Why is this important?
A fundamental building block of accountability is strong leadership and oversight. This includes making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level. Some organisations legally require a DPO; but everyone must allocate sufficient resources and make sure that data protection is a shared responsibility, rather than solely the task of someone working directly in a data protection role. You make senior management and the board accountable, and they must lead by example to promote the organised, proactive and positive approach to data protection that underpins everything else.
At a glance – what we expect from you
- Organisational structure
- Whether to appoint a DPO
- Appropriate reporting
- Operational roles
- Group to provide oversight and direction
- Operational group meetings
Organisational structure
There is an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.
Ways to meet our expectations:
- The board, or highest senior management level, has overall responsibility for data protection and information governance.
- Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.
- You have clear reporting lines and information flows between relevant groups; such as from a management board to an audit committee, or from an executive team to an information governance steering group.
- Policies clearly set out the organisational structure for managing data protection and information governance.
- Job descriptions clearly set out responsibilities and reporting lines to management.
- Job descriptions are up-to-date, fit for purpose and reviewed regularly.
- Data protection and information governance staff understand the organisational structure and their responsibilities.
Have you considered the effectiveness of your accountability measures?
- Do staff report that your organisational structure is effective?
- Is there a positive and proactive culture of data protection compliance across your organisation?
- Are staff aware of their responsibilities and those of others within the structure?
Whether to appoint a DPO
If it is necessary to appoint a DPO under Article 37 of the UK GDPR, your organisation makes sure that the DPO’s role is adequately supported and covers all the requirements and responsibilities.
Ways to meet our expectations:
- The DPO has specific responsibilities in line with Article 39 of the UK GDPR for data protection compliance, data protection policies, awareness raising, training and audits.
- The DPO has expert knowledge of data protection law and practices.
- The DPO has the authority, support and resources to do their job effectively.
- If your organisation is not required to appoint a DPO, you record the decision.
- If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.
Have you considered the effectiveness of your accountability measures?
- Could your DPO explain their responsibilities and how to carry them out effectively?
- Does your DPO feel supported in their role?
Appropriate reporting
The DPO is independent and unbiased. They must report to the highest management level and staff must be clear about how to contact them.
Ways to meet our expectations:
- Staff know who the DPO is, what their role is and how to contact them.
- All data protection issues involve the DPO in a timely manner.
- Your organisation follows the DPO’s advice and takes account of their knowledge about data protection obligations.
- The DPO performs their tasks independently, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.
- The DPO directly advises senior decision-makers and raises concerns with the highest management level.
- The DPO provides senior management with regular updates about data protection compliance.
Have you considered the effectiveness of your accountability measures?
- Could your DPO explain their responsibilities and how they carry them out effectively?
- Does your DPO feel supported in their role?
- Is it easy for your DPO to get access to the highest level management?
- Can your staff explain what the DPO does and how to get in touch with them?
Operational roles
Your organisation’s operational roles support the practical implementation of data protection and information governance.
Ways to meet our expectations:
- Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant.
- Your staff manage all records effectively and they keep information secure.
- A network of support or nominated data protection leads help implement and maintain data protection policies at a local level.
- Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.
Have you considered the effectiveness of your accountability measures?
- Are staff job descriptions accurate and up to date?
- Could staff explain their role and responsibilities in detail and how these are achieved in practice?
- Do they feel supported?
Oversight groups
An oversight group provides direction and guidance across your organisation for data protection and information governance activities.
Ways to meet our expectations:
- Key staff, eg the DPO, regularly attend the oversight group meetings.
- An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).
- Clear terms of reference set out the group's aims.
- The group's meeting minutes record what takes place.
- The group covers a full range of data protection-related topics including key performance indicators (KPIs), issues and risks.
- The group has a work or action plan that is monitored regularly.
- The board or highest management level considers data protection and information governance issues and risks reported by the oversight group.
Have you considered the effectiveness of your accountability measures?
- Do group members report that the meetings are effective?
- Do they meet frequently enough and cover appropriate topics?
- Are senior management aware of the issues and risks?
Operational group meetings
In your organisation, operational level groups meet to discuss and coordinate data protection and information governance activities.
Ways to meet our expectations:
- The groups meet and are attended by relevant staff regularly.
- The groups produce minutes of the meetings and action plans.
- The agenda shows the groups discuss appropriate data protection and information governance issues regularly.
- Any data protection and information governance issues and risks that arise are report to the oversight group.
Have you considered the effectiveness of your accountability measures?
- Would the group members say that the meetings are effective?
- Do they meet frequently enough and cover appropriate topics?
- Is the oversight group aware of the issues and risks?
Further reading
ICO guidance:
ICO interactive tool:
External guidance:
- The National Archives: Organisational arrangements to support records management
- Centre for the Protection of National Infrastructure: Good security governance and Leadership in security
- National Cyber Security Centre: 10 Steps to Cyber Security – A Board-level responsibility
- Get Safe Online: Governance