Sometimes just having the tools in place to mitigate data loss aren't enough.
In the European Union, under the data protection law in place there, the General Data Protection Regulation, organizations need to demonstrate accountability - essentially proof that they've put the requisite technical and organizational measures in place; a way to validate that what's in place is effective.
In the EU, accountability in relation to data protection can ultimately be traced back to Article 5(2) of the GDPR, which states that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles].”
To aid organizations in making sure they're complying with their accountability obligations under GDPR, the UK Information Commissioner’s Office (ICO) published an Accountability Framework last week.
The framework, released September 9, is designed to instruct organizations what they need to do and how to improve their compliance.
The framework has 10 separate categories that organizations can use to reflect on their accountability:
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals’ rights
- Transparency
- Records of processing and lawful basis
- Contracts and data sharing
- Risks and data protection impact assessments
- Records management and security
- Breach response and monitoring
Clicking through each category brings users to a checklist of sorts, noting why each is important and detailing steps to take to ensure categories are satisfied. For example, clicking through the transparency category briefs users on what transparency in data protection means, that it's especially paramount if the information you're processing relates to a child, and that privacy can act as a competitive advantage - if you protect an individual’s data, it instills confidence in you from the public, regulators, and business partners. That section of the framework also digs into what the ICO expects of organizations as it relates to transparency - privacy notice content, privacy information, and tools supporting transparency and control.
Other examples of data protection accountability measures include adopting and implementing data protection policies, maintaining documentation of processing activities, recording and reporting personal data breaches, and ensuring organizations have a data protection officer appointed.
With increased scrutiny being given to how companies are handling consumer data, not to mention a flurry of data privacy legislation, it could be the perfect time for the framework.
“Successfully embedding accountability will enhance your reputation as a business that can be trusted with personal data,” Ian Hulme, the ICO's Director of Regulatory Assurance said of the framework last week, “The public are increasingly demanding to be shown how their data is being used and how it is being looked after. They want to know that their personal data is in safe hands, and that you have put in place mechanisms to protect their information.”
While the Accountability Framework is technically still in its ‘beta phase,’ it could prove useful to organizations in the EU looking to be more cognizant of the requirements of accountability. The ICO is seeking comment on the framework's current iteration - whether it meet the needs of organizations and what can be improved - until November 2
The ICO periodically releases steps around data protection best practices. Just the other day, the office released a list of best practice for small organizations just starting out that touted the importance of knowing why you're holding or collecting people's data, ensuring there’s security measures in place, and the importance of transparency.
