The General Data Protection Regulation (GDPR) introduced an accountability principle, which requires data controllers to demonstrate their compliance with the law through internal data protection measures and practices. These could, and in some circumstances must, include:
- implementing data protection policies;
- recording your processing;
- taking a data protection by design and by default approach;
- having written contracts in place with processors;
- implementing appropriate security measures;
- recording and, where necessary, reporting data breaches;
- appointing a data protection officer;
- establishing processes for handling data subject rights requests; and
- carrying out data protection impact assessments.
We want to create a toolkit to help organisations to assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance to the ICO, the public, or a business customer.
This is the first stage of our consultation process, where we are looking for a wide range of views from organisations and individuals, across all sectors and organisational sizes. We want to hear from those who have responsibility for data protection and particularly would like to hear about:
- your current practice regarding accountability;
- what might lead to improvements;
- how we can support you in designing your own accountability framework; and
- what scope and structure may be most helpful.