How names.co.uk passed an ICO audit with iubenda – and what your business can learn 

What would you do if the Information Commissioner’s Office (ICO) contacted you? 

Would you welcome them? Panic? Or wonder who they are? 

The ICO – the public body that enforces GDPR and cookie compliance – recently got in touch with names.co.uk to let them know it would be conducting an online audit to assess use of non-essential advertising cookies.  

For many businesses, that scenario could end in fines or headlines for all the wrong reasons. But names.co.uk passed with flying colors. 

In a moment, you’ll not only see how using iubenda helped them manage it, but how you can also make sure your business is audit-ready if the ICO ever contacts you. 

What is the ICO? 

The Information Commissioner’s Office is the UK’s regulator for data protection, privacy, and information rights. It enforces the UK GDPR, the Data Protection Act, and the Privacy and Electronic Communications Regulations, ensuring that organizations handle data responsibly. 

If your website uses cookies, or if you process customer data in almost any capacity, the ICO is the body that makes sure you’re compliant with data privacy laws and regulations.  

Why did the names.co.uk website get audited? 

The ICO had identified names.co.uk as one of the top 1000 websites in the UK. This is a great achievement, but with that accolade comes a responsibility to lead by example. The ICO wanted to be sure that cookies were being used correctly – not just meeting the minimum level of requirement but also going above and beyond. 

How does a cookie audit work? 

In a cookie audit, the ICO carries out an online assessment of how non-essential advertising cookies are being used on the website.

The ICO first makes sure the website has a cookie banner. Luckily, the names.co.uk website uses iubenda, so the cookie banner is prominent and highly visible.

The ICO then checks the cookie banner to see if: 

  • non-essential advertising cookies are placed before the user can provide consent 
  • users are unable to reject non-essential advertising cookies as easily as they can accept them 
  • non-essential advertising cookies are placed even if the user did not consent to them 

Once the online audit is complete, the ICO shares its findings in a results letter that states whether the result was a pass or a fail and whether any further action is required.

In short, the process is thorough but designed to be constructive, helping organizations strengthen compliance before problems escalate. 

How names.co.uk successfully passed their audit with iubenda 

The key was having a consent management solution that made compliance simple. By using iubenda’s Consent Management Platform (CMP), they were able to categorize cookies accurately, present users with clear “Accept” and “Reject” options, and ensure that no non-essential cookies were set without valid consent. 

Although that was the scope of this particular audit, the next ICO audit might be more thorough. It's important to be prepared and to foster the right culture. By using the iubenda CMP, names.co.uk could demonstrate to auditors that their systems respected user choice and that consent records were properly logged. It also indicates that their staff understand the principles behind compliance.

For other organizations, the lesson is clear: compliance requires proactive measures. Building audit-readiness into your day-to-day operations through a CMP like iubenda makes an ICO audit far less intimidating – and can make it more likely that you come out on top.  

What are the consequences of not passing an audit? 

Not every organization passes as smoothly as names.co.uk. Although this particular audit was just checking cookie use on the website, there are much more detailed audits that the ICO can choose to run. 

The risks of falling short can be stark. Depending on the nature of the audit, organizations can face fines of up to £17.5 million, or 4% of global annual turnover, whichever is higher.

Recent cases show the ICO is willing to use its powers: in 2023, TikTok was fined £12.7 million for mishandling children's data, and in 2024:

  • Two companies were fined £340,000 for unsolicited marketing calls. 
  • The Police Service of Northern Ireland was fined £750,000 for a spreadsheet error that accidentally exposed the personal information of its workforce. 
  • Sky Betting and Gaming were formally reprimanded for using cookies without consent.  

The ICO doesn't require a formal complaint to run an audit. As in the case here, it can routinely spot-check corporate websites, particularly high-profile ones like names.co.uk. This means any business or website could be subjected to an audit.

Be audit-ready  

If the ICO came knocking tomorrow, would you be ready? 

names.co.uk’s success shows that with the right approach and the right tools, you can face an audit with confidence.  

The ICO doesn’t expect perfection, but it does expect organizations to take compliance seriously, to respect people’s choices, and to back that up with evidence. 

Our CMP is designed to do exactly that. It helps you manage cookie consent in accordance with UK and EU regulations, log choices for audit purposes, and minimize your business’s risks of non-compliance. 

While the ICO is setting high standards for respecting privacy laws and regulations, meeting those standards doesn’t have to be stressful.  

With iubenda, it’s easier to get closer to compliance, so you’re ready if an audit comes your way.