The GDPR (and the DPA18 which writes this Regulation in to UK law) sets out under Article 5 the principles that relate to the processing of personal data. These principles can be condensed into: –
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
Paragraph 2 of Article 5 states that “the controller shall be responsible for, and be able to demonstrate compliance with, [the principles outlined in] paragraph 1”. This is known as the ‘Accountability Principle’, which requires the controller to take responsibility for what they do with personal data and how they comply with the principles noted above.
It is a legal requirement for individuals or businesses processing personal data to have effective and appropriate controls, measures and records in place to demonstrate compliance with the main Article 5 principles, as well as the other GDPR and DPA18 rules.
The ICO have extensive guidance on which areas are important and examples of how organisations can meet the expectations for accountability on their Accountability Framework page.Visit The Accountability Framework
The Accountability Framework is divided into 10 categories: –
- Leadership and oversight
- Policies and procedures
- Training and awareness
- Individuals’ rights
- Records of processing and lawful basis
- Contracts and data sharing
- Risks and data protection impact assessments
- Records management and security
- Breach response and monitoring
Last month the ICO published a free online assessment tool to work alongside the framework, aimed at helping firms assess their compliance with the accountability principle and offering guidance on the controls and measures that those handling personal data should have in place.
There is no mandatory requirement to complete the self-assessment and the results remain confidential, but the online tool does provide 50 assessment questions to help firms meet the ICO’s expectations in relation to accountability.
If you are new to processing personal data or are just looking to upgrade your existing data protection policies, take a look at our trio of GDPR/DPA18 policy packs and data protection toolkits.
With over 4000 organisations using our documents, including High Street names, the NHS and government departments; we are one of the market leaders in compliance policy templates and toolkits.