Data protection audit framework

This framework will help you assess your own compliance with some of the key requirements under data protection law. It covers a range of areas that we look at when we assess an organisation’s data protection compliance using our audit toolkits to conduct both consensual and compulsory audits. 

If you follow the approach suggested in the framework, it does not guarantee that your processing meets all the legal requirements that apply to you. You need to consider the specific circumstances of your organisation and what you are doing with personal information in order to manage the risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures you should put in place.

This framework is an extension of our existing Accountability Framework.  

Who can use the framework?

The framework is designed to assist you if you already have some familiarity with the legal framework and are responsible for making sure your organisation complies with data protection law. You could be senior management, the data protection officer, an internal compliance auditor or have records management or information security responsibilities. 

The framework is suitable for large businesses and organisations in the public, private and third sectors. It is not directly applicable to:

• small businesses and organisations, who should use the resources on our web hub, such as the self-assessment toolkit; or
• organisations processing personal information subject to Part 4 of the DPA 2018.

How do you use the framework? 

The framework provides a useful starting point for you to assess and audit your privacy management. It is important to note it is not exhaustive and you need to comply with all aspects of data protection law that apply to you. Compliance is not about ticking boxes and you need to exercise your own judgement and use other relevant guidance and materials, including our guidance.

You may decide to use the framework in different ways, for example:

• use it as a basis for creating a privacy management programme;
• audit your existing practices against the ICO’s expectations;
• consider whether you could improve existing practices, perhaps in specific areas;
• record, track and report on progress; or
• increase senior management engagement and privacy awareness across your organisation.

The framework focusses on nine distinct toolkits that we are likely to look at during an audit. 

Each toolkit consists of:

• Some of our audit “control measures”. These are examples of measures that you should have in place to manage identified risks and ensure you are effectively complying with data protection law. While there are some measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.
• A list of ways in which you can meet our expectations in relation to each of the “control measures”. The toolkit lists the most likely ways to meet ICO expectations, but they are not exhaustive. You may meet our expectations in slightly different or unique ways. 
• Additional options to consider based on examples of good practice we’ve seen during our audits.

We suggest you start with the Accountability toolkit (formerly the Accountability framework) to assess your organisation’s accountability measures. This tookit supports the foundations of an effective privacy management programme. The other eight toolkits take a more in depth look into specific areas of data protection law and will allow you to audit your compliance in more detail.

To further help you audit, report and improve your data protection compliance, you can use our data protection audit trackers. The trackers are a downloadable version of each toolkit and they will help you conduct your own assessment of compliance, tracking actions you plan to take in areas needing improvement.

View the data protection audit framework toolkits