On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO.

The Framework will help those within organisations who are responsible for implementing data protection compliance strategies.  The ICO envisages that organisations will use the Framework in conjunction with other relevant guidance and materials available from the ICO.  The ICO emphasises that each organisation must be mindful of its own circumstances when managing data protection risks, and that a “one size fits all” approach should not be adopted.

The Framework covers ten categories that organisations should consider when seeking to comply with the accountability principle:

  1. Leadership and Oversight
  • Data Protection Officers (“DPOs”) should perform their tasks independently, without conflict of interest. DPOs should not “take any direct operational decisions about the manner and purposes” of the processing of personal data within their organisation.
  • If an organisation considers that it is not required to appoint a DPO under the GDPR, it should record this decision and assign responsibility for data protection compliance across personnel and resources.
  • Organisations should monitor data protection and information governance activities through regular “oversight group” meetings, which relevant key personnel, including the DPO where appropriate, should attend.
  2. Policies and Procedures
  • Organisations should have appropriate and readily available policies in place that cover data protection, records management and information security.
  • Policies and procedures should reflect a “data protection by design and by default” approach and be updated without undue delay, where required.
  3. Training and Awareness
  • Organisations should train personnel comprehensively in data protection and information governance matters, including national and sector-specific requirements.
  • Organisations should provide induction and refresher training to their personnel regardless of length of tenure, contractual status or grade. The ICO encourages organisations to impose post-training testing in order to ensure that training is effective.
  • Organisations should gather and hold evidence of the methods that they use to raise awareness of data protection and information governance matters (e.g., briefings, meetings, posters, blogs).
  4. Individuals’ Rights
  • Organisations should provide individuals with clear and relevant information about their rights in relation to their personal data. This information should explain to individuals how to exercise those rights and inform them that they have the right to make a complaint to the ICO.
  • Organisations should deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.
  • Organisations should produce regular performance reports and case quality assessments to ensure requests are handled appropriately.
  5. Transparency
  • Privacy notices must contain the information mandated under the GDPR.
  • Organisations should communicate this privacy information to individuals at the appropriate time and in a user-friendly manner (e.g., using plain and age-appropriate language, layered notices, icons and smart device functionalities).
  • Organisations should maintain a historical log of privacy notices, including dates of changes to allow for convenient review of what information was provided to individuals, and when.
  6. Records of Processing and Lawful Basis
  • Organisations should carry out frequent data-mapping exercises to identify the personal data that they hold and relevant data flows.
  • Organisations should maintain formal and comprehensive records of processing of personal data, including their lawful basis for processing such data.
  • When relying on consent to process personal data, organisations should retain records of that consent (including what individuals were told at the time they gave consent and how they gave it), and should make it easy for individuals to access, review and, if they wish, withdraw their consent.
  7. Contracts and Data Sharing
  • Organisations should ensure that their data sharing agreements comply with the relevant GDPR requirements (e.g., in instances of joint controllership or controller-processor agreements), and maintain a log of data sharing arrangements.
  • Organisations should conduct appropriate initial due diligence checks on data processors to ensure that they meet GDPR requirements, and subsequently conduct routine checks to ensure compliance with contractual agreements.
  • When sharing personal data, organisations should pseudonymise or minimise such data wherever possible, and only share it for specific purposes.
  8. Risks and Data Protection Impact Assessments
  • Organisations should adopt a “data privacy by design and by default” approach to managing risks, and include data protection impact assessment (“DPIA”) requirements in their policies and procedures.
  • Organisations should have a standard, well-structured DPIA that is written in clear and simple language.
  • Organisations should manage/mitigate risks identified in a DPIA and have procedures in place to consult the ICO where this is not possible.
  9. Records Management and Security
  • Organisations should have policies and procedures in place to appropriately structure personal data records so as to effectively manage them, including maintaining a retention schedule outlining storage periods for all personal data.
  • Organisations should have appropriate methods for destroying personal data (e.g., shredding or incineration for paper documents, and wiping, degaussing or secure destruction for electronic devices) and should log all equipment and confidential waste sent for disposal or destruction.
  10. Breach Response and Monitoring
  • Organisations should have appropriate procedures in place to detect and manage a personal data breach, including to evaluate the likelihood and severity of a breach and to ensure that they make appropriate notifications to the ICO and, where necessary, individuals, within the required timeframes.
  • Organisations should use external auditors or external self-assessment tools, as appropriate, to provide assurances on data protection and information security compliance.

The Framework is still in its beta-phase and the ICO is providing organisations the chance to give feedback, particularly around “case studies or examples” that could be used to develop the Framework.  The window to provide feedback closes on 2 November 2020.

The team at Covington will continue to monitor developments.

Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.

Jonathan Benjamin

Jonathan Benjamin is an associate in the London office, working in the firm’s technology transactions team, advising technology and life sciences clients on the intersection between commercial matters and data privacy/security.

Mr. Benjamin’s practice covers a broad range of technology agreements including those related to data sharing, data processing, outsourcing, and IT contracts. In addition, Mr. Benjamin advises on a range of regulatory matters under the GDPR.