Are you going to be audited by the ICO?


Article 58 of the GDPR gives data protection authorities (the national data protection regulators – ours is the Information Commissioner’s Office (ICO)) the power to carry out investigations in the form of compulsory data protection audits. The idea is that such audits enable the regulator to assess an organisation’s data and privacy compliance.

What’s the likelihood that these data protection audit powers will be exercised?

Well, there is already evidence that these audit powers are being used:

The ICO and data compliance audits in the UK

The ICO does have the power to conduct audits, and it has exercised that power for some time. In practice, though, the ICO generally doesn’t conduct compulsory audits, preferring consensual ones – it makes this clear in its guide to ICO audits, which sets out how audits are conducted, what they produce and what is expected of the organisation during the audit process.

But essentially an audit may come about in a number of ways:

  • A compulsory audit is enforced against an organisation using an “assessment notice” – this is what’s happened with the Leave.EU/Eldon case
  • An organisation volunteers itself for a free ICO audit
  • The ICO carry out a voluntary review of a particular sector – like they did in April 2018 with some charities
  • You’re invited to take part in a “consensual” audit – i.e. you are asked to participate in an audit but it’s not enforced

Should we be volunteering for an ICO audit?

This really depends on what you want to achieve. A consensual audit is unlikely to lead to enforcement action, but the ICO reserves the right to take action if you are found to be significantly in breach of the regulations. Depending on the findings, you will be expected to act on the areas for improvement identified in the report, and to demonstrate that you have done so as part of the audit follow-up.

There is a downside, though. A summary report of the audit findings is likely to be published, so your compliance status could end up in the public domain.

If you’re looking for a comprehensive audit from the regulator itself, which is free, and you’re happy that you could be found non-compliant by the regulator and that the results may be published, then volunteering is probably a good way to make sure you are compliant.

Personally though, we think you’d be better off spending a bit of money using a consultant (like us) or making use of our audit tools to get an independent, less formal audit report which you can action yourself, rather than perhaps alerting the ICO to your non-compliance.

Of course if you receive an assessment notice then you have no choice.

Can we audit ourselves?

Yes, you can. Indeed, auditing or reviewing your compliance on a regular basis is encouraged by the accountability principle. Carrying out an audit demonstrates that you have checked you are still compliant, and gives you a document evidencing the checks and balances across your organisation.

The Digital Compliance Hub provides tools to help you with this, whether you are reviewing or preparing your compliance for the first time or considering a refresh. Our support service can also help you every step of the way.

So, should we be worried about being audited?

There is currently a chance the ICO could choose to audit you. If you’re particularly non-compliant and are being investigated, an audit is always a possibility. You may also be asked to participate in an audit at random, or as part of a wider sector-based project. Generally speaking, though, it’s unlikely you will be audited – but there is no guarantee that you never will be.

But if you’re not compliant and have done nothing to meet the data protection regulatory requirements then we think you should be worried – because if you were randomly selected for a consensual audit, you’re going to find yourself being caught out.

Of course, there is no guarantee that the ICO’s current approach (mainly consensual audits) won’t change. Something may happen which requires the ICO to take a much more compulsory stance on audits, particularly if more EU member states’ regulators start spot-checking, or should it become an outcome or requirement of any UK-EU deal on data protection in a post-Brexit world.
