Accountability: How the ICO sees it
Locations
The word accountability gets a single mention in the General Data Protection Regulation (2016/679) ("GDPR") but you should not underestimate the importance of this sole citation.
Ultimately, accountability underpins and overarches the entire GDPR. We have previously written about what accountability means in data protection, how its importance is gaining traction and how it enables you to evidence your compliance with the GDPR and beyond to other global data protection laws with which you need to comply. Today, the subject of accountability has received further attention with the launch of the Information Commissioner's Office's ("ICO") own accountability framework (the "ICO's framework").
An accountability framework enables companies to have an overview of all their compliance obligations by subject matter or theme, such as data subject rights. Each category within an accountability framework breaks down to provide further details about what is required to demonstrate compliance and will include some active measures to evidence how the company is in practice meeting its obligations. For example, a company will reference where it stores and how it communicates its data handling procedure and in addition will be able to demonstrate to a regulator, business partner or customer how it actively manages data subject access requests (DSAR) and other data rights requests. With a DSAR, everyone within the company would know where to forward one upon receipt, if they were not the relevant person who deals with them; there would be a record to demonstrate when it was received; when it was responded to; and a copy of the documents that were disclosed would be available.
What an accountability framework is not is a checklist. Accountability by its essence is the ability "to be able to demonstrate compliance". Can you show how you or an external third party actively audit your data protection strategy and that it includes a programme of continuous improvement to address the constant state of flux of data protection today? Do you have key performance indicators against which you monitor your data protection practices? Are the number of data incidents you record (although do not need to report) reducing? What lessons are learnt and put in place when employees trained and familiar with how to handle personal data mistakenly put addressees in the "To" or "Cc" field meant for "Bcc"? It can and does happen, even to the best of us! How you mitigate against and prevent future occurrences, following such a data incident, is at the crux of accountability.
The ICO's framework is by no means the first such framework available nor is this framework the only way in which to demonstrate your compliance. In fact, there is no prescribed way in which to be accountable for data protection under the GDPR. What is interesting though about the ICO's framework is that for the first time a regulator has provided a comprehensive oversight of what they will be looking for when they investigate companies and organisations.
Largely sector and size of organisation agnostic, the ICO's framework illustrates how central accountability is to all collecting and processing personal data. Accountability strictly speaking is a legal requirement for data controllers (Articles 5 and 24, GDPR) but data processors are not exactly exempt: witness, for example, the record-keeping obligations and DPO requirements that apply to processors as much as they do to controllers. Data processors therefore may want to consider how they would demonstrate their accountability, including with respect to their obligations under Article 28 and particularly when they appoint a subprocessor.
There are ten categories in the ICO's framework, all of which are broken down further to a series of expectations the ICO has about how each category should be complied with, followed by additional detail about ways in which those expectations can be met. It may be that your accountability framework uses half the number of categories but nonetheless broadly encapsulates everything the ICO's framework does. Be sure that your accountability framework takes into account the latest guidance from both the EDPB and the regulator itself, the latest enforcement action and the effect of court judgments. You can achieve and maintain accountability in a multitude of ways. It is interesting to note how data protection by design and by default interweaves throughout the ICO's framework, perhaps reflecting how the concept itself is continuous for the entire lifecycle of a product, from the outset to discontinuance and deletion.
The importance which companies give data protection varies immensely across an extensive spectrum. Often there are companies who genuinely would like to do more but budget priority is elsewhere. Within the ICO's framework there is the ability to perform an accountability self assessment. There is also an accountability tracker in Excel, which you can download and amend offline. This tracker offers in depth detail of the ICO's accountability requirements per category; enables you to record your current status in meeting a particular expectation, give the action an owner and hold that person(s) to account with a completion date. These tools will prove useful in helping those working in data protection to argue their case for additional support, financial or otherwise, and assist them to identify what areas would be most beneficial for their company to address first.
Accountability receives a significant amount of coverage in the ICO's guidance on AI and data protection and there is extensive detail on how to be able to demonstrate your compliance, in particular with the inherent risks of AI. This piece of guidance makes explicit reference to how it will be updated following the publication of the ICO's framework. The ICO's framework therefore provides a baseline for accountability in general, which can then be added to when more specialist areas, such as AI, require it. Similarly, the ICO's Age Appropriate Design Code, now in force and effective from 2 September 2021 has its own section on accountability and governance.
This iteration of the ICO's framework, like the work of accountability itself, will not stand still. Overtime it will be developed and amended as data protection continues to change. The ICO is keen to engage with stakeholders who wish to attend future consultations and to hear feedback on it framework, a survey on which is open until 2 November 2020.
The launch of the ICO framework in present times may feel burdensome to companies that are already wrestling with the impact of a global pandemic and updating their data protection practices accordingly, besides now dealing with the $64,000 question of how to transfer data post the CJEU decision in Schrems II. Yet, an accountability framework is actually just the thing! It will assist any company or organisation to manage, monitor, review and improve its data protection function in times of need or to react to the latest hot topic, whether that is: adtech; data breach management; AI; enforcement; Brexit and the end of the transition period; or any other new challenge.
Wherever your accountability framework is at, whether at a mature stage or now just a concept, it would be prudent to consider the ICO's framework and determine how you are meeting the expectations of the UK regulator. Without wanting to induce GDPR fatigue or overly repeat the message, to state that the 25 May 2018 was never an end date remains a valid assertion. Whilst the second anniversary of the GDPR passed with little fanfare given the global pandemic, engaging with accountability will enable you to audit your own data protection practices such as policies, training, data retention, carrying out of a DPIA and identifying any areas of concern. Data protection and in particularly accountability, is not the responsibility of any one individual. It is a collective responsibility running throughout a company - top down, bottom up and laterally. How you established a culture of data protection whilst flexible is necessary and such a culture will provide the added advantage of greatly assisting and enhancing any accountability and compliance programme you have.
Lorna Cropper was on part time secondment at the Information Commissioner's Office during which she worked on accountability issues.