The ICO has recently issued an instrument to support organisations in verifying data protection compliance. The online audit toolkits can be used to conduct both consensual and compulsory audits.

The toolkits are designed for organisation personnel familiar with data protection compliance or for data protection professionals (for example: senior management, the data protection officer, the internal compliance auditor or personnel with IT security responsibilities) and are specifically addressed to large businesses and organisations in the public, private and third sectors.

Ways to use the framework

According to the ICO, the framework does not represent an instrument for assessing the overall compliance of an organisation, as that is a continuous exercise involving many different aspects; however, it can be used as a support tool for keeping an eye on the status of the organisation's compliance, or for other practices, such as:

  • creating a privacy management programme;
  • auditing existing practices against the ICO’s expectations;
  • considering whether existing practices can be improved;
  • recording, tracking and reporting on the progress of company compliance, for example by tracking the existence of policies and procedures; or
  • increasing senior management engagement and privacy awareness across the organisation.

Various toolkits cover different aspects of data protection compliance

The framework is structured on the ICO website into different toolkits, namely:

  1. checklists and guidelines (including legal references) on specific topics, such as accountability, records of processing activities, training, data sharing and other items related to data protection compliance; and
  2. a complete tracker in an Excel file that collects different tabs related to the specific topics. In the tracker, companies can mark the status of compliance for the different toolkits within the scope of the GDPR compliance programme.

The checklists also cover items such as artificial intelligence and the processing of minors’ data.

Among the topics addressed by the ICO assessment toolkits, there are also sections dedicated to the data subjects’ rights, procedures in case of data breaches and data retention guidelines.

It is interesting to note that, for each topic within the GDPR compliance scope, the toolkits include two items: “Ways to meet ICO expectations” and “Options to consider”. These items not only help to shape the compliance project around the ICO’s requirements but also offer the responsible personnel a practical checklist of actions for the specific obligations they must address.

The framework is a very useful instrument for starting off with data protection compliance management tracking and auditing practices, but also for integrating and keeping an overview of a company’s existing accountability practices.