Don't reinvent the wheel - ICO's Accountability Framework
Ask five DPOs what needs to be in place to be ‘compliant’ with data protection legislation and you’ll get (at least) five different answers. As well as being impossible to manage, it leaves organisations open to the risk that, when things hit the fan, their interpretation may not have been the ‘right’ one.
UPDATE: If there are just too many words in the ICO Accountability Framework, take a look at the one-page data protection infographic I posted about here.
The Data Protection Act and the UK GDPR are littered with words like ‘appropriate’ and ‘proportionate’ with little help to define what that means. On top of this there are some records that are explicitly required (Article 30), but many more areas where it suggests that records should be kept to support a decision or evidence a process.
I’ve had some success in using ISO 27701 (note the extra 7). It’s the privacy ‘extension’ to the information security standard ISO 27001. It provides some independently assessable standards by which to judge the work of data protection teams. However, it’s not widely used, and my experience has been that finding good external audit against the standard can be tricky.
Help might be at hand from the ICO. They’ve been working on some guidance for organisations on what it means to meet the ‘Accountability’ principle. Like much of the ICO guidance, I think it’s pretty good, but too long. It is written to be practical and accessible, but it still requires some effort to read, let alone apply. I’ll certainly be using it as a reference point for gap analysis and also for implementing privacy management frameworks for clients, though.
Have a look at the draft ICO Accountability Framework guidance pages here. Do let me know your thoughts. If you’re interested in adopting a framework like this (or ISO 27701) for your organisation, and would like some support or help with the planning, then please do drop me a line: +44 (0)20 3393 1899 or email oliver@oliverwestmancott.com