In England, the Information Commissioner's Office (ICO, the English Autoriteit Persoonsgegevens) has announced its accountability framework. This framework is very useful because it makes clear what it means in the context of accountability to "comply with the AVG" in a way that the authority describes as "sufficient."
On the basis of a brief explanation and a number of questions, the reader himself can score the extent to which the requirements are met from the perspective of an audit by the authority. Thus, this can also begin to serve as a guide for audits by independent companies such as, for example, classification societies and accounting firms.
For example, in the area of "use of management information," the ICO provides clear expectations to clarify how the English AP's demand can be adequately met:
All relevant management information and the outcomes of monitoring and review activity are communicated to relevant internal stakeholders, including senior management as appropriate. This information informs discussions and actions.
Ways to meet our expectations:
You have a dashboard giving a high-level summary of all key data protection and information governance KPIs.
The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews.
Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings.
Can you answer yes to the following questions?
Could you give examples of information flowing between operational levels and senior management?
Are staff given appropriate information?
Do they understand it and are the actions taken clear?
For more information on the UK AP's accountability framework click here
