Out-Law News

Audit-light advisory service launched by the ICO


Small UK businesses, charities and local authority organisations are being encouraged to let staff from the Information Commissioner's Office (ICO) visit their premises to provide advice on issues relating to data protection.

Louise Webb, head of good practice at the ICO, said that the watchdog had begun operating a new "advisory" service as an alternative to full-scale data protection audits. Webb said those audits were often "too detailed" for all but the largest of firms and said the new service would help those in smaller organisations to improve their understanding of data protection issues.

"We have started a programme of advisory visits to help these organisations to learn how to get data protection right," Webb said in an ICO blog.

Under the new service, a member of the ICO's "good practice team" will visit organisations "to see what they do with data and how they do it". The service is particularly targeted at small and medium-sized organisations that process "significant volumes" of personal data or sensitive personal data, she said.

Organisations that take part receive a "short report which summarises what to do next" and summaries of these are published on the ICO's website. There are already two reports published from advisory visits conducted last year.

"The aim is to help small businesses, charities and smaller public authorities who may be struggling to understand what they need to do about data protection and need some basic, practical advice. They aren’t as detailed as an audit, but instead focus on general advice and recommendations," Webb said.

"During the visits we identify what organisations are doing well and what they need to improve and provide practical recommendations and suggestions to put things right. On the day, we focus on areas such as security, records management and requests for personal data and the visits are also flexible enough to provide an opportunity to ask us questions," she said.

Under the Data Protection Act the ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended and last month submitted a "business case" to the Ministry of Justice in a bid to secure compulsory powers of audit in the local Government and public health sectors.

Webb said that the ICO has struggled to convince organisations of the "benefits" of agreeing to let it conduct data protection audits, despite committing not to fine businesses for problems it finds during the course of an audit, making the process more transparent and better targeting where to investigate.

Webb said that by the end of the year the ICO will be able to offer more tailored services to organisations around data protection issues. These will "suit the different types and sizes of organisations we work with – from small business and local charities through to large, multinational companies and household names," she said.
