The Data Protection Audit Framework
The Information Commissioner’s Office (ICO) have recently launched a new audit framework designed to help businesses assess their own compliance with key requirements under data protection legislation.
The framework has been launched to encourage businesses to identify and implement any necessary steps to improve their data protection practices. It provides a basic-level evaluation of a business’s current compliance, empowering organisations to consider how they handle and protect the personal information they collect.
The benefits of being compliant with data protection laws and regulations are evidenced in the following words from Ian Hulme, Director at the ICO:
“Transparency and accountability in data protection are essential, not just for regulatory compliance but for building trust with the public. Research shows us that people increasingly value the responsible use of their personal information, and want organisations to be able to demonstrate strong data protection practices.”
As beneficial as the new framework is poised to be, it is vital to be aware that following the approach suggested in the framework does not guarantee that your processing meets all the legal requirements that apply to your business. You need to consider the specific circumstances of your business and what you are doing with personal information in order to manage the risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures you should put in place.
How to comply with Data Protection Legislation
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is used fairly, lawfully and transparently, in order to protect customers from predatory data collection practices.
If your business collects any type of personal data, including names, email addresses, birthdays and phone numbers, then a privacy policy (also called privacy notice or privacy statement) is required to ensure GDPR compliance.
Whether your business is new or well-established, there are certain key aspects of your privacy policy that you should regularly consider updating to guarantee GDPR compliance and negate any unwanted liability. For example:
- When you collect data, on your website for example, are you clear and transparent that you are doing so, explaining the type of data you are collecting, why you are collecting it, and for what purposes?
- Do you demonstrate how the data you’re collecting is necessary for your purposes? For example, is the data being used to improve customer experience or market your products?
- Have you checked and amended any data entry forms (such as surveys) that you currently use?
- Do you need to add extra security measures (such as a stronger firewall) to ensure your data is as secure as possible?
- Do you have an opt-out policy? Businesses are required to give customers the ability to delete data that has been collected about them, as well as to opt out of the sale of their personal information.
Having a comprehensive and expertly drafted privacy policy is vital in maintaining the trust of customers whilst preventing any unnecessary risks or liabilities. At Berry Smith, we are experts in advising on data protection, including reviewing and drafting privacy notices. If you would like further information regarding the new audit framework, then please click here. Alternatively, if you wish to read more about what your privacy policy should look like, then please click here.
Please contact us if you would like more information about the issues raised in this article or any other aspect of Commercial law, on 029 2034 5511 or at commercial@berrysmith.com.