We have launched a new Data Protection Audit Framework designed to help organisations assess their own compliance with key requirements under data protection law. The framework is an extension to the existing Accountability Framework. All existing content has been migrated into the new Audit Framework.

Introduction to the Accountability Framework

At a glance

Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.

The Accountability Framework can help any organisation, whether small or large, with their obligations.

The framework is divided into 10 categories and contains expectations and examples of how your organisation can demonstrate your accountability.

As a starting point, we’d advise reading the Guide to the UK GDPR section on accountability first.

Who can use the framework?

You will find the Accountability Framework useful if you are responsible for putting appropriate measures in place to make sure that your organisation complies with data protection. You could be senior management, the data protection officer (DPO) or have records management or information security responsibilities.

The Accountability Framework can help to support any organisation, whether small or large, with their obligations. The key is that the measures you put in place must be appropriate, risk-based and proportionate. This depends on your organisation and what you are doing with personal data.

If you work for a smaller organisation you will most likely benefit, in the first instance, from the resources available on our SME hub, in particular the Assessment for small business owners and sole traders, and our Data protection self-assessment toolkit which has been created with smaller organisations in mind.

What is the scope of the framework?

This framework supports the foundations of an effective privacy management programme. It is not exhaustive and does not replace the need for you to comply with all applicable aspects of data protection, exercise your own judgement, and use other relevant guidance and materials such as the Guide to the UK General Data Protection Regulation (GDPR).

The framework is not sector-specific because we want it to be relevant to as broad an audience as possible. In time, we will include case studies to highlight practical experience across different sectors and differently sized organisations.

Take a self-assessment

The accountability self-assessment will help you to assess the extent to which your organisation is currently meeting the ICO’s expectations in relation to accountability.

Use the Tracker

The accountability tracker is a tool to help you record detail and track your progress over time.