On 10 September 2020, the UK Information Commissioner’s Office (“ICO”) published its beta-phase “Accountability Framework” (“Framework”).  The Framework is designed to assist organisations, of any size and across all sectors, in complying with the accountability principle under the GDPR and in meeting the expectations of the ICO.

The Framework will help those within organisations who are responsible for implementing data protection compliance strategies.  The ICO envisages that organisations will use the Framework in conjunction with other relevant guidance and materials available from the ICO.  The ICO emphasises that each organisation must be mindful of its own circumstances when managing data protection risks, and that a “one size fits all” approach should not be adopted.

The Framework covers ten categories that organisations should consider when seeking to comply with the accountability principle:

  1. Leadership and Oversight
  • Data Protection Officers (“DPOs”) should perform their tasks independently, without conflict of interest. DPOs should not “take any direct operational decisions about the manner and purposes” of the processing of personal data within their organisation.
  • If an organisation considers that it is not required to appoint a DPO under the GDPR, it should record this decision and assign responsibility for data protection compliance across personnel and resources.
  • Organisations should monitor data protection and information governance activities through regular “oversight group” meetings, which relevant key personnel, including the DPO where appropriate, should attend.
  2. Policies and Procedures
  • Organisations should have appropriate and readily available policies in place that cover data protection, records management and information security.
  • Policies and procedures should reflect a “data protection by design and by default” approach and be updated without undue delay, where required.
  3. Training and Awareness
  • Organisations should train personnel comprehensively in data protection and information governance matters, including national and sector-specific requirements.
  • Organisations should provide induction and refresher training to their personnel regardless of length of tenure, contractual status or grade. The ICO encourages organisations to follow training with testing in order to check that the training has been effective.
  • Organisations should gather and hold evidence of the methods they use to raise awareness of data protection and information governance matters (e.g., briefings, meetings, posters, blogs).
  4. Individuals’ Rights
  • Organisations should provide individuals with clear and relevant information about their rights in relation to their personal data. This information should explain to individuals how to exercise those rights and inform them that they have the right to make a complaint to the ICO.
  • Organisations should deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.
  • Organisations should produce regular performance reports and case quality assessments to ensure that requests are handled appropriately.
  5. Transparency
  • Privacy notices must contain the information mandated under the GDPR.
  • Organisations should communicate this privacy information to individuals at the appropriate time and in a user-friendly manner (e.g., using plain and age-appropriate language, layered notices, icons and smart device functionalities).
  • Organisations should maintain a historical log of privacy notices, including the dates of changes, to allow for convenient review of what information was provided to individuals, and when.
  6. Records of Processing and Lawful Basis
  • Organisations should carry out frequent data-mapping exercises to identify the personal data that they hold and the relevant data flows.
  • Organisations should maintain formal and comprehensive records of processing of personal data, including their lawful basis for processing such data.
  • When relying on consent to process personal data, organisations should retain records of that consent (including what individuals were told at the time they gave consent and how they gave it), and should make it easy for individuals to access, review and withdraw their consent if required.
  7. Contracts and Data Sharing
  • Organisations should ensure that their data sharing agreements comply with the relevant GDPR requirements (e.g., the joint-controller arrangement required by Article 26 or the controller-processor terms required by Article 28), and maintain a log of data sharing arrangements.
  • Organisations should conduct appropriate initial due diligence checks on data processors to ensure that they meet GDPR requirements, and subsequently conduct routine checks to ensure compliance with contractual agreements.
  • When sharing personal data, organisations should pseudonymise or minimise such data wherever possible, and only share it for specific purposes.
  8. Risks and Data Protection Impact Assessments
  • Organisations should adopt a “data protection by design and by default” approach to managing risks, and include data protection impact assessment (“DPIA”) requirements in policies and procedures.
  • Organisations should have a standard, well-structured DPIA template that is written in clear and simple language.
  • Organisations should manage or mitigate the risks identified in a DPIA, and have procedures in place to consult the ICO where this is not possible.
  9. Records Management and Security
  • Organisations should have policies and procedures in place to structure personal data records appropriately so that they can be managed effectively, including a retention schedule setting out storage periods for all personal data.
  • Organisations should have appropriate methods for destroying personal data (e.g., shredding or incineration for paper documents, and wiping, degaussing or secure destruction for electronic devices) and should log all equipment and confidential waste sent for disposal or destruction.
  10. Breach Response and Monitoring
  • Organisations should have appropriate procedures in place to detect and manage a personal data breach, including to evaluate the likelihood and severity of a breach and to ensure that they make appropriate notifications to the ICO and, where necessary, to individuals, within the required timeframes (under Article 33 GDPR, notification to the ICO must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals).
  • Organisations should use external auditors or external self-assessment tools, as appropriate, to provide assurance on data protection and information security compliance.

The Framework is still in its beta-phase and the ICO is providing organisations the chance to give feedback, particularly around “case studies or examples” that could be used to develop the Framework.  The window to provide feedback closes on 2 November 2020.

The team at Covington will continue to monitor developments.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.