The ODPA has the power in law to conduct a data protection audit on a controller or processor. These audits may only be carried out in limited circumstances and will usually follow on from a formal investigation carried out by the ODPA. See schedule 7, para 9 of the Law.
Organisations should also ensure that they fully document and understand their processing activities. Conducting some form of an internal audit
can be a good starting point in building a proactive and effective compliance programme.