How can organisations ensure they will pass a data protection audit?


The Information Commissioner’s recent statement that “compulsory data protection audits of councils and the NHS are needed to help eliminate really stupid basic errors” has caused mixed reactions. As reported by the BBC, the Department for Communities and Local Government was “surprisingly opposed” to the proposal, whilst the Department of Health was supportive of the principle of audits in parts of the health service.
Regardless of how matters develop in the future, experts warn that something needs to be done to ensure breaches of the Data Protection Act (DPA) are reduced to a minimum. It’s not only taxpayers’ money that is at stake; people’s lives are also affected.
In the UK, all organisations must comply with the DPA or they face stiff penalties. Other countries have local equivalents of the DPA, more information on which can be found at
Alan Calder, CEO of data protection compliance experts IT Governance, says, “The first thing organisations need to do in order to establish their level of compliance with data protection regulations is to conduct a data protection health-check. This can be done internally, if they have qualified people, or by an external data protection consultant.

“The aim of the data protection health-check is to establish the gaps in compliance and produce a report and subsequent plan as to how these gaps are to be addressed. In most cases, organisations find that they lack specific policies and procedures they have to have in place in order to pass an audit. Lack of formal on-going staff awareness training, which is monitored and recorded by management, is often another hurdle for meeting data protection compliance requirements.”
There are ways for organisations to address the above issues:

  • Schedule an appointment with a data protection consultant to conduct a data protection gap analysis.

  • Appoint an experienced data protection compliance officer or train existing team members — this one-day Data Protection Act Foundation course is the ideal starting point.

  • Create policies or procedures that need to be in place in order to implement data protection best practice — the Complete Data Protection toolkit, which contains all necessary documentation templates, is one cost-effective and time-efficient option to do this.

  • Train all staff who have access to personal data in the principles of the Data Protection Act and how to adhere to them — this is best achieved by deploying a DPA Staff Awareness E-learning course which can be adapted to the organisation’s needs.

  • Finally, don’t forget that you regularly need to review your policies and procedures and refresh staff’s knowledge in order to maintain compliance.