The ICO has been running a consultation on the introduction of an Accountability Toolkit to help businesses test their compliance with the accountability principle under the GDPR; and to demonstrate this to the ICO and their customers/clients. The ICO expects to publish a finalised Accountability Toolkit in 2020.
Article 5(2) of the GDPR introduces a new accountability principle, requiring data controllers to demonstrate that they are in fact complying with their obligations under the GDPR (two examples are: not processing data for other purposes than those initially specified; and data minimisation).
2. The Toolkit
The consultation document (available here) include high-level questions but doesn’t at this stage contain a draft of the entire accountability toolkit. The aim of the toolkit is not to provide an exhaustive checklist, but to act as a prompt for organisations to take responsibility for designing their own accountability framework.
The management structures section sets out a series of expectations, together with indicators of effectiveness. For example, one expectation is: “Expectation 5. Information management group. There is a management group in your organisation responsible for the oversight of data protection and information governance.” There are then 6 indicators, e.g. “There are terms of reference in place outlining the aims of the group and records of meeting minutes including actions to be made that are documented upon completion.”
This structure allows a measure of flexibility as you don’t necessarily need to tick off every indicator if you achieve the expectation in a different manner.
3. Who does this apply to?
Almost every business is a data controller in at least some respects and so the ICO’s drive for greater accountability will have wide applicability. While the Accountability Toolkit itself may not be mandatory, businesses will need to be able to demonstrate accountability in one way or another.
4. How or why does this apply to me?
Once the toolkit has been finalised and implemented in 2020, best practice for data controllers will be to use and adapt the Accountability Toolkit.
5. What should my business be doing now?
Consider the measures, processes and record keeping that you have in place already, so that your business is well positioned to make use of the Accountability Toolkit.
Typical measures for ensuring compliance and accountability include:
- implementing data protection policies;
- a “data protection by design and default” approach;
- putting written contracts in place with your data processors;
- documenting your processing activities;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments in advance of any uses of personal data that are likely to result in high risk to individuals’ interests;
- considering whether to appoint a data protection officer; and
- adhering to relevant codes of conduct or signing up to certification schemes.
6. What happens next?
The consultation closed on 9 December 2019 and the ICO is expected to publish the findings from its consultation in early 2020. We would expect the Accountability Toolkit to be live in Q2 or Q3 of 2020.
7. How can we help you with accountability?
We have experience in helping businesses with all aspects of the GDPR. We tailor support based on a client’s own capabilities and resources. We can provide support with drafting policies, advising internal management teams and supporting in related contract drafting and negotiation. We also support clients involved in data and cyber breaches.
8. How do you get in touch with us for more help on this?
For more information or advice, please contact Rebecca Steer firstname.lastname@example.org.