Of all the privacy risks an organisation faces today, there are three ways in which a regulatory audit will typically begin for organisations that do not process special categories of data:

  1. People will complain to a regulator
  2. A data breach will attract a regulator
  3. Whistleblowing will out you to a regulator

Tip #1: Be Aware of Your Own Open Public Privacy Profile

Most organisations are not even aware that they have a public privacy profile; they assume that the privacy policy is all that is public. An organisation's public privacy profile (everything about its data handling that is visible from the outside, not just the policy) is what a regulator looks at first when a company comes to its attention.

Note: In the future, there will be certifications and trust marks that help to automate public privacy for organisations. The European Union is currently building this infrastructure, so until there are standards, or until you find technology that enables your organisation to let people control their own data, it is up to your organisation to be on its best behaviour.

Tip #2: Register with the ICO

Be publicly open and register with an authoritative third party such as the UK ICO data controller registry while you can. Not only is it inexpensive, but it provides an independent point of privacy transparency that increases a brand's trust. The ICO data controller registry gives an organisation a means to show some privacy prowess, and it can be used as part of demonstrating low compliance risk under EU regulation through an independent public privacy profile.

Tip #3: Privacy Response

1. Make sure your privacy policy states the basic data controller identity, address and linkable contact information, so that people and regulators can reach the right party.

2. Respond within the time allotted by UK regulation, regardless of where in the world your organisation resides; if you do, a regulator will not easily have the opportunity to audit you.