ICO Investigations

If you find yourself being investigated or prosecuted by the ICO, you will need expert legal advice as soon as possible. Data and privacy breaches and subsequent investigations can be damaging – both to the data subjects who may have had their information mismanaged, and to your company and reputation if it is deemed that you have committed a breach.

If you find yourself subject to an investigation by the ICO, or you become aware of a security breach that may require you to voluntarily refer yourself to the ICO, it’s vital that you speak to an expert to help mitigate the damage.

Draycott Browne have a team of specialist data protection and privacy solicitors with extensive experience who can help.

What is the ICO?

The Independent Commissioner's Office (ICO) is an independent regulatory body put in place to ensure that personal data is collected, handled and stored in accordance with regulations. If the ICO feels that a company or individual has breached these regulations, it has the power to investigate thoroughly and bring action where necessary – potentially leading to prosecution and weighty fines, as well as reputational damage.

What does the ICO investigate?

Almost all businesses, regardless of size, find themselves collecting and managing data - but with the introduction of tighter regulations and requirements in 2018, it’s important to make sure that your organisation is gathering and storing information correctly; failure to do so can have severe legal consequences.

If you or your organisation hold or manage personal information about others, you are known as a ‘data controller’, and are required by law to manage and protect that information in line with the Data Protection Act 2018. The Act lays out the rules for data protection, and in 2018 the General Data Protection Regulation (GDPR) came into force, strengthening the rights of ‘data subjects’ to have their data protected, meaning tougher rules for data controllers. The ICO will investigate any breach of these regulations that it is made aware of. You may have been reported to the ICO by a third party who suspects that you have breached regulations, or if you become aware of a breach within your organisation, you can consider voluntarily notifying the ICO yourself.

What responsibilities does a data controller have?

Under the Data Protection Act, you must ensure that any information you collect is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

Data subjects need to be aware of what you intend to do with their personal information; you are responsible for letting them know why you need their information, what you’ll do with it, and who it will be shared with.

If you find yourself being investigated by the ICO it is likely that you have breached one of these points or policies, inadvertently or otherwise.

What is a personal data breach?

A personal data breach can occur by accident, through error, or be caused deliberately, leading to the loss or alteration of, or unauthorised disclosure of or access to, the information belonging to your clients.

Examples of breaches include:

  • deliberate or accidental action (or inaction) by a data controller
  • accidentally sending personal data to the wrong recipient
  • unauthorised access by a third party
  • unauthorised alteration of personal data
  • devices containing personal data being lost or stolen (such as a laptop or memory stick).

If you become aware of a security incident that may impact the confidentiality, integrity or availability of any personal data that you are responsible for, it is crucial that you act quickly to remedy the situation. Breaches can have catastrophic consequences for individuals, who may suffer a range of losses as a result – so swift containment and damage limitation is key.

It may be necessary, dependent on the severity of the risk, to notify the ICO yourself – it’s prudent to take advice so that an experienced solicitor or lawyer can recommend a course of action. If you decide not to report the breach, it’s important that you document the incident, as you may need to justify your decision at a later date.

Is there a time limit on reporting a breach?

You must report a breach to the ICO without delay - not later than 72 hours after becoming aware of it. If you fail to report the breach within this time limit you will need to give reasons for the delay, and may be seen to be failing to cooperate, which may have a negative impact on your case. With such a short period in which to report a breach, it is imperative that you contact us immediately so that we can move quickly on your behalf.

Responding to voluntary disclosure requests

The ICO might make a slightly less formal ‘voluntary information request’ rather than issuing an Enforcement Notice. An organisation can respond to the ICO with a formal Undertaking which will be posted on the ICO’s website. For some organisations or individuals this is preferable; despite being “named and shamed” by the ICO, it shows an acceptance of the ICO’s position and a willingness to cooperate to fix the issue.

It is important to be aware of potential issues when responding to voluntary disclosure requests, in case providing information voluntarily could breach the confidentiality of data subjects. It’s important to strike the balance between helping the ICO and protecting your own position – this is something that Draycott Browne can help with.

What will the ICO do if a breach has occurred?

If the ICO feels that a breach has occurred, it can start an investigation which may ultimately lead to prosecution. It can issue an ‘Information Notice’ which will require the data controller to hand over information relating to how it processes data. This may be followed by formal enforcement action if the ICO finds that a breach has occurred.

The ICO also has the power to do “spot checks” and to search premises to establish what data a business or individual holds or stores. They can interview individuals or company officials under caution as part of their investigation to help them to determine whether a prosecution before the courts is an appropriate course of action.

If you or your company become aware of a data breach, it is crucial that you take advice from an expert immediately so that you can formulate a course of action and attempt to mitigate any damage, both to the clients whose data you hold and to your own organisation and reputation.

What can I expect if I’m taken to court?

If you are taken to court, your case will either be heard in the Magistrates’ Court or the Crown Court, depending on the severity of the breach. Depending on the outcome, heavy fines can be given; the ICO can fine up to a maximum of £17 million, or 4% of annual turnover, so it is crucial that you find an experienced defence lawyer who specialises in this area.

I’m being investigated by the ICO – how can Draycott Browne help?

If the ICO decides to investigate you or your organisation (either by spot check, information request, or warrant), it is important to seek expert advice as soon as possible, and preferably before taking any action or responding to requests. One of our solicitors will help you to identify a strategy; it may be possible to liaise with the ICO to reach a compromise. Depending on the severity of the incident the ICO may be amenable to an informal investigation, rather than more formal enforcement action, but this requires a careful and considered approach.

You also need to ensure that you comply with applicable regulations and best practice going forward – we can advise you on this. We will consider whether the complaint has merit, gather information and prepare your organisation’s response, and advise you where internal investigations into the allegations are necessary. We will review any relevant privacy impact assessments, risk assessments or data protection compliance audits, and can also help to ensure that you are compliant with any remedial action required by the ICO. We can defend you in court if your case demands it, and following your investigation or prosecution we can advise on necessary staff disciplinary action, staff awareness training, and any required policy change to try to prevent any recurrences.

The ICO Investigation Lawyers at Draycott Browne are widely recognised as one of the North of England's leading teams of regulatory law solicitors, with specialist data breach and ICO investigation expertise.

Contact us today by calling 0161 228 2244. If you would like us to contact you, simply fill in our online enquiry form and a member of the team will be in touch as soon as possible.

We are highly regarded nationally across the legal profession and noted for consistently delivering positive results. Our team possess a breadth of technical knowledge and experience of ICO Investigations and will provide you with the expertise needed throughout the process.

Our team of Criminal Defence Lawyers regularly act for clients in London, throughout the Midlands and of course the North West, including clients from Birmingham and Liverpool. By entrusting Draycott Browne, one of the top Criminal Defence Firms in the country, you can be assured that you will be working with a team of highly skilled and experienced ICO Regulation Lawyers who have a thorough and comprehensive knowledge of the law.

Our legal team is available 7 days a week. For expert legal advice or representation, call Draycott Browne today on +44 (0)161 266 7086.

When you are facing the stiffest challenge, you cannot afford to settle for anything less than Draycott Browne.