The ICO exists to empower you through information.

Control measure: There is an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.

Risk: The control environment to support well-informed decision-making may be ineffective if there is a lack of management focus on information governance. This may breach article 5(2) of the UK GDPR.

Ways to meet our expectations:

  • Assign overall responsibility for data protection and information governance to the board, or highest senior management level.
  • Promote a proactive, positive culture of data protection compliance and ensure decision-makers lead by example.
  • Establish clear reporting lines and information flows between relevant groups; such as from a management board to an audit committee, or from an executive team to an information governance steering group.
  • Clearly set out in policies the organisational structure for managing data protection and information governance.
  • Set out responsibilities and reporting lines to management in job descriptions.
  • Ensure job descriptions are up-to-date, fit for purpose and reviewed regularly.
  • Ensure data protection and information governance staff understand the organisational structure and their responsibilities.

Options to consider:

  • Set out the overall framework and strategy for information governance in policy documentation.
  • Keep committee terms of reference (TOR) under review and make appropriate interventions if membership changes.
  • Keep organisational charts under review to ensure reporting lines for information governance remain up-to-date.

Have you considered the effectiveness of your accountability measures? 

  • Do staff report that your organisational structure is effective?
  • Is there a positive and proactive culture of data protection compliance across your organisation?
  • Are staff aware of their responsibilities and those of others within the structure? 

 

Control measure: If it is necessary to appoint a DPO under Article 37 of the UK GDPR, the DPO’s role is adequately supported and covers all the requirements and responsibilities.

Risk: By not appointing a DPO, where required, there is a risk of non-compliance with articles 37, 38, and 39 of the UK GDPR. There is a risk that no-one is responsible for monitoring internal compliance, informing and advising on data protection obligations, providing advice about DPIAs and acting as a contact point in privacy matters. Lack of proper resourcing may prevent the DPO from carrying out their role effectively. Lack of DPO independence may cause inappropriate bias in advice and monitoring activities.

Ways to meet our expectations:

  • Ensure the DPO has specific responsibilities in line with Article 39 of the UK GDPR for data protection compliance, data protection policies, awareness raising, training and audits.
  • Ensure the DPO has expert knowledge of data protection law and practices.
  • Ensure the DPO has the authority, support and resources to do their job effectively.
  • Document the decision and rationale for not appointing a DPO, if that is the case. 
  • If your organisation is not required to appoint a DPO, assign responsibility for data protection compliance and ensure there are enough staff and resources to discharge data protection compliance obligations.

Options to consider:

  • Task the DPO with monitoring compliance with data protection laws, data protection policies, awareness-raising, training, and audits.
  • Evidence that senior managers have considered the DPO’s advice on data protection obligations and matters.
  • Evidence that the DPO provides regular updates and reports to the highest level of management (eg group and committee meeting minutes).
  • Evidence that the DPO gives verbal advice and updates to senior managers who are making decisions about personal information processing and can raise concerns with the most senior level of management.

Have you considered the effectiveness of your accountability measures?

  • Could your DPO explain their responsibilities and how to carry them out effectively?
  • Does your DPO feel supported in their role? 

 

Control measure: The DPO is independent and unbiased. They report to the highest management level and staff are clear about how to contact them.

Risk: Lack of DPO independence may cause inappropriate bias in advice and monitoring activities. This may breach articles 37, 38, and 39 of the UK GDPR.

Ways to meet our expectations:

  • Educate staff so they who the DPO is, what their role is and how to contact them.
  • Involve the DPO in all data protection issues in a timely manner.
  • Demonstrate that you follow the DPO’s advice and take account of their knowledge about data protection obligations.
  • Ensure the DPO performs their tasks independently, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal information within your organisation.
  • Evidence that the DPO directly advises senior decision-makers and has the ability to raise concerns with the highest management level.
  • Ensure the DPO provides senior management with regular updates about data protection compliance.

Options to consider:

  • Evidence that there is no conflict of interest for any other tasks or duties assigned to the DPO.

Have you considered the effectiveness of your accountability measures?

  • Could your DPO explain their responsibilities and how they carry them out effectively?
  • Does your DPO feel supported in their role?
  • Is it easy for your DPO to get access to the highest-level management?
  • Can your staff explain what the DPO does and how to get in touch with them?

 

Control measure: There are operational roles in place to support the practical implementation of data protection and information governance.

Risk: If there is not an appropriate investment in privacy, it may cause insufficient risk mitigation and potentially lead to breaches. This may breach article 25 of the UK GDPR.

Ways to meet our expectations:

  • Ensure data protection and information governance staff have clear responsibilities to support your organisations data protection compliance.
  • Manage all records effectively and keep information secure.
  • Put in place a network of support or nominated data protection leads help to implement and maintain data protection policies at a local level.
  • Ensure data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.

Options to consider:

  • Include data protection and privacy-based considerations in internal policies and procedures, where appropriate.
  • Actively raise privacy awareness through campaigns, promotional materials and communication forums.
  • Set data protection compliance objectives at the highest level of management.
  • Ensure management lead by example and promote a proactive, positive culture of data protection compliance.
  • Appoint data protection champions in key areas of the organisation to support the data protection agenda at an operational level and promote awareness. 

Have you considered the effectiveness of your accountability measures?

  • Are staff job descriptions accurate and up to date?
  • Could staff explain their role and responsibilities in detail and how these are achieved in practice?
  • Do they feel supported?

 

Control measure: There is an oversight group which provides direction and guidance across your organisation for data protection and information governance activities.

Risk: There may be a lack of coordination without an oversight group in place. Strategic management may be misinformed or misled, resulting in breaches. This may breach articles 5(2) and 39 of the UK GDPR.

Ways to meet our expectations:

  • Ensure key staff, eg the DPO, regularly attend the oversight group meetings.
  • Ensure an appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).
  • Document clear terms of reference that set out the group's aims.
  • Take detailed meeting minutes to record discussions, actions and decisions.
  • Ensure the group covers a full range of data protection-related topics including key performance indicators (KPIs), issues and risks.
  • Feed outcomes into a work or action plan and regularly review the plan.
  • Report data protection and information governance issues and risks covered at the oversight group to the board or highest management level.

Options to consider:

  • Keep group membership under review, so that it comprises role holders with data protection and information security responsibilities. 
  • Put mechanisms in place for staff at all levels to raise data protection issues (eg an online form).
  • Cascade the minutes and KPI reports to operational level teams and meetings.
  • Seek regular feedback from operational teams on data protection concerns and feed this into the oversight steering group or committee meeting agenda. 

Have you considered the effectiveness of your accountability measures?

  • Do group members report that the meetings are effective?
  • Do they meet frequently enough and cover appropriate topics?
  • Are senior management aware of the issues and risks?

 

Control measure: There are operational level groups that meet to discuss and coordinate data protection and information governance activities.

Risk: Without discussions on data protection at an operational level, communication and direction from oversight and senior management may not be implemented or embedded. Local or operational problems may not be communicated or reported to senior management in a timely fashion. This may breach articles 5(f), 5(2), and 32 of the UK GDPR, or DPA 2018 sections 34(3), 40, and 66.

Ways to meet our expectations:

  • Ensure the groups meet regularly and are attended by relevant staff.
  • Take and produce minutes of the meetings and action plans.
  • Discuss appropriate data protection and information governance issues in the group.
  • Report any data protection and information governance issues and risks that arise to the oversight group.

Options to consider:

  • Put in place action plans from the groups.
  • Gain staff feedback on the effectiveness of these mechanisms. 

Have you considered the effectiveness of your accountability measures?

  • Would the group members say that the meetings are effective?
  • Do they meet frequently enough and cover appropriate topics?
  • Is the oversight group aware of the issues and risks?