Data protection – is your customer data being managed compliantly?
It has now been over 40 years since Eric Howe became the first Data Protection Registrar in September 1984, based out of Manchester.
The Registrar was charged with overseeing the new Data Protection Act 1984 and setting up a register of data users and computer bureaux, which would later become the register of data controllers.
Introduction
Fast forward to 2024: last month (October 2024) the Information Commissioner's Office (ICO) launched a new audit framework to help businesses assess their compliance with data protection law. The framework is made up of nine toolkits covering areas such as accountability, cyber security and personal data breach management, and is intended to help businesses identify where they need to improve. Used well, it can strengthen a culture of compliance and, ultimately, build trust with your customers.
Data protection audit framework
The framework will help you assess your own compliance with some of the key requirements of data protection law. It covers a range of areas you should consider when assessing your business's data protection compliance. The same audit toolkits are used by the ICO when it conducts its own audits, whether consensual or compulsory, so auditing yourself against them shows you what the regulator would expect to see.
Following the approach suggested in the framework does not guarantee that your processing meets every legal requirement that applies to you. You need to consider the specific circumstances of your business and what you are doing with personal information in order to manage the risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures you should put in place.
Who can use the framework?
The framework is designed for people who already have some familiarity with the legal framework and who are responsible for making sure their business complies with data protection law. You could be senior management, the data protection officer, an internal compliance auditor, or someone with records management or information security responsibilities.
The framework is suitable for larger businesses and organisations in the public, private and third sectors. It is not directly aimed at small businesses and organisations, which can instead use the resources on the ICO web hub, such as the self-assessment toolkit.
How do you use the framework?
The framework provides a useful starting point for assessing and auditing your privacy management. The ICO have noted that it is not exhaustive and that you still need to comply with all aspects of data protection law that apply to you. Compliance is not about ticking boxes: you are expected to exercise your own judgement and draw on other relevant guidance and materials.
The ICO have offered various examples on how to use the framework:
· use it as a basis for creating a privacy management programme;
· audit your existing practices against the ICO’s expectations;
· consider whether you could improve existing practices, perhaps in specific areas;
· record, track and report on progress; or
· increase senior management engagement and privacy awareness across your organisation.
The framework is made up of nine distinct toolkits, covering the areas the ICO are likely to look at during an audit.
Each toolkit consists of:
· A range of ICO audit “control measures”. These are examples of measures you should have in place to manage identified risks and to ensure you are effectively complying with data protection law. The ICO are keen to emphasise that there is no ‘one size fits all’ approach.
· A list of ways in which you can meet the ICO’s expectations for each “control measure”. The toolkit lists the most likely ways of meeting those expectations, but the list is not exhaustive.
· Additional options to consider based on examples of good practice the ICO have seen during audits they have conducted.
The ICO have suggested you start with the Accountability toolkit (formerly the Accountability framework) to assess your business’s accountability measures. This toolkit supports the foundations of an effective privacy management programme. The other eight toolkits take a more in-depth look at specific areas of data protection law and allow you to audit your compliance in more detail.
The thread…
For many of our readers this new framework will not be directly applicable because of the size of your organisation, but what it demonstrates is that the ICO still have a keen eye on ensuring that data protection stays high on the agenda of all businesses. In recent times we have found that almost all businesses are registered with the ICO, but the day-to-day management of data protection is not as focused, or as closely aligned with current ICO requirements, as it should be.
If you are reading this and wondering how you can make sure data protection is reflected in the day-to-day running of your business, or when you last checked that you are still compliant with data protection regulation, ask us about managing data protection on your behalf. We will work with you to provide a solution that gives you the confidence and conviction that data protection, and the customer trust it builds, is making a positive impact within your business and on your customer relations.
And Finally
Do you know a good GDPR expert?
I do.
Can I have their email?
No.