At NCDV, safeguarding the integrity of our clients’ and employees’ data under the GDPR framework is a paramount commitment. In our continuous effort to refine our processes and uphold the highest standards, we welcomed the Information Commissioner’s Office (ICO) for an onsite audit on the 15th and 16th of May 2023.
The ICO, an independent regulator, views auditing as a collaborative process aimed at ensuring robust compliance with personal data protection standards. Their expertise and regulatory approach provided us with a well-defined audit plan.
The audit process, though rigorous, proved to be instrumental. It identified areas for improvement and, where necessary, made recommendations to fortify our adherence to the UK GDPR and DPA18 regulations.
A total of 45 recommendations were outlined in the ICO’s original audit report, each prioritised based on the perceived risks they aimed to mitigate.
Over the subsequent months, we worked diligently to address every point raised, underscoring our commitment to data security and compliance. In February 2024, we invited the ICO for a follow-up audit.
The feedback from this audit reflected substantial advancements:
- NCDV have implemented an effective Information Governance (IG) strategy with clear reporting lines, requirements and responsibilities.
- NCDV have improved their records management procedures.
- NCDV have reviewed and updated their DP training programme.
- NCDV have an effective risk management strategy in place to manage information risks.
- NCDV have identified their information assets which are now recorded in their hybrid IAR/ROPA document.
- NCDV have created a DPIA process which includes guidance for staff, a DPIA screening checklist and a DPIA template.
The ICO concluded that NCDV has successfully implemented a comprehensive IG strategy, encompassing updated policies, procedures, DP training, and monthly risk meetings. The proactive engagement with the ICO and external consultants to elevate our DP compliance was also duly recognised.
NCDV would strongly recommend that any organisation handling sensitive client information embrace GDPR and carry out an independent external audit, which will provide it with an action plan for ensuring compliance with the regulations.
Although we have done some great work, there is still more to do. Our future plans are to continue developing our GDPR strategy and to make any necessary updates and changes. My thanks go to all those who have been involved with this project.