How do you benchmark your Privacy compliance?
If you’re covered by GDPR, even if you’re not in the UK, there’s a good chance you’re thinking of the popular, gold-standard benchmark from UK Information Commissioner’s Office – the Accountability Framework.
In this blog we’ll break down exactly what the Accountability Framework is and call out 5 pros and 5 cons.
GDPR is built on 7 Principles and the 7th is Accountability: the controller is responsible for, and able to demonstrate compliance with, the other 6 GDPR Principles.
So Accountability has 2 parts:
A benchmark, or framework, is a great way to drive, measure and demonstrate all areas of your compliance for Accountability. A benchmark isn’t everything by any means. But it gives your governance purpose and demonstrability.
You could benchmark yourself against the GDPR directly but more likely, you’ll benchmark against a more usable proxy framework such as ones from suppliers like Keepabl, or one published by a regulator such as the UK ICO.
Because the ICO is the UK’s data protection authority, and they’ve a strong reputation for publishing very practical and professional guidance, there’s clearly a lot of benefit in using their popular Accountability Framework. And, given it’s based on GDPR, and there aren’t too many others published by DPAs, we understand it’s also well-used outside the UK.
That’s Accountability, why the AccountabIlity Framework exists, and why it’s so popular. Here’s how it’s structured.
There’s three main ways to use the Framework:
There’s far more detail in the website guidance and in the Excel than the online self-assessment. And, from our experience, it’s the Excel version that most consultants and organisations use and mean when they talk about the Accountability Framework. It’s because of that detail and because it creates valuable, reusable scores and dashboards. So we’ll focus on the Excel version of the Framework.
The Framework has three distinct levels. Here’s how it breaks down:
In the Excel version, there are the 10 Categories, 77 Expectations and 338 statements or questions. It’s pretty detailed and, as the ICO says itself:
‘If you work for a smaller organisation you will most likely benefit, in the first instance, from the resources available on our SME hub, in particular the [toolkits created with smaller organisations in mind] Assessment for small business owners and sole traders, and our Data protection self-assessment toolkit which has been created with smaller organisations in mind.’
At the top level there are 10 major Categories, from Leadership, through Policies & Procedures, to Risks and Security.
At the second level, within each Category, are various Expectations – actions that the ICO would expect you to take for compliance in the relevant Category. While Expectations sit below the Categories at the second level, they’re still pretty broad.
As an example, within the Leadership Category, an Expectation is:
‘There is an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.’
And at the 3rd level, each Expectation itself then contains a number of more detailed Statements or Questions. As the ICO states:
‘These are the most likely ways to meet our expectations, but they are not exhaustive. You may meet our expectations in slightly different or unique ways.’
As an Example, within that Leadership Expectation, a statement is:
‘The board, or highest senior management level, has overall responsibility for data protection and information governance.’
Now let’s look at five pros and five cons of the Accountability Framework.
Number 1: if you’re in IT or Security and looking after Privacy at your organisation or you’re a Privacy consultant advising your client, the first major benefit is that you’re recommending your organisation uses the gold-standard official benchmark from the UK regulator.
That’s a safe harbour for you – they can’t say you chose the wrong benchmark. As the old saying goes ‘you don’t get fired for hiring IBM’.
The second major benefit is that, if you’re unlucky enough for the ICO to look at your organisation, it can tell the ICO it’s using the ICO’s own official benchmark. That’s a safe harbour for your organisation – the ICO can’t complain about your choice!
These two are the major reasons why we hear customers and consultants choose the ICO’s Accountability Framework. Let’s look at three other benefits, which also come with their own disadvantages…
Our third Pro – and our first Con – is that the Accountability Framework is super comprehensive, and that’s a double-edged sword. As we saw, in the Excel there are 338 questions to answer so this isn’t a quick task; it’s a commitment.
The benefit is that you’re going to get a very full framework, but the ICO itself suggests that one of its other frameworks is a likely better starting point for smaller organisations. Even large entities can find that, in practice, the Accountability Framework is hard to score well on.
This brings us to our second Con – the ICO’s Accountability Framework is not only very detailed, in places it does go beyond the minimum for GDPR compliance into DPA interpretation, perhaps even wishlist, territory and this may not be achievable by many organisations.
For example in Leadership, at the third, more detailed level, the Framework asks that there’s an ‘Oversight Group’ that meets regularly and reports into the Board, with Operational Groups reporting into the Oversight Group on data protection matters.
This structure is fine for a larger organisation but will likely be a tough ask for most SMEs. So you’ll probably look to emulate this as appropriate in your SME, meaning you’re already diverging from the Framework’s exact wording.
Our fourth Pro is that the Excel version of the UK ICO’s Framework has an automatic and helpful dashboard showing you your overall position and then breaking that down into the 10 main Categories, it’s really good.
The online self-assessment doesn’t do this, you get a report on the ICO’s webpage which you can download to save as a Word doc but not return to.
Which brings us to our third Con – Excel is great, we love Excel and you can upload and download as Excel within Keepabl, but Excel is limited in terms of sharing, duplicate copies and version control. SaaS makes it all come alive.
Our fifth and final Pro is that the Excel version has fields to enter comments and tasks (the ICO calls them actions). Again, the online self assessment version doesn’t have this functionality.
Our fourth Con is that you do get tasks in the Excel, but it’s in Excel; they’re not personalised for individuals and this is related to our fifth Con. For the Excel and online self-assessment you don’t get other SaaS benefits such as alerts to users or the ability to upload documents, or for example give tailored online view or edit access as you can get in SaaS (and we provide these benefits in our implementation in Keepabl).
So there are! Our five Pros and five Cons but those two major pros really outweigh the rest: you as an individual and your organisation cannot be faulted for choosing the ICO’s published gold-standard benchmark, which is comprehensive and respected.
Now, what about Brexit reforms? In September 2022, the UK Draft Bill was paused given the new Prime Minister, and at the time of writing we’re all waiting to see what will happen next.
But even if it comes back with a vengeance, the UK government’s proposals don’t reduce the need for Privacy Governance; you still need leadership, training, policies, good contracts, inventories of personal data, risk assessment and security.
Keepabl has a great side-by-side comparison on RoPAs, DPOs, DPIAs and DSRs, the link is in the note. But whatever happens, the Framework is likely to continue in a similar form to today with some slight changes.
There’s another UK ICO published benchmark you should know about that the ICO: ‘created with small organisations in mind. It will be most helpful to small to medium sized organisations from the private, public and third sectors.’
It’s the Data Protection Self-Assessment Toolkit. We highly recommend you look at this toolkit, made up of 7 separate checklists totalling 119 questions. It’s more focused on practical steps and it’s more achievable, while covering your obligations in GDPR and other UK data protection law.
So many customers and consultants asked us to incorporate the UK ICO’s Accountability Framework in Keepabl, we’ve done it under government licence. You can now enjoy the combined benefits of using the official ICO Accountability Framework with all the benefits of a SaaS version, addressing the concerns above and delivering integrated benefits for your full Privacy Governance.
If you’re looking to stay on track with your Privacy obligations, why not request a free trial of Keepabl’s Privacy Management Software today and see how the new ICO Accountability Benchmark, alongside our other tools, can make a big difference to your compliance.
As an IAPP member, Keepabl is proud to sponsor the IAPP Data Protection Intensive: UK 2019 and to run a session on breach in the first morning (Wednesday 13th at 10:40).…