The ICO has expressed a desire to see an increase in the number of data protection audits carried out in the UK. This desire is outlined in the annual report of the UK Information Commissioner’s Office, which was published this month. The ICO’s current mandatory powers apply only to public sector bodies. For private sector businesses, the ICO requires agreement before carrying out an audit, which in that case is known as a consensual audit. The figures in the report show that private sector bodies need persuading: only 19% of private sector businesses accepted the ICO’s offer of a consensual audit.
The auditing procedure is free and the ICO’s team is skilled, so why is the private sector so reluctant to take advantage of this offer? Part of the answer lies in the report itself. Before recent changes to the law, the ICO was seen as a soft touch compared to other data protection regulators in Europe. The ICO has used its newly given powers to make sure that it is regarded as a regulatory force to be reckoned with. The ICO has also taken a firm stance against businesses that have breached data security requirements. Six fines totaling £120,000 have been imposed since April 2010. In an attempt to persuade private sector bodies, the report clarifies that consensual audits are not solely about shaming those found guilty of wrongdoing. The report also says that undergoing a consensual audit with the ICO should count as a badge of honour for the company.
It is not entirely unexpected that the privacy watchdog is not being welcomed with open arms in the private sector. The nervousness of private sector bodies can be attributed to the fear of falling below the level of compliance expected by the ICO. The ICO does not impose fines for non-compliance found in the course of an audit, but the major concern of businesses is not the fine but the negative publicity that will follow an audit by the ICO. Since many businesses still do not have adequate data privacy measures that comply with the ICO’s expectations, this nervousness is unsurprising.