 Oops! Au-dit Again: The ICO’s new data protection audit framework
Commercial & Regulatory


The Information Commissioner’s Office (“ICO”) has launched a new data protection audit framework to help organisations to improve their compliance with data protection legislation including the UK GDPR and the Data Protection Act 2018.

The purpose of the new framework is to help organisations identify the steps required to improve their data protection practices and to promote a culture of compliance.

Who can use this framework?

The framework was created for businesses and organisations of various sizes, and specifically for large businesses and organisations in the public, private or third sectors. It is designed to be used by the person in an organisation with data protection experience, whether that is a senior manager, a data protection officer, or the team responsible for data protection. The ICO’s guidance confirms that the framework should be used by someone who is already familiar with the legal framework.

Although the framework may be useful for insight, it is not directly applicable to small businesses and organisations, or intelligence services.

How do businesses use the framework?

This framework is an extension of the ICO’s Accountability framework. There are “toolkits” available to download from the ICO’s website on:

• accountability;
• records management;
• information & cyber security;
• training and awareness;
• data sharing;
• requests for data;
• personal data breach management;
• AI; and
• age-appropriate design.

Each toolkit provides a data protection audit tracker to help businesses conduct their own compliance assessments and highlight areas that require improvement.

The framework should be used as a starting point for businesses to assess and audit their data management. Whilst the toolkits are very helpful, they are not exhaustive. All businesses using the framework should take account of the data protection obligations that apply to them and take steps to ensure they are complying with those obligations.

Although use of the framework will not in itself guarantee compliance, businesses will be able to assess their compliance and, if necessary, improve their internal processes, whilst reassuring their customers that their data is being handled with care.

What does this framework mean for my business?

The framework was created to help businesses of all sizes better understand their data protection obligations, improve their practices and ensure they comply with data protection law. It does not impose new data protection obligations or provide new guidance; it was created to assist organisations in meeting the data protection requirements that are already in place. Significantly, it covers the areas the ICO will look at when assessing data protection compliance.

If you require any Data Protection advice, contact our Corporate, Commercial & Regulatory team.
