The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What is accountability?

Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.

It’s a real opportunity to show that you set high standards for privacy and lead by example to promote a positive attitude to data protection across your organisation.

Accountability enables you to minimise the risks of what you do with personal data by putting in place appropriate and effective policies, procedures and measures. These must be proportionate to the risks, which can vary depending on the amount of data being handled or transferred, its sensitivity and the technology you use.

Regulators, business partners and individuals need to see that you are managing personal data risks if you want to secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.

For more information about accountability, please read our guidance on accountability and governance.

Who can use the framework?

You will find the Accountability Framework useful if you are responsible for putting appropriate measures in place to make sure that your organisation complies with data protection. You could be senior management, the data protection officer (DPO) or have records management or information security responsibilities.

The Accountability Framework can help to support any organisation, whether small or large, with their obligations. The key is that the measures you put in place must be appropriate, risk-based and proportionate. This depends on your organisation and what you are doing with personal data.

If you work for a smaller organisation you will most likely benefit, in the first instance, from the resources available on our SME hub, in particular the Assessment for small business owners and sole traders, and our Data protection self-assessment toolkit which has been created with smaller organisations in mind.

What is the scope of the framework?

This framework supports the foundations of an effective privacy management programme. It is not exhaustive and does not replace the need for you to comply with all applicable aspects of data protection, exercise your own judgement, and use other relevant guidance and materials such as the Guide to the General Data Protection Regulation (GDPR).

The framework is not sector-specific because we want it to be relevant to as broad an audience as possible. In time, we will include case studies to highlight practical experience across different sectors and differently sized organisations.

How can I use the framework?

The framework is an opportunity for you to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:

  • create a comprehensive privacy management programme;
  • check your existing practices against the ICO’s expectations;
  • consider whether you could improve existing practices, perhaps in specific areas;
  • understand ways to demonstrate compliance;
  • record, track and report on progress; or
  • increase senior management engagement and privacy awareness across your organisation.

The framework is divided into 10 categories, for example ‘Leadership and oversight’. Selecting a category will display our key expectations and a bullet-pointed list of ways you can meet our expectations. This list is based on our experiences when working with organisations. It is not exhaustive, and organisations may meet our expectations in slightly different or unique ways.

You can demonstrate the ways you are meeting our expectations with documentation, but accountability is also about what you actually do in practice so you should also review how effective the measures are.

Accountability is not about ticking boxes. While there are some accountability measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.

You will need to consider your organisation and what you are doing with personal data in order to manage personal data risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures in place should be.

To help you assess, report and improve your data protection compliance, you can complete our accountability self-assessment.

You can also use our accountability tracker if you want to record more detail and create an action plan to track your progress over time.