Find out about our audits and how to request one.
What is an audit?
An audit provides an assessment of whether your organisation is following good data protection practice. We believe that audits play a key role in assisting organisations in understanding and meeting their data protection obligations. The audit looks at whether you have effective policies and procedures in place and whether you are following them and includes recommendations from the ICO on how to improve.
What are the benefits of an audit?
You benefit from the data protection knowledge and experience of our audit team, at no expense to your organisation. It is an opportunity for your staff to discuss relevant data protection issues with the members of the ICO’s audit team.
In 2017, 56 organisations who had been audited in 2015 and 2016 were surveyed to help establish whether the ICO was delivering an appropriate level of service and to identify areas for improvement to inform future development. The findings were overwhelmingly positive. The ICO achieved an overall satisfaction rating of 96%.
What areas does an audit normally cover?
An audit can include all or some of the principles of the Data Protection Act (DPA). Examples of areas which may be covered in an audit include:
- data protection governance, and the structures, policies and procedures to ensure DPA compliance;
- the processes for managing both electronic and manual records containing personal data;
- the processes for responding to any request for personal data, including requests by individuals for copies of their data (subject access requests) as well as those made by third parties, and sharing agreements;
- the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
- the provision and monitoring of staff data protection training and the awareness of data protection.
Where agreed with a public authority, the audit can include looking at handling requests made under the Freedom of Information Act. We agree a scope of work with you to make sure the audit is targeting the areas of most interest to both you and the ICO.
How does the ICO conduct an audit?
Following agreement of a scope of work, which is formally documented in a letter of engagement, we:
- carry out an off site check of policies and procedures;
- carry out an on site review of the procedures in practice;
- provide a report which outlines good practice and any areas of improvement with practical recommendations to help you to address these where appropriate;
- write an executive summary that we can publish on our website, with your consent; and
- carry out a follow up review approximately six months after the audit.
What happens to the reports?
Following completion of the audit, we provide a comprehensive report along with an executive summary. The audit report allows you to respond to observations and recommendations made by the audit team. With your agreement, we publish the executive summary on the ICO website. We will keep this information on our website for one year.
Who can request an audit?
Audits can be carried out at public and private companies, public authorities and government departments. We welcome requests for audits but we will focus on those areas we feel we will have the biggest impact.
The audit is an opportunity to get an independent view of your organisation’s data protection practices. It is most suited to larger organisations with an understanding of the basics of complying with the Act, where there are already some policies and procedures, but which may benefit from more focused assistance in meeting their obligations.
How long does an audit take?
Our aim is to complete an audit, from first meeting to issue of the final report, within 30 working days, normally including three days’ at your organisation.
How can I request one?
If you would like your organisation to be considered for a data protection audit, please register your interest.
What good practice and areas for improvement have you seen?
As we can only audit a limited number of organisations each year, we want to share our findings so others can learn from them. We have therefore published a number of reports detailing some of the good practice and areas for improvement we have seen.
The good practice activities we have listed are not necessary to ensure compliance. However, they are things we have observed that work well in practice and positively impact the organisation’s ability to comply with the legislation we are responsible for.
The reports are based on the sectors we have audited most regularly.
The reports will be updated over time, although the frequency of our updates will depend on the amount of audits we conduct in each sector. We will only update the reports when we are confident we can do so without identifying the organisations they relate to. We may also add reports relating to new sectors, depending on the nature of the data controllers we audit.
The reports can all be found on our audits, advisory visits and overview reports page.