This consultation has closed

The General Data Protection Regulation (GDPR) introduced an accountability principle, which requires data controllers to demonstrate their compliance with the law through internal data protection measures and practices. These could, and in some circumstances must, include:

  • implementing data protection policies;
  • recording your processing;
  • taking a data protection by design and by default approach;
  • having written contracts in place with processors;
  • implementing appropriate security measures;
  • recording and, where necessary, reporting data breaches;
  • appointing a data protection officer;
  • establishing processes for handling data subject rights’ requests; and
  • carrying out data protection impact assessments.

We want to create a toolkit to help organisations to assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance to the ICO, the public, or a business customer.

This is the first stage of our consultation process, where we are looking for a wide range of views from organisations and individuals, across all sectors and organisational sizes. We want to hear from those who have responsibility for data protection and would particularly like to hear about:

  • your current practice regarding accountability;
  • what might lead to improvements;
  • how we can support you in designing your own accountability framework; and
  • what scope and structure may be most helpful.

You can respond to this consultation via our online survey or you can download the document and email it to:

Alternatively, print off the document and post to:

Accountability toolkit snap survey
Assurance Department
Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire SK9 5AF

You can find guidance about accountability in our Guide to the GDPR. If you would like further information about the consultation, please email the team.

Please send us your response by 17:00 on Monday 9 December 2019.

Privacy statement

For this survey, we will publish all responses received from organisations but we will remove any personal data before publication. We will not publish responses received from respondents who have indicated that they are an individual acting in a private capacity (e.g. a member of the public). For more information about what we do with personal data, see our privacy notice.