ICO blog: Data protection audits and advisory visits

In the last couple of years, there have been some big changes in the way that we deliver our data protection audit programme. We have been busy trying to encourage businesses and public authorities to see the benefits of having an audit and we have expanded our team to make sure we can meet demand.

Despite the audits being free, and even though we have made a commitment to not issue any monetary penalties if we do find any big problems, it can still be an uphill struggle to get organisations to see the benefits.


To help tackle these problems, we have focused on making sure we are clear on what an audit involves, by publishing our guide to data protection audits and summaries of audit reports. We have proactively approached organisations to ask them to agree to an audit, and where the evidence has supported it, we have asked to extend our compulsory audit powers.

We have also implemented a risk based approach to our work, to help us prioritise who we audit and when. This means we are now working with some of the biggest public and private organisations to help them keep personal data secure and this has provided exciting opportunities for the team to share good practice across a range of businesses and public bodies. We publish summaries of our audit reports on our website.

However, we have recognised that ‘one size doesn’t fit all’. The audits are very helpful to larger organisations who already have the basics in place, understand their obligations but need some help in making sure they are doing all that they can. This leaves a lot of small and medium sized organisations who would really benefit from our help but for whom an in depth audit might be too detailed.

Advisory visits

To help with this, we have started a programme of advisory visits to help these organisations to learn how to get data protection right. This involves a one day visit from a member of our good practice team to see what they do with data and how they do it. The aim is to help small businesses, charities and smaller public authorities who may be struggling to understand what they need to do about data protection and need some basic, practical advice. They aren’t as detailed as an audit, but instead focus on general advice and recommendations.

The visits are aimed at small and medium sized organisations that are processing significant volumes of personal information, or sensitive personal data. These might include charities working with vulnerable people, local housing associations, smaller health practices or colleges and education providers.

During the visits we identify what organisations are doing well and what they need to improve and provide practical recommendations and suggestions to put things right. On the day, we focus on areas such as security, records management and requests for personal data and the visits are also flexible enough to provide an opportunity to ask us questions.

They are free, and at the end the team produce a short report which summarises what to do next. We publish summaries of these reports on our website.

Get involved

By the end of 2012 I expect our good practice team will offer a range of services that suit the different types and sizes of organisations we work with – from small business and local charities through to large, multinational companies and household names. That way, we should be able to say that we are helping to share good practice and meet our vision to be responsive and outward-looking in our approach.

If you’d like to get in touch, please email us at audit@ico.gsi.gov.uk or advisory@ico.gsi.gov.uk.

Louise ByersLouise Byers has responsibility for the delivery of a programme of audits and advisory work aimed at educating and assisting organisations to meet their data protection obligations. She is also responsible for conducting audits using the Assessment Notice powers.
This entry was posted in Louise Byers and tagged , , . Bookmark the permalink.