In an October 28, 2019 blog post, Director for Regulatory Assurance, Ian Hulme, announced that the UK Information Commissioner’s Office (“ICO”) is developing a new ‘accountability toolkit’ which it plans to launch next year. The aim of the toolkit will be to support organisations in demonstrating their compliance with the ‘accountability principle’ under the GDPR[1]. It will enable organisations to understand the ICO’s expectations and to take responsibility for designing their own accountability programs. The ICO wants the toolkit to be ‘user-led’ and, as a result, it believes that gathering the views of organisations is essential.

The ICO seeks the views of a wide range of organisations in different sectors on matters such as their current practices relating to accountability and how the ICO could support them in the development of their own accountability programs.

Any thoughts on the development of the accountability toolkit can be provided on the ICO’s dedicated consultation page or provided by email to The consultation closes at 17:00 on 9 December 2019.

Mr. Hulme made it clear that compliance with the accountability obligation is about “putting data protection at the heart” of all personal data processing. It includes being “crystal clear” about data protection responsibilities throughout the organisation, data protection being a “boardroom issue” and not just the responsibility of the Data Protection Officer, managing risk pro-actively and being transparent to people about the processing of their personal data. He recognised that many organisations are working hard to get this right and stated that the ICO is keen to support those efforts, in light of the substantial work and culture change that can be required.

The consultation page lists a number of measures which the ICO says could enable organisations to demonstrate their compliance with the accountability principle, including implementing data protection policies, taking a data protection by design and default approach, reporting data breaches where required and carrying out data protection impact assessments.

Please contact our Data Privacy & Cybersecurity team members for assistance with GDPR compliance, including putting in place measures to fulfil your organisation’s accountability obligation.

[1] This is a specific obligation under Article 5(2) of the GDPR (EU General Data Protection Regulation 2016/679)