The ICO has introduced informal advisory visits aimed at small-to-medium sized businesses, charities, not-for-profit organisations and public authorities that would like some help to improve their data protection practices.
While it is open to organisations to apply for a full-blown audit, the ICO makes the point in its published guidance on consensual audits that it takes a risk-based approach to such audits. In practice, this is likely to mean that the ICO will give priority to conducting audits of organisations that it considers to be high risk.
While the ICO guidance on advisory visits states that the ICO will give priority to organisations that will benefit most from a visit, the visits are likely to offer the opportunity for more audits of organisations perceived as being low risk who wish to benefit from the knowledge and experience of the ICO’s good practice team.
According to ICO guidance, an advisory visit would take one day and would look at three main areas as follows: Security; Records Management; and Requests for Personal Data. Within each of these areas, the ICO would look at what policies and procedures are in place in order to check that they are appropriate, verify that they are being followed and provide practical advice.
The one day visit would then be followed up by a report which would summarize the findings and identify areas for improvement. The fact that an advisory visit has been conducted with a particular organisation would be published on the ICO’s website. With the consent of the organisation, the ICO would also publish a short summary of the visit (which would include the background to the visit, the areas reviewed and a summary of the findings identifying good practice and areas for improvement.)
Organisations can register their interest in an advisory visit by sending an email to the following address: firstname.lastname@example.org.
The ICO has produced a guide to advisory visits which can be found here.