The ICO has recently published in 'beta' its proposed data protection accountability framework, which reflects the obligations on Data Controllers under Articles 5(2) and 24 GDPR to be able to demonstrate compliance with data protection legislation.
The most useful aspect of the framework is the 'self-assessment toolkit', which provides a free-to-use self-inspection system for compliance measures. As a 'one size fits all' tool, not all of the points within it will be relevant for every organisation, but the framework offers insights into the ICO's approach to audits (which can be requested voluntarily by data controllers, or required by the ICO) and some helpful ways of thinking about 'demonstrable compliance' with many of the key parts of GDPR.
Many of our healthcare clients will be subject to the Data Security and Protection Toolkit and the audit arrangements that go with it, but for housing, regulatory and other organisations (or for NHS organisations considering other ways of demonstrating compliance with GDPR), the Framework has some useful tools.
The ICO welcomes feedback on the Framework.
If you have any information law questions arising from the Framework or more generally, please let me know.
Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.