Governance and accountability

At a glance

You should put systems in place to support and demonstrate your compliance with data protection legislation and conformance to this code. These should include implementing an accountability programme, having suitable data protection policies in place, providing appropriate training for your staff and keeping proper records of your processing activities.

In more detail

• What do you mean by ‘governance and accountability’?
• Why is it important?
• What do we need to do?
• What about certification schemes?

What do you mean by ‘governance and accountability’?

Governance and accountability means having systems in place to support and demonstrate compliance with data protection legislation and this code.

Why is it important?

It is important because it is a vehicle for you to build compliance as a long term sustainable activity across your business. It is a global concept which can work across jurisdictions and allow different approaches under different law to fit together. It is most successful when supported by Board level leadership.

Article 24(1) of the GDPR provides that:

“24(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation. Those measures shall be reviewed and updated where necessary.”

Article 5(2) of the GDPR says that you need to be able to demonstrate your compliance with the data protection principles:

“The controller shall be responsible for, and able to demonstrate compliance with paragraph 1 (accountability)”

What do we need to do?

Implement an accountability programme

You should implement an accountability programme to effectively address the standards in this code. This can be tailored to the size and resources or your business or organisation and the risks to children inherent in your online service. It should be driven by your DPO, if you have appointed one, and overseen by senior management at Board level if your business is structured in this way. For smaller businesses which may not have such formal structures it is still important to make sure that children’s privacy is understood by key personnel and is a seen as an important business priority and key accountability measure.

You should assess and revise the programme on an ongoing basis, building in changes to reflect the changing environment of children’s privacy.

You should report against the standards in this code in any internal or external accountability reports, introducing KPIs (key performance indicators) on children’s privacy to support this as appropriate.

Have policies to support and demonstrate your compliance with data protection legislation

You should have policies (proportionate to the size of your organisation) that document how your organisation ensures adherence to this code and the requirements of the GDPR and PECR. For larger organisations these should include appropriate board level reporting mechanisms and mechanisms to ensure adequate resourcing of relevant projects.

In particular you should ensure that your policies cover your obligations under Article 30(1) to keep a record of your processing activities.

Train your staff in data protection

In order to meet the requirements of the GDPR, any staff involved in the design of your ISS need to understand what those requirements are and how we expect them to be met. So you should make sure that your staff receive appropriate training in data protection and are aware of the provisions of the GDPR and this code.

Keep proper records

Under Article 30(1) of the GDPR you are required to keep the following records of your processing activities:

• the name and contact details of your organisation (and where applicable, of other controllers, your representative and your DPO);
• the purposes of your processing;
• a description of the categories of individuals and categories of personal data;
• the categories of recipients of personal data;
• details of your transfers to third countries including documenting the transfer mechanism safeguards in place;
• retention schedules; and
• a description of your technical and organisational security measures.

In the context of providing an online service this rule applies to you regardless of the size of your organisation. This is because the Commissioner considers that, given the vulnerability of children and the risks inherent in them being online, any such processing is likely to result in a risk to the rights and freedoms of children.

There are templates on our website that you can use to record these details.

You should also keep a record of your DPIA. This is a key document that you can use to demonstrate that you have properly considered and mitigated risks arising from your processing of children’s personal data. It should help you to demonstrate your thinking and decisions on:

• whether children are likely to access your online service;
• what ages of children are likely to access your online service; and
• what measures you have taken to comply with this code.

Be prepared to demonstrate your conformance to this code

You should be prepared to demonstrate your conformance to this code to the ICO if we ask you to do so. You can do this by firstly providing us with copies of your DPIA, relevant policies, training records, and records of processing activities. You may also need to provide evidence of how you have implemented the provisions of the code in your online service in practice. For example, by showing us your privacy notices, or explaining or demonstrating your default settings, online tools, complaint processes and approach to profiling.

What about certification schemes?

Article 42 of the GDPR provides a mechanism for the establishment of certification and data protection seal schemes by which data controllers could demonstrate their compliance with the GDPR.

This would be of particular benefit to children and their parents in making decisions about which online services to use (or allow their children to use) without having to assess the compliance and practice of the online service provider themselves.

It would also benefit you as a provider of an online service to give assurance to your customers and potential customers of your data protection compliance, thereby increasing consumer confidence in online service and brand.

As and when any such schemes become available and offer certification of adherence to this code, you will be able to use them to demonstrate your compliance in accordance with article 24(1) of the GDPR.