Audit
We help organisations to improve their data protection practices and their compliance with the laws we regulate. We achieve this by:
- undertaking audits and assessments of organisations’ compliance with data protection legislation; and
- undertaking technical security audits and assessments in relation to the Investigatory Powers Act and the Network and Information Systems Regulations.
Our audits can be carried out consensually or, where appropriate, under an assessment notice.
We have a busy programme of work and provide expert advice to a wide variety of organisations from councils, NHS bodies, police forces and large Government departments to charities, finance companies and some of the biggest names in business. We review each organisation's policies and procedures, interview staff, observe practices, collect evidence, and undertake sampling and testing to allow us to review and assess how data is managed in practice. Once the audit is complete, we write a comprehensive report that identifies areas where the organisation can improve practices and make recommendations about how those improvements can be achieved. A summary of the report is then published on the ICO website for all to see. We also produce outcomes reports to share themes and trends identified in our audits with a wider audience.
International Transfers
We approve transfer mechanisms under article 46 of the UK GDPR and update our guidance as necessary. The team is responsible for reviewing UK BCR documentation and making recommendations to the Commissioner for formal UK BCR approvals.
The team also supports the Department for Digital, Culture, Media and Sport, which helps the Secretary of State make adequacy regulations for third countries receiving international transfers from the UK.
The team is responsible for approving administrative arrangements and for managing and monitoring international transfer notifications received from competent authorities, in line with sections 75 to 77 of the Data Protection Act 2018.
Supervision
We help organisations improve their data protection practices and their compliance with the laws that we regulate. We do this by:
- publishing guidance products for organisations on how to comply with the law;
- supporting the development and assessment of UK GDPR Codes of Conduct and Certification Schemes; and
- coordinating our work to regulate the UK eIDAS regulation.
Our guidance can take many forms, including brief guidance, detailed technical guidance, and products and templates aimed at helping organisations comply with the law.
We created the award-winning ICO Accountability Framework and are responsible for producing guidance in areas such as research, employment issues, and our statutory code of practice on journalism.
Our work supporting UK GDPR Codes of Conduct and Certification Schemes involves supporting external organisations looking to establish these powerful mechanisms, and running the formal ICO processes that consider their adoption. Recent examples include formal approval of certification schemes in the areas of age assurance, age-appropriate design and asset disposal.
Our work on eIDAS covers everything necessary to supervise this regulation, including considering the future policy direction, responding to applications from trust service providers seeking qualified status for their services, and deciding how to respond to regulatory developments, issues and complaints, or potential breaches raised with us.