Navigating the Accountability Framework

Leadership and oversight

You should consider:

• • • Organisational structure
    • Whether to appoint a DPO
    • Appropriate reporting
    • Operational roles
    • Group to provide oversight and direction
    • Operational group meetings

Transparency

You should consider:

• Privacy notice content
• Timely privacy information
• Effective privacy information
• Automated decision-making and profiling
• Staff awareness
• Privacy information review
• Tools supporting transparency and control

Records management and security

You should consider:

• • • Creating, locating and retrieving records
    • Security for transfers
    • Data quality
    • Retention schedule
    • Destruction
    • Information Asset Register
    • Rules for acceptable software use
    • Access control
    • Unauthorised access
    • Mobile devices, home or remote working and removable media
    • Secure areas
    • Business continuity, disaster recovery and back-ups

Individuals’ rights

You should consider:

• Informing individuals and identifying requests
• Resources
• Logging and tracking requests
• Timely responses
• Monitoring and evaluating performance
• Inaccurate or incomplete information
• Erasure
• Restriction
• Data portability
• Rights relating to automated decision-making and profiling
• Individual complaints

Contracts and data sharing

You should consider:

• • • Data sharing policies and procedures
    • Data sharing agreements
    • Restricted transfers
    • Processors
    • Controller-processor contract requirements
    • Processor due diligence checks
    • Processor compliance reviews
    • Third-party products and services
    • Purpose limitation

Records of processing and lawful basis

You should consider:

• Data-mapping
• Records of processing activities (ROPA)
• ROPA requirements
• Good practice for ROPAs
• Documenting your lawful basis
• Lawful basis transparency
• Consent requirements
• Reviewing consent
• Risk-based age checks and parental/guardian consent
• Legitimate Interest Assessment (LIA)

Training and awareness

You should consider:

• • All staff training programme
    • Induction and refresher training
    • Specialised roles
    • Monitoring
    • Awareness-raising

Breach response and monitoring

You should consider:

• Detecting, managing and recording incidents and breaches
• Assessing and reporting breaches
• Notifying individuals
• Reviewing and monitoring
• External audit or compliance check
• Internal audit programme
• Performance and compliance information
• Use of management information