Accountability is often referred to as the 7th principle and is one of the key changes to be brought about by the GDPR. It is the case that we will not only have to comply with the GDPR but be seen to comply - evidenced by our systems, policies, procedures and records.

The ICO may request and inspect any of these records at any point and a may deem that they are not sufficient to demonstrate our adherence to the accountancy principle. This in itself could lead to enforcement action by the ICO.

The ICO has produced some good guidance on the Accountability principle

Records of Processing

In order to comply with the recording requirement of the GDPR and to allow us to better manage all our information assets across the University (whether they contain personal data or not), we need to have in place a maintained 'Asset Register' which lists all our individual Information Assets and records such things as:

  • why we process this infomration
  • who it is about
  • how long we keep it
  • what our legal basis for processing is (if it is personal data)
  • how we classify it (in terms of 'public' or 'restricted' etc)
  • where the data comes from and where does it go (Data Flow Mapping)

Full guidance on Infomration Asset Registers and Data Flow Mapping can be accessed below


When we work with any external parties where we will share or transfer any personal data we will need to ensure that we have appropriate contractual arrangements in place to manage that transfer. The form and contents of the contracts (or contract clauses) will depend on the nature of the sharing activities and how each of the parties is defined (as either a data controller or a data processor)

To Do…

  • Identify where we are sharing data outside of the University
  • Identify the roles of the parties involved (Data Controller / Processor)
  • Ensure the correct contractual arrangements are in place before you start sharing

See guidance on Data Sharing and International Transfers

Data Protection Officer (DPO)

The GDPR requires the University to appoint a DPO and specifies the functions of the role as follows:

  • To inform and advise the organisation and the employees carrying out processing of their obligations under the GDPR and other EU or member state data protection provisions.
  • Monitoring compliance with the GDPR and other relevant laws, and with internal policies relating to data protection, including assigning responsibilities, awareness raising, staff training and data protection auditing.
  • Advising on data protection impact assessments and monitoring the performance of the assessments.
  • Co-operating with the ICO.
  • Acting as a contact point for the ICO on issues relating to processing, including prior consultation, and any other situations where consultation is appropriate.