The ICO has issued a consultation on an accountability toolkit. The General Data Protection Regulation 2018 introduced an accountability principle, which requires data controllers to demonstrate their compliance with the law through internal data protection measures and practices. These could, and in some circumstances must, include:
- implementing data protection policies;
- recording an organisation’s processing;
- taking a data protection by design and by default approach;
- having written contracts in place with processors;
- implementing appropriate security measures;
- recording and, where necessary, reporting data breaches;
- appointing a data protection officer;
- establishing processes for handling data subject rights requests; and
- carrying out data protection impact assessments.
The ICO plans to create a toolkit to help organisations to assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance to the ICO, the public, or a business customer.
This is the first stage of the ICO’s consultation process, where it is looking for views on:
- current practice regarding accountability;
- what might lead to improvements;
- how the ICO can provide support on designing an accountability framework; and
- what scope and structure may be most helpful.
The consultation ends on 9 December 2019. The ICO has also published a blog post on the issue.