Audits that reduce risk

The ICO considers that audits play a key role in assisting organisations to understand and meet their data protection obligations.

A data protection audit is aimed at (1) establishing if an organisation has identified its processing of personal data, made the necessary decisions and produced the necessary policies; (2) discovering if those policies are being followed and the data protection principles complied with; and (3) checking contracts, especially protocols, to identify if an organisation is contractually committed to breaching the DPA.

DESK TOP AUDITS

Our desk top audit comprises a consideration of your data-protection related policies, procedures, contracts and any other relevant documentation in use.

We then prepare a written report that comments on how effectively these comply with data protection law and good practice, any risks we have identified and, if appropriate, makes recommendations for improvements.

ON SITE AUDITS

Our on-site audit comprises a consideration of your data-protection related policies, procedures, contracts and any other relevant documentation in use at your premises, plus we observe how your organisation processes personal information. This includes, amongst other things, how and where paper files are kept, which areas visitors are permitted to access, how and where any CCTV images are monitored and whether staff carry out their duties in accordance with data protection principles. We also, with your agreement, interview selected key members of staff. This gives them the opportunity to explain how the personal information held by the organisation is processed.

We then prepare a written report that comments on how effectively your organisation complies with data protection law and good practice both in theory and in practice, any risks we have identified, what, if any, training programmes should be undertaken and, if appropriate, makes recommendations for improvements.