ICO tries ‘softly, softly’ audit plan

Businesses are being urged to open their doors to staff from the Information Commissioner’s Office who will provide onsite advice on data protection issues and give them a detailed report on any changes that are needed.
Louise Webb, head of good practice at the ICO, said the watchdog had begun operating a new advisory service as an alternative to a full-scale data protection audit – in what has been described as the ICO’s “softly, softly” approach.
Earlier this week, it emerged that the UK’s data protection regime was one of the most lenient in Europe, enabling it to focus “on persuasion rather than punishment to achieve greater data privacy compliance”. By comparison the likes of France, Germany and Spain take a far more “aggressive approach to enforcement”.
However, the ICO’s Christopher Graham is also calling on Parliament to give his office extra powers to carry out on-the-spot audits – so-called data raids – on repeat offenders.
Webb said full-scale audits were often too detailed for all but the largest of firms and said the new service would help smaller organisations to improve their understanding.
Under the new service a member of the ICO’s good practice team will visit organisations “to see what they do with data and how they do it”. The service is targeted at small and medium-sized organisations that process significant volumes of personal data or sensitive personal data, she said.
Webb said: “During the visits we identify what organisations are doing well and what they need to improve and provide practical recommendations and suggestions to put things right. On the day, we focus on areas such as security, records management and requests for personal data and the visits are also flexible enough to provide an opportunity to ask us questions.”
The service is free, and at the end the team produce a short report which summarises what to do next.
Webb admitted that the ICO has struggled to convince organisations of the benefits of agreeing to let it conduct data protection audits despite committing not to fine businesses for problems they find during the course of an audit, making the process more transparent and better targeting where to investigate.
