What is an audit?  

An audit provides an assessment of whether your organisation is following good data protection practice. We believe that audits play a key role in assisting organisations in understanding and meeting their data protection obligations. The audit looks at whether you have effective policies and procedures in place and whether you are following them.

What areas does an audit normally cover?

An audit can include all or some of the principles of the Data Protection Act (DPA). Examples of areas which may be covered in an audit include:

  • data protection governance, and the structures, policies and procedures to ensure DPA compliance;
  • the processes for managing both electronic and manual records containing personal data;
  • the processes for responding to any request for personal data, including requests by individuals for copies of their data (subject access requests) as well as those made by third parties, and sharing agreements;
  • the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
  • the provision and monitoring of staff data protection training and the awareness of data protection. 

What are the benefits of an audit?

You benefit from the data protection knowledge and experience of our audit team. It is an opportunity for your staff to discuss relevant data protection issues with the ICARIS audit team.

How long does an audit take?

Our aim is to complete an audit, from first meeting to issue of the final report, within 30 working days, normally including one to three days at your organisation.

What happens to the reports?

Following completion of the audit, we provide a comprehensive report along with an executive summary. The audit report allows you to respond to observations and recommendations made by the audit team.

What if your organisation isn’t compliant?

Icaris will work through the DPA audit with your organisation. Our expertise will help provide solutions and an on-going service to keep you compliant.

DPA penalties and the ICO

The Data Protection Act 1998 (DPA) is enforced by the Information Commissioner's Office (ICO), which has several options when it finds an organisation to be in breach of the Act:

  • Monetary penalty notices: Fines of up to £500,000 for serious breaches of the DPA.
  • Prosecutions: Including possible prison sentences for deliberately breaching the DPA.
  • Undertakings: Organisations have to commit to a particular course of action to improve their compliance to avoid further action from the ICO.
  • Enforcement notices: Organisations in breach of legislation are required to take specific steps in order to comply with the law.
  • Audit: The ICO has the authority to audit government departments without consent.

Monetary penalty notices

The ICO continues to clamp down on non-compliant organisations, as demonstrated by the number and value of fines issued for DPA-related offences over the last few years:

  • 2010: 2 fines totalling £160,000
  • 2011: 7 fines totalling £541,100
  • 2012: 17 fines totalling £2,143,000
  • 2013: 14 fines totalling £1,520,000
  • 2014: 9 fines totalling £668,500
  • 2015: 18 fines totalling £2,031,250
  • 2016 to 1 April: 8 fines totalling £911,000