Businesses encouraged to welcome data protection audits
Updated August 2011
The Information Commissioner's Office (ICO) has called on private sector companies to welcome data protection audits. This is in light of statistics published in the ICO's 2010/2011 annual report, which found that, whilst a third of all serious breaches reported to the ICO occurred in the private sector, only 19% of private sector companies contacted by the ICO have accepted the ICO's offer of a free data protection audit.
The ICO offers free data protection audits to businesses and organisations across all sectors. However, the private sector is not alone in its reluctance to undergo audits. Of the 100 offers made in 2010/2011 by the ICO to public and private sector organisations to carry out data protection audits, only 30 were accepted.
In an effort to allay fears in relation to the intended purpose of these audits, the ICO has clarified that audits will be used as an opportunity not to name and shame organisations but to share good data security practice and offer practical recommendations. The Information Commissioner has even stated that the private sector should view consensual audits as a "badge of honour".
The ICO has indicated that lenders, general businesses and direct marketing companies are responsible for almost a third of all complaints to the ICO, with businesses topping the bill. It is likely that these areas will be the focus of the ICO's audit efforts over the next 12 months.
In order to ensure that an organisation's data protection policies and procedures are adequate and are being followed in practice, it is advisable to carry out regular internal compliance reviews. Having a regular internal audit procedure in place demonstrates to the ICO, in the event of a complaint or investigation, that an organisation takes data protection compliance seriously. It also reduces the likelihood of breaches occurring, as problem areas can be identified and rectified quickly.
If you would like information about TLT's compliance review service, please contact Alison Deighton.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016