Being presented with a list of expectations and ways to meet those expectations by someone you’re in a relationship with isn’t generally considered endearing. But the Information Commissioner’s done just that with her newly launched Accountability Framework, and many organisations she regulates might grow to love her for it.
The accountability principle introduced by the GDPR is no longer a stranger to most. But, with cards on the table, many organisations will admit to fumbling around in the dark these last couple of years or so, struggling to work out what will please if ever her officers come knocking. The trade-off for the flexibility that principles-based regulation offers to regulators who are constantly playing catch-up with tech is usually more uncertainty for the regulated. And that’s no truer than of the GDPR.
So when it comes to accountability, many organisations have been asking the same question: beyond the obvious such as policies, records of processing and training, how on earth do I show that I’m compliant?
Well, Ms Denham seemingly has the answer. Based on her Office’s experiences, she’s developed an Accountability Framework. It’s still in beta, so very much a work in process. Divided into 10 categories, each category lists the Information Commissioner’s expectations and ways to meet them. Here are the categories:
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals’ rights
- Transparency
- Records of processing and lawful basis
- Contracts and data sharing
- Risks and data protection impact assessments
- Records management and security
- Breach response and monitoring
If you love a good spreadsheet, you’ll be handsomely rewarded for visiting the Accountability Framework section of the ICO website – there’s an accountability tracker which, in glorious technicolour, separates the 10 categories into a rainbow of tabs and then breaks them down into bite-size rows of key expectations and ways to meet them. Since we're reminded that accountability isn't a box-ticking exercise, there are drop down options to select instead.
The ICO suggests that you can use the framework in a number of different ways. Coupling the tracker with a structured programme like Lewis Silkin’s GDPR Health Assessment, not just to identify any compliance gaps but also to remediate them, seems to us like a winning combination (but then we would say that).
Of course, with her website's analytics cookies now off by default, the Information Commissioner won’t be able to gauge the framework’s popularity the way she once might have. But by highlighting the 10 things she hates about organisations’ data protection compliance in this way, her Office is clearly seeking to appeal to their hearts. And why not? After all, it worked in the 90’s rom-com.
Today we’ve launched a practical tool to help organisations manage their approach to privacy and to understand what good accountability looks like.