Information watchdog launches data protection audit framework to help organisations improve compliance
The Information Commissioner's Office (ICO) has launched a data protection audit framework designed to help organisations, including public bodies, assess their own compliance with key requirements under data protection law.
The framework is intended to be used by professionals responsible for their organisation's data and a working knowledge of data compliance, which could include senior management, data protection officers, compliance auditors or those responsible for records management or cybersecurity.
According to the information watchdog, the framework can be used as a basis for creating a privacy management programme, auditing existing practices against the ICO's expectations, improving existing practices, and recording and reporting on progress.
The ICO said it can also be used to increase senior management engagement and privacy awareness across an organisation.
The framework is an extension of the ICO's existing 'Accountability Framework', and has nine 'toolkits' covering the following key areas:
• Accountability
• Records management
• Information & cyber security
• Training and awareness
• Data sharing
• Requests for data
• Personal data breach management
• Artificial intelligence
• Age-appropriate design
Each toolkit has a downloadable data protection audit tracker that organisations can use to assess their own compliance and track actions that must be taken in areas needing improvement.
Ian Hulme, ICO Director of Regulatory Assurance, said: "Transparency and accountability in data protection are essential, not just for regulatory compliance but for building trust with the public. Research shows us that people increasingly value the responsible use of their personal information, and want organisations to be able to demonstrate strong data protection practices.
"Our new audit framework will help build trust and encourage a positive data protection culture, as well as being flexible in targeting the most pressing areas of compliance. We want to empower organisations to embrace data protection as an asset, not just a legal requirement."
Adam Carey