Data privacy: When will watchdog ICO get its teeth into private sector audits?

Legal Eye: Momentum is building behind greater data protection compliance...

...a fear that they may be found to be falling below the level of compliance expected by the ICO and a concern over the consequences of being found wanting.

The ICO's guidance on consensual audits does confirm that the ICO will not impose fines as a result of non-compliance discovered in the course of an audit. However, businesses' concerns are not only about fines but also about negative publicity following the publication of an ICO audit.

The ICO will publish the fact that an audit has taken place but will only issue details of the audit if the business agrees. If the business does not agree, then the ICO will publish a statement saying the business has requested the summary of the findings not to be published. Exercising this "right to remain silent" may take the shine off the badge of honour.

It's also clear from the audit guide that the ICO will expect the business to sign up to a programme of rectification within a "reasonable" time frame, and enforcement action may result if this is not agreed to.

Because many businesses still do not have adequate data privacy compliance measures in place, there will be a nervousness about what is expected by the ICO.

First step in auditing process

The ICO's audit guide sets the "starting point" for the audit as the business supplying the ICO with "data protection policy documents, operational guidance, or manuals for staff processing personal data, information asset registers, information governance structures and similar". Even this step may be beyond some businesses.

It remains to be seen whether the Information Commissioner can convince private sector business that he will be using the carrot, and not the stick, when carrying out the audits. What is clear is that the pressure on the private sector business to be transparent in its approach to data protection compliance is unlikely to disappear.

For the moment, there may be safety in numbers from being part of the 81 per cent refusing an audit. But this position is likely to change as more businesses address compliance. This trend will be compounded by commercial pressure from customers and clients as they start to demand more transparency from those businesses processing their personal information.

Even if they don't accept the ICO's offer to look under the hood, businesses would be well advised to take note of this development and to take steps to gain some level of confidence by conducting their own internal audit to assess their level of compliance.

Cameron Craig is partner and head of the EU Information Law Team at law firm DLA Piper.