Find out about our audits and our advisory visits and how to request one.

What is an audit?

An audit provides an assessment of whether your organisation is following good data protection practice. We believe that audits play a key role in helping organisations understand and meet their data protection obligations. The audit looks at whether you have effective controls in place, alongside fit-for-purpose policies and procedures, to support your data protection obligations. We check whether you are following data protection legislation as it applies to your organisation, and the resulting report makes recommendations on how to improve.

What are the benefits of an audit?

You benefit from the data protection knowledge and experience of our audit team, at no expense to your organisation. It is an opportunity for your staff to discuss relevant data protection issues with the members of the ICO’s audit team. 

We recently commissioned an independent survey to help us improve the audit process. You can find out what some of our customers had to say about their audit experience in our summary of the report.

What areas does an audit normally cover?

An audit can include all or some of the principles within data protection and privacy legislation, such as the General Data Protection Regulation (GDPR), as well as FOI or PECR.

Examples of areas which may be covered in an audit include:

  • data protection governance, and the structures, policies and procedures to ensure compliance with data protection legislation;
  • the processes for managing both electronic and manual records containing personal data;
  • the processes for responding to any request for personal data, including requests by individuals for copies of their data as well as those made by third parties, and sharing agreements;
  • the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
  • the provision and monitoring of staff data protection training and the awareness of data protection requirements. 

Where agreed with a public authority, the audit can include looking at handling requests made under the Freedom of Information Act. We agree a scope of work with you to make sure the audit is targeting the areas of most interest to both you and the ICO.

How does the ICO conduct an audit?

Following agreement of a scope of work, which is formally documented in a letter of engagement, we:

  • carry out an off-site check of policies and procedures;
  • carry out off-site tests and interviews with key personnel;
  • review data relating to KPIs and the management of data protection activities;
  • carry out an on-site review of the procedures in practice;
  • provide a report which outlines good practice and any areas for improvement, with practical recommendations to help you address these where appropriate;
  • write an executive summary that we can publish on our website; and
  • carry out a follow-up review approximately six months after the audit.

What happens to the reports?

Following completion of the audit, we provide a comprehensive report along with an executive summary. The audit report focuses on risk and makes observations and recommendations by priority. Finally, we publish the executive summary on the ICO website and we will keep this information on our website for one year.

Assurance ratings

Each audit scope area audited is given a colour-coded internal audit opinion, as defined below.

High assurance – There is a high level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified only limited scope for improvement in existing arrangements and as such it is not anticipated that significant further action is required to reduce the risk of non-compliance with data protection legislation.

Reasonable assurance – There is a reasonable level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified some scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

Limited assurance – There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with data protection legislation.

Very limited assurance – There is a very limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified a substantial risk that the objective of data protection compliance will not be achieved. Immediate action is required to improve the control environment.

Who can request an audit?

Audits can be carried out at public and private companies, public authorities and government departments. We welcome requests for audits, but we will focus on those areas where we feel we will have the biggest impact.

The audit is an opportunity to get an independent view of your organisation’s data protection practices. It is most suited to larger organisations with an understanding of the basics of complying with the data protection legislation, where there are already some policies and procedures, but which may benefit from more focused assistance in meeting their obligations.

How long does an audit take?

Each audit is unique, and the audit timescales depend on the size, scope and requirements of each organisation. However, in general we do preparatory work some weeks ahead of the audit, and our aim is then to complete everything from the on-site work to the issue of the final report within 30 working days. This includes an on-site element of no more than three days.

How can I request one?

If you would like your organisation to be considered for a data protection audit, please register your interest.

For information about what we do with personal data see our privacy notice.

What is an advisory visit?

The aim of an advisory visit is to give practical advice to organisations on how to improve data protection practice. It normally involves a one day visit from the ICO and a short follow up report.

What are the benefits of an advisory visit?

You will benefit from our knowledge and experience to identify what you are doing well and what you need to improve, and you will receive practical recommendations and suggestions to put things right. There is no expense to your organisation, and you get a short report at the end which summarises what you should do next.

How does the ICO conduct an advisory visit?

We will give you an information sheet before the visit to explain what you can expect. We will also ask you to fill out a questionnaire which we will review with you during our visit. We will discuss which members of staff it would be useful for us to speak to and agree a simple schedule for the day.

We will use the one day visit to understand what policies and procedures you have in place and how they can be improved. The visit will also be flexible enough to provide an opportunity for your staff to ask questions.

Within five days of the visit, we will send you a short report which will summarise what we have seen and discussed, and provide you with practical advice.

What areas does an advisory visit normally cover?

There are three main areas that we will look at:

  • Security of personal data – we will review how you keep electronic and manual personal data secure.
  • Records management – we will review how you process records containing personal data, including their creation, maintenance and eventual destruction.
  • Requests for personal data – we will review how you handle individuals’ requests for copies of their personal data and how you manage routine and one-off disclosures to other organisations.

What happens to the reports?

We will publish on our website that we have conducted an advisory visit with you and keep this information on our website for one year. We do this to show which types of organisations we are helping.

Who can request an advisory visit?

Advisory visits are aimed at small to medium-sized businesses, charities and not-for-profit organisations. We are happy to work with organisations in the public and private sectors and will prioritise those that will benefit most from a visit. Unfortunately, due to our limited resources, we are not in a position to offer an advisory visit to all organisations that apply for one.

How long does an advisory visit take?

You will need to complete a short questionnaire before our site visit and we will spend up to a day on site with you. We will send you the short report within five days of the visit.

How can I apply?

Please click here to start the application process.

For information about what we do with personal data see our privacy notice.

What good practice and areas for improvement can I learn from?

We have published some reports that summarise areas of good practice and areas for improvement we have seen across a number of organisations within particular sectors.

The good practice activities listed in the reports are not necessary to ensure compliance. However, they are things we have observed that work well in practice and positively impact the organisation’s ability to comply with the legislation we are responsible for.

These reports are put together for the sectors we have visited most:

We intend to publish more summary reports in the future.