The Information Commissioner, who is responsible for enforcing and promoting compliance with the General Data Protection Regulation (the GDPR), has identified audit as having a key role to play in educating and assisting organisations to meet their obligations. As such, the Information Commissioner’s Office (ICO) undertakes a programme of consensual and compulsory audits across the public and private sectors to assess how organisations process personal information and to provide practical advice and recommendations to improve the way they deal with information rights issues.
Article 58(1)(b) of the GDPR gives the Information Commissioner the power to carry out investigations in the form of compulsory data protection audits, but we predominantly conduct consensual audits. These audits are completed by our Assurance department.
Audit allows us to assess any organisation’s processing of personal data against good practice. This includes, but is not limited to, compliance with the requirements of the GDPR, and may also cover Freedom of Information rights. The executive summary for each audit, which sets out the high-level findings and the assurance rating for each scope area audited, is published on our website.
The benefits of an audit include:
- helping to raise awareness of data protection, general information security and cyber security;
- showing an organisation’s commitment to, and recognition of, the importance of data protection and individual rights;
- the opportunity to access the ICO’s resources at no expense;
- independent assurance of data protection policies and practices;
- identification of data protection risks and practical, pragmatic, organisation-specific recommendations to address them; and
- the sharing of knowledge with trained, experienced, qualified staff and an improved working relationship with the ICO.
The focus of an audit is to determine whether the organisation has implemented policies and procedures to regulate the processing of personal data and whether that processing is carried out in accordance with such policies and procedures. When an organisation complies with its data protection requirements, it is effectively identifying and controlling risks to prevent personal data breaches.
An audit will typically assess the organisation’s procedures, systems, records and activities in order to:
- Ensure that appropriate policies and procedures are in place;
- Verify that those policies and procedures are being followed;
- Test the adequacy of controls in place;
- Detect breaches or potential breaches of compliance; and
- Recommend any required changes in control, policy and procedure.
The scope areas to be covered during the audit will be agreed, in consultation with the organisation, prior to the audit. The scope may take into account any data protection issues or risks which are specific to the organisation, identified from ICO intelligence or from the organisation’s own concerns, and/or any data protection issues or risks which affect its sector or organisations more widely.
The ICO will make recommendations to assist organisations to mitigate the risks of non-compliance, and so reduce the likelihood both of damage and distress to individuals and of regulatory action being taken against the organisation for a breach of data protection legislation.
Following completion of the audit the Assurance team will provide a report that gives an assurance rating for each scope area covered; observations and findings that focus on the areas of weakness and greatest risk or areas of particularly good practice that have been identified; and priority rated recommendations to address the weaknesses and risks. We will also provide an executive summary of the report.
The audit process provides an opportunity for the organisation to respond to the observations and recommendations made by the audit as the action plan is drafted. An executive summary of the final report is published on the ICO website.
Whilst we predominantly conduct consensual audits, the ICO also has the power, under Article 58(1)(b) of the GDPR, to conduct compulsory audits. This power extends to any public or private organisation and is exercised by issuing a compulsory ‘assessment notice’ to evaluate the organisation’s compliance with the data protection principles.