and should log all equipment and confidential waste sent for disposal or destruction.
  10. Breach Response and Monitoring
  • Organisations should have appropriate procedures in place to detect and manage a personal data breach, including to evaluate the likelihood and severity of a breach and to ensure that they make appropriate notifications to the ICO and, where necessary, individuals, within the required timeframes.
  • Organisations should use external auditors or external self-assessment tools, as appropriate, to provide assurances on data protection and information security compliance.

The Framework is still in its beta-phase and the ICO is providing organisations the chance to give feedback, particularly around “case studies or examples” that could be used to develop the Framework.  The window to provide feedback closes on 2 November 2020.

The team at Covington will continue to monitor developments.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.