Case studies
Our Data Protection Audit Framework provides a number of examples of the different ways you can demonstrate your compliance with data protection law. To help you even further, we’ve worked with organisations to capture real-world examples and case studies of different approaches.
The case studies below focus on our Accountability toolkit and look at different approaches to accountability.
We intend to expand these case studies to cover the other toolkits in the framework at a later date.
- Leadership and Oversight
- Policies and Procedures
- Training and Awareness
- Transparency
- Records of processing and lawful basis
- Risks and DPIAs
- Records management and security
Leadership and Oversight
Organisation: Macmillan Cancer Support
Role: Information governance and security
Accountability challenge: Roles and responsibilities
Macmillan’s purpose is to help people affected by cancer. Our staff are aware that an important part of this is to respect their privacy, freedoms, and preferences.
We built the Keeping Data Safe (KDS) framework as part of our information security management system (ISO 27001:2013) to minimise data protection risk. We put in place a clearly-defined accountability programme that protects the personal data we collect. It also ensures we use the data appropriately. Our framework creates accountability by establishing clear roles and responsibilities using the following three groups:
- Keeping Data Safe groups
Each directorate has a group which data owners, data managers and data protection leads attend. Each KDS group also has representation from Information Governance, Information Security, and Risk and Compliance. The group’s aim to review locally how we work with each other, our partners, and our customers. This supports Macmillan’s operational and strategic data protection and information security requirements at the directorate level.
- Information governance group (IGG)
The IGG has operational responsibility with oversight and management over all information governance and information security plans and their delivery across Macmillan. The IGG aims to ensure that Macmillan effectively manages any risks or issues, including ones that the KDS groups identify. This ensures that all operational functions are efficient and in line with Macmillan policies, procedures, legal obligations and best practice requirements.
- Information governance board (IGB)
The IGB has strategic responsibility. It provides governance, decision-making and oversight of all information governance plans and activities within Macmillan. The IGB allocates proper resource to these activities and can initiate projects with budget allocation. The IGB reports to the Performance and Risk Board, and has access to Macmillan’s senior leadership. This makes sure that senior staff understand data protection and information security risks and can add momentum to decision making.
How have these groups worked for us?
These groups allow for upward and downward communication regarding information risk between the Keeping Data Safe groups, IGG and IGB. For example, we use these groups to communicate other accountability measures, such as our DPIA process and the integration with Microsoft Forms. We implemented our updated DPIA process in a short time frame, since the KDS groups meet every six weeks. All directorates across Macmillan have successfully adopted the new process. Communicating this new process through the KDS groups brought consistency in approach, application, and training, as all groups received the same messaging. The DPIA process has benefited from the KDS groups, as the groups provide a space where we can learn about impending projects coming through the DPIA process.
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Leadership and oversight
Before implementing the Accountability Framework, we had difficulty involving the Senior Responsible Owners (SROs) directly. They were typically more senior than our data protection managers. Data protection managers found it difficult to attain the necessary momentum to implement data protection measures.
Using the Accountability Framework enabled us to make a hierarchical structure that works. We’ve explained to the SROs that they ‘own’ the residual data protection risk. We use the framework to highlight areas that need attention. This helped our SROs make informed decisions about resourcing when considering requirements from other business areas. This hierarchical structure with clear involvement from the SROs increased the number of colleagues with direct, reportable responsibility for data protection. It also provided an escalation route for me as the DPO.
Policies and Procedures
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Policies and procedures
The Accountability Framework gave us the idea to add an ownership column to our policies. This created a more robust process for creating and reviewing policies. The ownership column allowed us to develop a two-tier approach. In this approach, senior roles govern common business areas (eg security and finance) and we assign junior colleagues more specific tasks.
We also used the steps in the Accountability Framework to develop a better system for identifying where policies need improving. It also allows us to act efficiently by developing policies jointly across business areas or by having areas sign up to pre-existing policies.
Organisation: Newry Mourne and Down District Council
Accountability challenge: Policies and procedures
The UK GDPR coming into force gave us an opportunity to really ‘take stock’ of how we do data protection across our council. We planned a programme of work to improve our policies, procedures and training.
To help us to focus on what we needed to do, we started by conducting an audit. From this, we created short, medium and long term targets, which we aligned with the ICO’s accountability framework.
Our audit included reviewing existing relevant policies and procedures and making improvements to link them together. For example, we created:
- an information strategy group with an overall vision aligned with the data principles;
- a new process to investigate breach reports; and
- a new retention and disposal schedule incorporating the ICO’s records management retention schedule guidance.
Organisation: The Office of Intercollegiate Services (OIS), University of Cambridge
The Office of Intercollegiate Services (OIS) was created by the 31 Colleges in the University of Cambridge to support their common activities and interests. Each College is a legal entity and registered data controller in its own right, and each is separate from the University.
Role: Data protection officer
Accountability challenge: Consistent compliance reviews
In my role, I advise and support the colleges, each with their own operational and governance structures. It is challenging to help them review their data protection compliance consistently.
Over the years, I tried different approaches, including a granular self-assessment that was not widely used. I revised this in 2020 and created a new ‘toolkit’, using broader statements from the ICO’s online self-assessment. This was flexible enough for each college to take account of their own unique circumstances. For example, each college could describe their individual governance structure and the data protection impact assessments they carried out.
Crucially, I also explained the regulatory and business benefits of completing the compliance review. This increased engagement substantially, to an unprecedented 80% response rate.
I reviewed each college’s submission and produced individual summary reports. The reports included recommendations to help them improve and an overall accountability assurance rating.
Many of the colleges submitted the report to their governing bodies for formal approval. This allowed local data protection champions at the colleges to obtain the resources they needed to address any gaps identified through action plans. I could also now benchmark their compliance and track progress.
More recently, I adapted the ICO’s accountability framework tracker for my in-house toolkit. The dashboard is particularly useful for management reporting.
While the colleges already had some excellent practices in place, they are now in a better position. They can demonstrate their accountability, and their commitment to continuous improvement, in a clear and consistent way.
Training and Awareness
Organisation: Department for Work and Pensions (DWP)
Role: Data Protection Officer
Accountability challenge: Advanced training
Staff from both the fraud teams and the wider DWP need to understand and apply the correct data protection regime . We wanted to have the correct training measures in place, such as guidance, so that our staff could identify which regime applied to their specific processing activities. To address this, we developed a tool which explained the practical implications of the differences between the two regimes. It also gave the criteria for determining which one applies.
A good deal of thought and preparation went into the development and delivery of the product. We wanted to make it practical and easy to understand so colleagues without a deep data protection knowledge could use it. We used the ICO guidance for the technical content and worked with business colleagues to tailor the material to the audience.
We showcased the new tool to over 900 staff and feedback was extremely positive. We gained feedback at the end of each presentation through the Microsoft Teams chat facility and also by issuing a feedback form. A large majority of attendees felt that the awareness sessions improved both their knowledge and overall confidence.
This work also led to further improvements to our guidance and products. We updated our guidance to clearly define the different regimes that could apply to DWP’s processing activities. We also identified additional products that needed further clarification. We have subsequently updated several products, including draft customer letters from within the Counter Fraud and Compliance Division and the right of access request internal guidance.
Organisation: Information Commissioner’s Office (ICO)
Role: Group Manager, Information Management and Compliance
Accountability challenge: Communicating across different departments
I’m responsible for making sure that the ICO itself complies with the accountability principle. It is easy to forget that, as well as a regulator, the ICO is also a controller of personal data!
Despite my initial uncertainty, in reality, the accountability principle wasn’t so mysterious. I simply focused on the two key elements: to make sure that we have appropriate measures in place and that we can demonstrate what we do.
The ICO already had processes and teams in place to support accountability. However, the Accountability Framework presented a great opportunity to review our practices and think about where we might improve.
The Framework’s suite of tools made my job much easier, enabling me to identify priority areas and take steps to address them. Although it took time to complete this review, consulting with different departments, it was well worth the effort to get the results.
For example, to improve our cross-office engagement, we:
- supported and followed up with departments about their processing. This helped us to get timely information about our processing and to put in place the necessary foundations for our accountability review;
- put in place a clear, easy to use process for updating and signing off our privacy notice. This helps us be clear about responsibilities and to keep track of updates;
- reviewed our systems and considered how we would demonstrate our accountability. We used a communications plan to highlight at the right time, to the right people, what information they needed to store and where; and
- established a community of local information management officers who meet regularly. We use this feedback to make our processes easier for staff to understand and use.
Organisation: Newry Mourne and Down District Council
Accountability challenge: Training
The UK GDPR coming into force gave us an opportunity to really ‘take stock’ of how we do data protection across our council. We planned a programme of work to improve our policies, procedures and training.
We used the ICO’s training materials to give all staff and councillors face-to-face training and we also developed e-learning modules. We engage with external organisations and reflect on our experiences to help us continually improve. By adapting the ICO’s training materials rather than creating our own, we saved resources and money.
Transparency
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Transparency
The Accountability Framework encouraged us to review the layout of our privacy notices and evaluate how our organisation interacts with our personal information charter. As a result, we are seeing an increase in staff members using our privacy notice. The data protection team are also using it as a reference point and guide when engaging with colleagues in other business areas.
Records of processing and lawful basis
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Record of Processing Activities (ROPA) and lawful basis
Implementing the Accountability Framework highlighted that we were using different methods to complete the ROPA across our organisation. This meant we did not complete areas of the ROPA in line with best practice, and created inefficiencies. We developed a ‘house style’ of ROPA template that introduces more uniformity and makes it easier to produce training material and workshops on ROPA requirements. The uniformity allows us to embed a ‘DEFRA style’ approach to data protection. We use this to create communities of colleagues with common responsibilities. These communities are cost-effective for developing technical solutions to the assets they manage.
Risks and DPIAs
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Risks and DPIAs
We previously used several different versions of the DPIA template. This created confusion when colleagues completed different templates. In particular, it was inefficient to review different templates and bring them all to the same standard. It was also difficult to provide training on how to complete a DPIA. The Accountability Framework helped us to demonstrate to the organisation the benefits of developing a single DPIA template, which we implemented. We used this template to create a self-service system, improving efficiency. In particular, colleagues now find it easier to familiarise themselves with our DPIA guidance and single DPIA template. As a result, we can see an improvement in the standard of DPIA completion. Staff find it easier to complete DPIAs without seeking advice from data protection colleagues.
DPIA completion is important as it helps to improve understanding of policies and projects. It also provides an opportunity for our data protection community to link up with policy colleagues in other areas of the business and share experiences.
Organisation: Macmillan Cancer Support
Role: Information governance and security
Accountability challenge: Risk management
Macmillan’s purpose is to help people affected by cancer. Our staff are aware that an important part of this is to respect their privacy, freedoms, and preferences.
We built the Keeping Data Safe (KDS) framework as part of our information security management system (ISO 27001:2013) to minimise data protection risk. We put in place a clearly-defined accountability programme that protects the personal data we collect. It also ensures we use the data appropriately.
We used our Keeping Data Safe accountability framework to introduce standardised and measurable definitions of information risks. For example, terms like ‘impact’ and ‘likelihood’ have a set of defined criteria, which makes them easier to apply. This helped us to remove subjectivity in risk assessments, creating consistency across the directorates. This consistency helps us to identify high priority risks and allocate our resources accordingly. This also helps our organisation’s risk monitoring activities, as we can create actions and controls that are relevant and measurable now that we have clearly defined our information risks.
Records management and security
Organisation: His Majesty’s Revenue and Customs (HMRC)
Role: Data protection officer
Accountability challenge: Records management and security
We carried out a comprehensive Risk Discovery Programme within HMRC using the Accountability Framework and split category 9 of ‘Records management and security’ into two to bring greater focus to each topic. We separated categories 9.2, 9.7, 9.8, 9.10, 9.11 and 9.12 into a separate security topic.
We worked with business risk co-ordinators in all ten of our business groups to identify data protection risks using the topic-based approach. We delivered workshops based on ‘what good looks like’ from the Accountability Framework. This prompted effective conversations around how we are already meeting expectations in some areas and where we could improve compliance in others.
We engaged with central Security & Information Business Partner teams and other teams responsible for the creation of enterprise-wide policies to determine how many records management and security improvements could be delivered centrally.
Having completed the Risk Discovery Programme, we have identified the need to coordinate risk articulation and control design due to similar themes existing across business groups. We intend to continue using the ICO’s Accountability Framework to review progress over the coming months.
Tell us what you think
The Assurance department value your views and the feedback we receive will help us to continue to improve and develop our framework.
The following survey should take no more than 10 minutes to complete.