Accountability framework self-assessment report

Your report

You can use this report to help you determine the next steps your organisation needs to take in order to comply with the accountability principle and to track your progress over time.

It can also work as a communications tool to help you to inform the appropriate individuals in your organisation, such as senior managers, of your current levels of compliance and what further action is needed to improve.

How to use this report

You can download this report as a Word document using the button on the top right corner of the page. The report contains a template for an action plan, which we suggest you complete. If you have an problem downloading the report into a word document please let us know.

You may find it easier to complete the report if you change the page orientation to landscape and turn on table gridlines (for more information, please see the help section of your word processing program).

Alternatively, we have created the Accountability Tracker, which is an excel document for you to complete. This consists of a list of the expectations and a drop down menu where you can reflect the ratings. We have added additional columns for you to populate that we think will help you make an actionable plan for improvement.

When devising improvement actions, we recommend you involve decision makers and people who will implement the actions. Your action plan should be agreed at a sufficient level of seniority with assigned responsibility for its delivery.

The table below reflects your answers to the self assessment.

Where you have indicated you are likely meeting or partially meeting our expectations we suggested that you record how you doing so.

Where you have indicated you are partially meeting or not meeting our expectation we suggest you record the actions you are taking to meet the expectation and the actions you need to take in order to fully meet it.

There are examples of ways you can meet our expectations in the Accountability Framework

Leadership and oversight

A fundamental building block of accountability is strong leadership and oversight. This includes making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level. Some organisations legally require a DPO; but everyone must allocate sufficient resources and make sure that data protection is a shared responsibility, rather than solely the task of someone working directly in a data protection role. You make senior management and the board accountable, and they must lead by example to promote the organised, proactive and positive approach to data protection that underpins everything else.

There is an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.

My organisation is required to appoint a Data Protection Officer under Article 37 of the General Data Protection Regulations (GDPR).

Your organisation's operational roles support the practical implementation of data protection and information governance

An oversight group provides direction and guidance across your organisation for data protection and information governance activities.

In your organisation, operational level groups meet to discuss andcoordinate data protection and information governance activities.

Policies and procedures

Policies and procedures provide clarity and consistency, by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies where proportionate. What you have policies for and their level of detail varies, but effective data protection policies and procedures can help your organisation to take the practical steps to comply with your legal obligations. 

Your organisation's policies and procedures provide your staff with enough direction to understand their roles and responsibilities regarding data protection and information governance.

You have a review and approval process to make sure that policies and procedures are consistent and effective.

Staff are fully aware of the data protection and information governance policies and procedures that are relevant to their role.

Your policies and procedures foster a 'data protection by design and bydefault' approach across your organisation.

 Training and awareness

You have an all-staff data protection and information governance training programme

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Specialised roles or functions with key data protection responsibilities(such as DPOs, subject access and records management teams) receive additional training and professional development beyond the basic level provided to all staff.

Your organisation can demonstrate that staff understand the training.You verify their understanding and monitor it appropriately.

You regularly raise awareness across your organisation of data protection, information governance and associated policies and procedures in meetings or staff forums. You make it easy for staff to access relevant material.

Individuals’ rights

You inform individuals about their rights and all staff are aware of how to identify and deal with both verbal and written requests.

You have appropriate resources in place to handle requests from individuals about their personal data.

Your organisation logs receipt of all verbal and written requests from individuals and updates the log to track the handling of each request.

You deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.

Your organisation monitors how your staff handle requests and you use that information to make improvements.

Your organisation has appropriate systems and procedures to change inaccurate information, add additional information to incomplete records or add a supplementary statement where necessary.

You have appropriate methods and procedures in place within your organisation to erase, suppress or otherwise stop processing personal data if required.

Your organisation has appropriate methods and procedures in place to restrict the processing of personal data if required.

Individuals are able to move, copy or transfer their personal data from your organisation to another securely, without affecting the data.

Your organisation can protect individual rights related to automated decision-making and profiling, particularly where the processing is solely automated with legal or similarly significant effects.

Your organisation has procedures to recognise and respond to individuals' complaints about data protection, and individuals are made aware of their right to complain.

Transparency

Transparency is a key data protection principle which is fundamental to a ‘data protection by design and by default’ approach. It facilitates the exercise of individuals’ rights and gives people greater control. This is particularly important if the processing is complex or if it relates to a child. Proactively respecting people’s privacy can give you a competitive advantage by increasing the confidence of the public, regulators and business partners. Being open and honest about what you do with personal data will support contracting and data sharing with third parties.

Your organisation's privacy information or notice includes all the information required under Articles 13 and 14 of the GDPR.

You have a recorded procedure to make sure that privacy information is provided to individuals at the right time, unless an exemption applies.

Your organisation provides privacy information to individuals that is: concise; transparent; intelligible; clear; uses plain language; and communicated in a way that is effective for the target audience.

Your organisation is transparent about any processing relating to automated decision-making and profiling

Your organisation can demonstrate that any member of front-line staff is able to explain the necessary privacy information to individuals and provide guidance to them.

Your organisation has procedures to review the privacy information provided to individuals regularly to make sure that it is accurate, up-to date and effective.

You are open about how you use personal data, and offer tools to support transparency and control, especially when processing children’s personal data.

Records of processing and lawful basis

It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle and we may require you to provide these records to us. Your processing won’t be lawful without a valid lawful basis so you must justify your choice appropriately. 

Your organisation frequently carries out comprehensive data mapping exercises, providing a clear understanding of what information is held and where.

Your organisation has a formal, documented, comprehensive and accurate Record of Processing Activities (ROPA) based on a data mapping exercise, that is reviewed regularly.

Your ROPA contains all the relevant requirements set out in Article 30 of the GDPR.

Your organisation's ROPA includes links to other relevant documentation as a matter of good practice.

You document and appropriately justify your organisation's lawful basis for processing personal data in line with Article 6 of the GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).

You make information about the purpose of the processing and the
lawful basis publicly available. This is easy to locate, access and read.

Does your organisation rely on consent for the processing of personal data?

You comply with the GDPR’s consent requirements.

You proactively review records of previously gathered consent, which demonstrates a commitment to confirming and refreshing the consents.

Your organisation has effective systems in place to conduct risk-based age checks and, where required, to obtain and record parental or guardian consent.

Does your organisation rely on legitimate interest for the processing of personal data?

You have completed an appropriate Legitimate Interests Assessment (LIA) prior to starting the processing.

Contracts and data sharing

It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way. Similarly, written contracts help controllers and processors to demonstrate compliance and understand their obligations, responsibilities and liabilities. 

Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions.

You arrange and regularly review appropriate data sharing agreements with parties with whom you regularly share personal data.

Your organisation has procedures in place to make sure that restricted transfers are made appropriately.

You have appropriate procedures in place regarding the work that processors do on your behalf.

All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.

You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet GDPR requirements.

Your organisation reviews data processors' compliance with their contracts.

Your organisation considers 'data protection by design' when selecting services and products to use in data processing activities.

Your organisation proactively takes steps to only share necessary personal data with processors or other third parties.

Risks and data protection impact assessments

The need to identify, assess and manage privacy risks is an integral part of accountability. Understanding the risks of the way you use personal data specifically is central to creating an appropriate and proportionate privacy management framework. A DPIA is a key risk management tool, and an important part of integrating ‘data protection by design and by default’ across your organisation. It helps you to identify, record and minimise the data protection risks of projects. DPIAs are mandatory in some cases and there are specific legal requirements for content and process. If you cannot mitigate a high risk, you must have a process for reporting this to the ICO.

Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.

You understand whether a DPIA is required, or where it would be good practice to do one. There is a clear DPIA policy and procedure.

DPIAs always include the appropriate information and are comprehensively documented.

You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.

Records management and security

Good records management supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies. Information security also supports good data governance, and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – it may even endanger lives in some extreme cases. 

You have minimum standards for the creation of records and effective mechanisms to locate and retrieve them.

You have appropriate security measures in place to protect data that is in transit, data you receive or transfer to another organisation.

You have procedures in place to make sure that records containing personal data are accurate, adequate and not excessive.

You have an appropriate retention schedule outlining storage periods for all personal data, which you review regularly.

You cover methods of destruction in a policy and they are appropriate to prevent disclosure of personal data prior to, during or after disposal.

You have an asset register that records assets, systems and applications used for processing or storing personal data across your organisation.

You identify, document and implement rules for the acceptable use of software (systems or applications) processing or storing information.

You limit access to personal data to authorised staff only and regularly review users’ access rights.

You prevent unauthorised access to systems and applications.

You have appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.

You secure physical business locations to prevent unauthorised access,damage and interference to personal data.

You have plans to deal with serious disruption, and you back up key systems, applications and data to protect against loss of personal data.

Breach response and monitoring

You need to be able to detect, investigate, risk-assess and record any breaches. You must report them as appropriate. Having effective processes in place helps you to do this. A personal data breach can have a range of adverse effects on individuals. There can be serious repercussions for organisations, their employees and customers, such as financial penalties (failure to notify a breach when required can result in a fine up to 10 million Euros or 2% of your global turnover), reputational damage, loss of business and disciplinary action. 

You have procedures in place to make sure that you detect, manage and appropriately record personal data incidents and breaches.

You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.

You have procedures to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

You review and monitor personal data breaches.

Your organisation has undertaken an external data protection and information governance audit or other compliance checking procedure.

Does your organisation have an internal audit programme?

Your organisation has business targets relating to data protection compliance and information governance, and you can access the relevant information to assess against them.

All relevant management information and the outcomes of monitoring and review activity are communicated to relevant internal stakeholders, including senior management as appropriate. This information informs discussions and actions.