Nov 30
ICO accountability framework

The case for ICO’s accountability framework and tracking requirements

As we all know, the controller should be behind the wheel regarding its processing operations. As follows from article 5(2) of the GDPR, the controller “shall be responsible for, and be able to demonstrate compliance with” all the (other) data processing principles. Privacy professionals call this the accountability principle.
In theory and practice, the accountability principle and the others are quite the opposite of simple. They do not lay down clear and straightforward rules that can be followed; instead, controllers must seek clarity by following authorities’ guidelines and courts’ rulings.

Luckily for the privacy community, authorities are developing guidance to help us understand the accountability principle and translate it into actionable items. One good example is the Accountability Framework constructed by the UK’s ICO. They created it to make it simpler for organisations to demonstrate compliance with the UK GDPR and to set high standards in any privacy program.

The ICO says that the framework can be used in multiple ways, for example, to create a comprehensive privacy management program; to assess your existing practices against their expectations; to demonstrate compliance; to record, track, and report on progress; and to increase senior management engagement and privacy awareness across your organisation. The framework’s overall perk is surely that it could be used as a benchmark for your organisation. That leads us, of course, to the question of what the framework is and what its components are.

I’ll begin by explaining the framework in numbers. It is divided into ten different categories, but at the framework’s core, there are 78 of the ICO’s expectations and 338 example actions showing how to live up to them. These 338 actions are undeniably the framework’s most important part. The method is as follows: for each action, you set a current status and the reason for the status, as well as any planned actions that you will take to align yourself with their expectations. Pretty simple, right?

Let me give an example! For data mapping, they expect that your organisation frequently carries out comprehensive data mapping exercises, providing a clear understanding of what information is held and where. There are three linked actions to meet this expectation. Firstly, you carry out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation. Secondly, you keep the data map up-to-date and clearly assign responsibilities for maintaining and amending it. Lastly, you consult staff across your organisation to ensure an accurate picture of the processing activities.

To start working with the expectation, set a current status for each action, i.e., fully, partly, or not meeting the expectation (or, in some instances, not applicable), and then explain why that level was set. For example, we are partly compliant with keeping the data map up-to-date, since we haven’t assigned responsibilities for maintaining and amending the data map to anyone. The reason is that we don’t have enough time and can’t allocate additional resources for data mapping, so the action is rejected for now.

We believe that the ICO’s framework is great for your privacy toolbox and your data protection team. We like it so much that we included it in DPOrganizer’s new feature, the Requirements Tracker.

The Requirements Tracker is a smoother way to keep track of all your obligations in one place. We have designed it so you can have external and internal frameworks broken down into actionable requirements. The library contains frameworks such as the ICO’s accountability framework, as well as the EU GDPR and the UK GDPR. Naturally, every framework is customizable, and you can create your own frameworks and standards and track the progress.

You can categorize, describe the requirements, and add guidance, documentation and external links. And to show accountability, there is a handy activity log to document actions over time. We know managing a privacy program and showing your improvements to management is demanding. Therefore, the Requirements Tracker has an overview tab to visualize the compliance levels and compliance history.

Now, you will have a place to align your team for prioritizing and planning your ongoing and future compliance work. More time for action and better results!
The team and I, who have been working on the project for some time, can’t wait for it to get into the hands of even more privacy professionals. Don’t hesitate to reach out to me at albin.thelin@nulldporganizer.com or any other team member in DPOrganizer to learn more about this fantastic new feature.
