We have launched a new Data Protection Audit Framework designed to help organisations assess their own compliance with key requirements under data protection law. The framework is an extension to the existing Accountability Framework. All existing content has been migrated into the new Audit Framework.

What is accountability?

Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.

It’s a real opportunity to show that you set high standards for privacy and lead by example to promote a positive attitude to data protection across your organisation.

Accountability enables you to minimise the risks arising from your processing of personal data by putting in place appropriate and effective policies, procedures and measures. These must be proportionate to the risks, which vary depending on the amount of data being handled or transferred, its sensitivity and the technology you use.

Regulators, business partners and individuals need to see that you are managing personal data risks if you want to secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.

For more information about accountability, please read our guidance on accountability and governance.

How can I use the framework?

The framework is an opportunity for you to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:

  • create a comprehensive privacy management programme;
  • check your existing practices against the ICO’s expectations;
  • consider whether you could improve existing practices, perhaps in specific areas;
  • understand ways to demonstrate compliance;
  • record, track and report on progress; or
  • increase senior management engagement and privacy awareness across your organisation.

The framework is divided into 10 categories, for example ‘Leadership and oversight’. Selecting a category will display our key expectations and a bullet-pointed list of ways you can meet our expectations. These are the most likely ways to meet our expectations, but they are not exhaustive. You may meet our expectations in slightly different or unique ways.

You can demonstrate the ways you are meeting our expectations with documentation, but accountability is also about what you actually do in practice, so you should also review how effective your measures are.

Accountability is not about ticking boxes. While there are some accountability measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.

You will need to consider your organisation and what you are doing with personal data in order to manage personal data risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures in place should be.

To help you assess, report and improve your data protection compliance, you can complete our accountability self-assessment.

You can also use our accountability tracker if you want to record more detail and create an action plan to track your progress over time.