Article 58 of the GDPR gives data protection authorities (the national data protection regulators – ours is the Information Commissioner’s Office (ICO)) the power to carry out investigations in the form of compulsory data protection audits. The idea is that such audits enable the regulator to assess an organisation’s data and privacy compliance.
What’s the likelihood that these data protection audit powers will be exercised?
Well, there is already evidence that these audit powers are being used:
- Last year the Swedish authority audited companies they believed should have appointed DPOs to make sure they had
- The Bavarian data protection authority announced it would be conducting compulsory audits of businesses within its control – other German authorities are expected to follow suit
- Our very own ICO announced they would be carrying out a compulsory audit against Leave.EU and Eldon Insurance as a result of a recent investigation (and fine) of the organisations for data protection and marketing breaches
The ICO and data compliance audits in the UK
The ICO does indeed have these powers to conduct audits, does exercise them and has done so for some time. The truth of the matter though is that the ICO generally don’t conduct compulsory audits, preferring to conduct consensual audits – they make this clear in their guide to ICO audits. In this document they set out how they conduct audits, their outputs and their expectations of the audit process.
But essentially an audit may come about in a number of ways:
- A compulsory audit is enforced against an organisation using an “assessment notice” – this is what’s happened with the Leave.EU/Eldon case
- An organisation volunteers itself for a free ICO audit
- The ICO carry out a voluntary review of a particular sector – like they did in April 2018 with some charities
- You’re invited to take part in a “consensual” audit – i.e. you are asked to participate in an audit but it’s not enforced
Should we be volunteering for an ICO audit?
This really depends on what you want to achieve. A consensual audit is unlikely to lead to enforcement action, but the ICO does reserve the right to take action if you were found to be significantly in breach of the regulations. However, depending on the findings you will be expected to take action against what they report as areas for improvement, and you will be expected to demonstrate that as part of an audit follow up.
There is a downside though. A summary report of the findings of their audit is likely to be published, so your compliance could be in the public domain.
If you’re looking for a comprehensive audit from the regulator themselves which is FREE and you’re happy that you could be found to be non-compliant by the regulator and are happy that the results may be published, then volunteering is probably a good way to make sure you are compliant.
Personally though, we think you’d be better off spending a bit of money using a consultant (like us) or making use of our audit tools to get an independent, less formal audit report which you can action yourself, rather than perhaps alerting the ICO to your non-compliance.
Of course if you receive an assessment notice then you have no choice.
Can we audit ourselves?
Yes you can. Indeed auditing or reviewing your compliance on a regular basis is encouraged by the accountability principle. Carrying out an audit would demonstrate that you believe you’re still compliant and provide you with a document to demonstrate all the checks and balances across your organisation.
The Digital Compliance Hub provides tools to help you with this, whether you are reviewing your compliance for the first time, preparing it for the first time or considering a refresh. Plus, via our support service, we can help you every step of the way.
So, should we be worried about being audited?
There is currently a chance the ICO could choose to audit you. If you’re particularly non-compliant and are being investigated then this could always be a possibility. You may, randomly or as part of a wider sector-based project, be asked to participate in an audit, but generally speaking it’s probably unlikely you will be audited, though there is no guarantee that you never will.
But if you’re not compliant and have done nothing to meet the data protection regulatory requirements then we think you should be worried – because if you were randomly selected for a consensual audit, you’re going to find yourself being caught out.
Of course, there is no guarantee that the ICO’s current approach (mainly consensual audits) won’t change. Something may happen which requires the ICO to take a much more compulsory stance on audits, particularly if more and more EU member states’ regulators do start spot-checking more, or should it become an outcome or requirement of any UK-EU deal on data protection in a post-Brexit world.