The ICO exists to empower you through information.

What is an audit?

An audit provides an assessment of whether your organisation is following good data protection practice. We believe that audits play a key role in assisting organisations in understanding and meeting their data protection obligations. The audit looks at whether you have effective controls in place alongside fit for purpose policies and procedures to support your data protection obligations. We check if you are following data protection legislation as it applies to your organisation and the resulting report makes recommendations on how to improve.

Who can request an audit?

Audits can be carried out at public and private companies, public authorities and government departments. The Information Commissioner has adopted a risk-based, proportionate and targeted approach to audit activities and follows a by-exception approach to reporting. We welcome requests for audits but we will focus on those areas we feel we will have the biggest impact and organisations who would benefit the most from an independent assessment of their compliance with data protection legislation.

The audit is an opportunity to get an independent view of your organisation’s data protection practices. It is most suited to organisations with an understanding of the basics of complying with the data protection legislation, where there are already some policies and procedures, but which may benefit from more focused assistance in meeting their obligations. Smaller organisations, who do not meet this criteria, may find our resources on our dedicated SME website hub provides some useful advice to help get data protection right.

What are the benefits of an audit?

You benefit from the data protection knowledge and experience of our audit team, at no expense to your organisation. It is an opportunity for your staff to discuss relevant data protection issues with the members of the ICO’s audit team. 

We recently commissioned an independent survey to help us improve the audit process. You can find out what some of our customers had to say about their audit experience in our summary of the report.

What areas does an audit normally cover?

An audit can include all or some of the principles within data protection and privacy legislation as well as FOI or PECR.

Examples of areas which may be covered in an audit include:

  • data protection governance, and the structures, policies and procedures to ensure compliance with data protection legislation;
  • the processes for managing both electronic and manual records containing personal data;
  • the processes for responding to any request for personal data, including requests by individuals for copies of their data as well as those made by third parties, and sharing agreements;
  • the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
  • the provision and monitoring of staff data protection training and the awareness of data protection requirements. 

Where agreed with a public authority, the audit can include looking at handling requests made under the Freedom of Information Act. We agree a scope of work with you to make sure the audit is targeting the areas of most interest to both you and the ICO.

How does the ICO conduct an audit?

Following agreement of a scope of work, which is formally documented in a letter of engagement, we:

  • carry out a check of policies and procedures;
  • carry out tests and interviews with key personnel;
  • review data relating to KPI’s and management of data protection activities;
  • carry out a review of the procedures in practice;
  • provide a report which outlines good practice and any areas of improvement with practical recommendations to help you to address these where appropriate;
  • write an executive summary that we can publish on our website; and
  • carry out a follow up review approximately six months after the audit.

What happens to the reports?

Following completion of the audit, we provide a comprehensive report along with an executive summary. The audit report focuses on risk and makes observations and recommendations by priority. Finally, we publish the executive summary on the ICO website and we will keep this information on our website for one year.

Assurance ratings

Each audit scope area audited will be rated as per the below table

Colour code

 

Internal audit opinion

Definitions

 

 

High assurance

There is a high level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified only limited scope for improvement in existing arrangements and as such it is not anticipated that significant further action is required to reduce the risk of non-compliance with data protection legislation.

 

 

Reasonable assurance

There is a reasonable level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified some scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

 

 

 

Limited assurance

There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

 

 

 

Very limited assurance

There is a very limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.

How long does an audit take?

Each audit is unique and the audit timescales are dependent on the size, scope and requirements of each organisation. However, in general we do preparatory work some weeks ahead of the audit and then our aim is to complete our work and to issue the final report within 30 working days.

How can I request one?

If you would like your organisation to be considered for a data protection audit, please register your interest.

For information about what we do with personal data see our privacy notice.