Data Protection Investigations
If you are the subject of an ICO investigation or prosecution, our specialist team of solicitors can provide you with support, advice and representation to ensure your business is protected at all times.
Our data protection solicitors are here to advise and guide you should the ICO contact you with a concern regarding your management or handling of personal information.
We appreciate that contact from the ICO can be daunting but you can depend on us to provide you with practical steps on how to deal with the ICO request as well as to formulate a strategy for the long-term resolution of the matter.
Our data protection solicitors have a proven track record in representing individuals and corporate entities who find themselves being investigated or prosecuted by the ICO.
Often, the investigation of a breach of Data Protection legislation will also encompass other potential criminal offences under Fraud and Computer Misuse legislation. We are nationally recognised as experts in criminal, fraud and regulatory law.
We provide clients with a 24/7 service via our 24 Hour Rapid Response Team available at all times on 07989 521210.
This is important as under the GDPR any breach of personal data must be reported to the ICO within 72 hours. Our team is able to advise you swiftly on the reporting requirement and put in place the measures to assist you in dealing with any future ICO investigation.
Our team has experience of assisting businesses and individuals in a variety of ways including the defence and representation of the following allegations:
- Breach of Data Protection Laws by loss of personal data
- Knowingly or recklessly obtaining, disclosing or procuring the disclosure of personal information without the consent of the data controller (s55(1) and s55(3) Data Protection Act 1998)
- Obtaining personal information illegally, or selling or offering to sell that personal information (s55(4) and s55(5) Data Protection Act 1998)
- Failure to notify the ICO that you hold personal data or that changes have been made to the processing of personal data since the initial registration with the ICO (s17 Data Protection Act 1998)
- Knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller, unless a statutory defence applies such as the prevention or detection of a crime (s.170 Data Protection Act 2018)
- Knowingly or recklessly making a statement in response to an Information Notice from the ICO which is known to be false in a material respect (s144 Data Protection Act 2018)
- Re-identification of de-identified personal data where a person knowingly or recklessly processes personal data that is information that has been re-identified (s171 Data Protection Act 2018)
- Altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure of personal data to the data subject (s173 Data Protection Act 2018)
The main legislation in this area is the Data Protection Act 2018, which replaced the Data Protection Act 1998, and the EU’s General Data Protection Regulation (‘GDPR’), which came into force in May 2018.
Data protection is the fair and proper use of information about people. It is part of the fundamental right to privacy.
It is about organisations treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others and striking a balance with the wider interests of society.
It is also about individuals having the right to determine when and how their personal information is used.
The law applies to you if you hold and process information about people for any business or other non-household purpose. It applies to any ‘processing of personal data’.
Personal data is defined as ‘any information relating to an identified or identifiable living individual’. This would include:
- Company partners
- Business contacts
- Public officials
- Members of the public
Processing information means an ‘operation or set of operations that are performed on information’ such as:
- Collection, recording, organisation, structuring or storage
- Adaptation or alteration
- Retrieval, consultation or use
- Disclosure by transmission, dissemination or otherwise making available
- Alignment or combination
- Restriction, erasure or destruction
The controller is the person who decides how and why to collect and use the data. This will usually be an organisation but can be an individual if you are a sole trader.
If you are an employee acting on behalf of your employer, the employer will be the controller. It is the controller who must ensure that the processing of data complies with the law.
The processor is a separate person or organisation (not an employee) who processes the data on behalf of the controller and in accordance with their instructions.
Processors have some direct legal obligations but these are more limited than the controller’s obligations.
The ICO is the independent supervisory authority for data protection in the UK. It oversees Data Controllers and protects Data Subjects.
The ICO’s primary role is to uphold information rights in the public interest and to oversee the following pieces of legislation:
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2004 (as amended)
- Environmental Information Regulations 2004 (as amended)
- eIDAS Regulation (EU) No 910/2014
- NIS Regulations 2018
- Freedom of Information Act 2000
- General Data Protection Regulations 2018
- INSPIRE Regulations 2009
- Re-use of Public Sector Information Regulations 2015
- Investigatory Powers Act 2016
The ICO regulates compliance and good practice in relation to the handling and processing of personal data.
The ICO performs a number of important functions in that it:
- Offers advice and guidance
- Promotes good practice
- Monitors breach reports
- Conducts audits and advisory visits
- Considers complaints
- Monitors compliance
- Takes enforcement action
Although the ICO does not have any statutory powers to award damages to victims whose data has been compromised, it does have the power to issue fines to organisations who breach their data protection obligations.
The ICO has the power to:
- Investigate and prosecute any breaches of data protection law
- Take a range of regulatory actions, in addition to prosecution, in relation to both the individuals and organisations responsible for the breach
- Issue Information Notices and Assessment Notices to individuals/organisations
- Apply for search warrants in relation to premises where suspected data breach offences have occurred
- Issue Enforcement Proceedings
- Conduct Audits
- Issue Financial Penalty Notices
- Conduct Interviews Under Caution
- Commence Criminal Proceedings
- Issue fines for breaches of data protection laws up to a maximum of 20 million Euros or 4% of annual worldwide turnover, whichever is the greater
- Issue fines for failing to disclose a breach of data protection law up to a maximum of 10 million Euros or 2% of annual worldwide turnover, whichever is the greater
Not only does the legislative framework seek to keep organisations in line with legislation, it empowers individuals who wish to challenge the way in which their personal data is stored and processed.
Individuals are now afforded the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Breach of data protection legislation can lead to criminal and civil sanctions as well as the often significant adverse publicity associated with an ICO investigation.
The enforcement powers of the ICO are quite separate and distinct from the powers of the court.
The GDPR has significantly extended the power of the ICO to impose sanctions. The most notable change is the level of fine that can now be imposed, which has been increased from £500,000 (previously under the DPA 1998) to a level of fine which can extend up to 20 million Euros or 4% of turnover, whichever is the higher, for corporate entities.
With the level of fines now being issued by the ICO being reported in multi-million pounds for the headline cases, it is important for any organisation to seek early and effective legal advice to minimise exposure to such financial punishment.