We were delighted to be joined in Privacy Kitchen by Chris Taylor, the UK ICO’s Head of Assurance whose team set up the ICO Sandbox, manages the ICO’s guidance and created and maintains the regulator’s gold-standard GDPR benchmark, the Accountability Framework.
Chris was really transparent and gamely answered all our questions 😀 giving everyone real insight into this very popular framework, from
You can see the full interview here. We’ve put a summary of key points on 15 questions below.
This is Keepabl’s summary of the conversation on 29 November 2022. It’s not an official ICO FAQ. To hear exactly what Chris said – and we recommend you do, it’s a great interview – we’ve put the timestamp from the video on the FAQs. So do drop in and hear Chris himself on the areas that matter most to you.
The Framework’s origins trace back to the Accountability Principle in GDPR and the recognition by the ICO, under Elizabeth Denham the previous Commissioner, that organisations were challenged in knowing what they need to do, in practice, to be able to demonstrate their GDPR compliance.
That led to a commitment in the ICO’s last strategic plan to, at a high level, create, support and foster a culture of accountability in data controllers and in processors, which was the genesis for the Accountability Framework.
The Accountability Framework won an award last year at the Global Privacy Assembly, so there’s certainly recognition at an international level! At the time of recording (29 November 2022), while there are many frameworks out there such as ISO 27701 and NIST, and various DPAs have published frameworks and benchmarks, there doesn’t seem to be another DPA creating a product exactly like the ICO’s Accountability Framework, in terms of its breadth and depth.
Robert Baugh, Keepabl’s CEO, noted it’s a benefit that there aren’t multiple 338-question frameworks from different DPAs, which would make things harder for organisations, so in Robert’s view it’s great that the ICO’s Framework is currently the only DPA-issued one.
The Accountability Framework sets out what the ICO sees as good practice in Privacy Management. Any action that the ICO takes will always be grounded in the underpinning legislation rather than the use of their particular tools. The Framework is there to support organisations and the ICO may point organisations at it, if they’re looking to enhance their practices or if they’re looking to improve how they’re going about Privacy Management, but the Framework is not the starting point. The Framework is very much there to help promote compliance and help people trying to comply with their obligations.
The ICO has clear uptake and feedback on its use, in particular from organisations that already have a developed approach to Privacy Management to a certain extent and are looking for a new benchmark or to evolve what they’re doing. Realistically, it’s unlikely that someone who is starting out on day one of their compliance journey would pick up the Accountability Framework and just start implementing it. The Framework is meant as a tool that the ICO hopes people will adapt, apply to their area and then consider how to make relevant to them.
For organisations that are perhaps less mature in their Privacy journey, there are other ICO products that may be a better place to start, like the checklists in the ICO’s SME Hub. And it could be that, as they enhance what they do and develop their approach, the Framework becomes more relevant to them.
Robert noted there can be benefit in doing both, as for example the SME Hub includes a checklist on areas such as Marketing.
The Accountability Framework is intended as a layered framework. It’s built with 10 categories, within which are what the ICO calls their expectations, and then ways to meet those expectations. While the Framework includes guidance setting out the kinds of things the ICO might expect people to have in place, it’s the high level expectation that is most likely to be indicative of a really good practice.
The suggested ways to meet those expectations are a starting point for a conversation in your organisation about how you might look to meet the high level expectation. If the ICO’s suggestion works, great, and if it doesn’t, the organisation can consider ways to meet that overarching expectation that are more appropriate for it, depending, for example, on the type of organisation and the kind of processing it’s involved with.
Privacy Kitchen has a great video explaining the structure of the ICO’s Accountability Framework with 5 Pros and 5 Cons.
There’s quite a lot of information and content in there, and people will be at different stages on their compliance journey. So taking it a bit at a time is entirely sensible and appropriate. You could choose to have a particular focus on a particular area over a period of time, then move on to others. This is all in keeping with the intention of it being an adaptable tool that can be used in ways that best suit organisations.
The Framework is indeed focused on UK GDPR implementation, not PECR. It’s not impossible that, in future, the ICO might consider extending it to PECR – or other areas such as Part 3 and Part 4 processing.
There’s always the potential for that to develop in the coming year or two as the ICO reviews priorities, though nothing is in the works at the moment.
Robert noted the ICO’s Marketing checklist in the SME Hub, and suggested there’s benefit in having separate Frameworks for PECR and GDPR, given how the e-Privacy Directive is implemented in national laws across the EEA. A framework for GDPR, such as the ICO’s, can be applied across Europe and the UK.
Robert noted that Keepabl has its own BenchMark against GDPR and PECR, which is a more strategic-level framework with 80 questions, compared to the ICO’s 338-question Accountability Framework. Robert continued that a typical first score on Keepabl’s BenchMark is around 20%, that it’s hard to get over 60% without policies and procedures in place, and that it is possible to aim for 100%.
What Keepabl has heard on scores for the ICO’s Accountability Framework is similar in that typical opening scores are in the same 16% to 20% region, but that it’s very hard indeed to get above 80%. (For example, see our excellent Privacy Kitchen video with leading UK Privacy Consultant Tash Whitaker on the Accountability Framework in practice and Top Tips for success.)
So how did the ICO view scores achieved on the Framework?
Chris first noted that it’s worth going back to the primary purpose of the Framework: to assist people in enhancing their compliance practices. The ICO isn’t therefore expecting everybody to use it or, if they do, to get say 95% or 93%, they’re not fixated on hard numerical scores. As all Privacy pros will recognise, Chris noted that Privacy compliance is not something that is just done and completed, it’s always a developing process. As people’s businesses and processes evolve, new compliance issues will come into view and others will go away.
As in his other answers, Chris recommended people first engage with the Framework and, to a certain extent, not be overly concerned or fixated on the numerical score that comes out at the end. What’s important is that people are using the Framework as a way to improve and enhance their practices. If somebody starts at 20% and develops beyond that, then that’s good in terms of enhancing compliance outcomes. Similarly, if people are hitting 70% or 80% that’s good too but the ICO is primarily keen to see the Framework out there helping organisations to improve their Privacy compliance.
Chris acknowledged that this is a really interesting challenge for regulators, particularly with principles-based legislation. People often ask the ICO for greater specificity and certainty over how the ICO will address particular issues and/or deal with particular topics, and the ICO wishes to assist whilst also preserving the flexibility, proportionality and risk-based approach that’s intended within the legislation in the first place.
Chris noted that the Framework operates somewhere in the middle, in that it provides greater certainty, greater clarity to people about what good Privacy Management practice looks like while still recognising that it will need to be flexible, and will need to be adapted depending on the nature of what you’re doing. Plus, as Chris already noted, compliance is fundamentally judged against the legislation rather than the tools the ICO provides.
Robert noted that he’d put this as a devil’s advocate question, because in Robert’s view whether something is treated as a tick-box exercise by an organisation is more to do with the culture of the organisation than the thing itself, whether that’s the Framework or ISO 27001 or SOC2 for example. It’s about how people approach it.
And indeed the ICO states on its website:
Accountability is not about ticking boxes. While there are some accountability measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.
You will need to consider your organisation and what you are doing with personal data in order to manage personal data risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures in place should be.
The ICO’s website states: ‘The framework is not sector-specific because we want it to be relevant to as broad an audience as possible. In time, we will include case studies to highlight practical experience across different sectors and differently sized organisations.’
Chris noted that this aim fed into why the ICO settled on having more than one kind of product within the Framework. People will be familiar with the fact that there’s a traditional ‘nested’ guidance element, with the website guidance, the online assessment against the expectations, and the more detailed Excel download.
Robert noted this is explained further in our Bite Size video on Privacy Kitchen and that, when we talk about the Accountability Framework with people in the industry, everybody generally means the Excel version, the Accountability Tracker, because it has the detail, the scoring and the dashboard, and they can keep it and update it.
Robert noted that much of the way Keepabl sees it being used in practice is very internal. An organisation will be using this internally, whether by themselves or with a consultant, to show the team where they’re going and what they need to focus on. They can also show the board, and sometimes they will tailor it – some add a PECR tab for example, or further reporting – but they’re not showing it externally. Does this match the ICO’s intent and how are they seeing it used?
Chris felt that matched the ICO’s expectations and how they hear it is being used in practice as well. It certainly hadn’t been designed, for example from a user design perspective, as something that the ICO would expect organisations to display publicly.
The ICO received good feedback during the consultation exercises around whether the Framework met external users’ expectations, and they’re seeing that continue. The ICO has published some case studies on its website on organisations that have taken it on, and the ICO is receiving good, consistent, strong anecdotal feedback that it’s playing an important role in helping people in the kind of ways that it was intended, so the ICO is happy with how the Framework has gone.
Robert noted that the ICO’s website states: ‘There will be an annual review of the content of the Framework to ensure it’s up-to-date’ and that the government has said it will continue with reform to the UK GDPR, reintroducing the DPDI Bill in due course, and asked Chris if any updates are imminent.
Chris noted that the ICO is working through possible impacts from reforms across all ranges of its activity. It’s useful to revisit that to an extent the Accountability Framework is based on the ICO’s experience supervising the regulation, not just since GDPR came in, but prior to that as well. And a key source of information within the Framework was some of the toolkits that the ICO’s own audit teams use. This is to make sure there’s regulatory consistency between the ICO’s guidance and what their teams look at when they audit externally.
With the annual review, the ICO considered this at the start of the year and decided not to make any changes. There have been no fundamental changes to the ICO’s underpinning audit tool. And partly this is because the ICO has an eye on what’s happening over the next year or so, and wants to make sure they provide a degree of stability on the expectations they’re articulating.
Realistically, there may only be changes where there are obvious substantive reasons to do so. As it stands at the moment [29 November 2022], that’s not the case. And looking at the draft Bill, a wildly different approach for the Framework is unlikely: one still needs leadership, training, records, risk management, security etc.
Robert asked if there is scope to have the Accountability Framework approved as a standard for certification under GDPR. Chris noted that this is a really interesting topic with a number of different dimensions to it.
A good place to start is that, in common with its European counterparts, the ICO’s interpretation of certification within GDPR is that it relates to product, service and process certification, as distinct from management systems certification. There might be some ability to bridge between management-systems-based certification and product-, service- and process-based certification, since behind any process there is a management system in any event.
Chris and Robert’s discussion on codes and certifications is well worth listening to if that’s an area of interest in your organisation!
First of all, Chris would say don’t be scared! Get stuck in, pick it up and have a look at it. It’s there as a tool for people to use, adapt and adopt.
Second, Chris would encourage it to be used internally in as transparent and as open a way as possible, to be honest about the journey towards doing the very best Privacy Management practice.
Third, the ICO is always interested in adding case studies of how organisations have been using the Framework and there’s a section on the ICO’s website for these case studies. The ICO is always looking to get feedback and think about how they can develop it in the future.
The ICO is always open to hearing feedback on the Framework, positives and negatives, to take into consideration as they take the Framework forward. So do let them know! You can send your feedback to them on email@example.com.
Why not choose Keepabl as a way to create your instant Privacy Framework focused on GDPR? Our award-winning Privacy Management Software allows you to get up and running with ease, with simple data mapping, instant Article 30 Record creation and comprehensive Risk and Breach functionality for peace of mind. You can export KPIs, insights and reports on all of this at the click of a button so you can keep the Board and Auditors happy.
AND we’ve just integrated the UK ICO’s Accountability Framework into our solution, so you get the benefit of the regulator’s gold-standard framework combined with all the benefits of SaaS to turbocharge your Privacy Management 🙂
Don’t just take our word for it! See how Keepabl helped renowned education publisher, Times Higher Education, improve their GDPR compliance.
Want to get going ASAP? Get your Keepabl demo. We’d love to speak with you to show how SaaS automation can improve your compliance.