How-to guide: How to deal with an ICO dawn raid (UK)

Updated as of: 02 March 2025

Introduction

This guide will assist in-house counsel, private practice lawyers and risk and compliance teams with the steps their organisation should take when faced with a dawn raid by the UK Information Commissioner’s Office (ICO).

This guide covers the following:

  1. Overview – legal framework
  2. What is a dawn raid and what powers does the ICO have?
  3. What process must the ICO follow?
  4. What rights do organisations have?
  5. What should you do when faced with a dawn raid?
  6. What can happen following the raid?
  7. An example of the ICO using its dawn raid power

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

This How-to guide can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

Section 1 – Overview – legal framework

The guide covers the requirements under:

  • Regulation 2016/679 – General Data Protection Regulation (EU GDPR) (in relation to certain aspects such as penalties in very general terms);
  • the EU GDPR as it forms part of the domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR); and
  • the Data Protection Act 2018 (UK DPA 2018).

Section 2 – What is a dawn raid and what powers does the ICO have?

The ICO’s enforcement powers include the ability to carry out an inspection without notice – a dawn raid. Subject to it obtaining a warrant, the ICO can:

  • enter and search the premises of any controller or processor;
  • inspect and seize documents and order staff to make copies that can be taken away;
  • observe processing;
  • inspect, examine, operate and test any equipment found on the premises used or intended to be used for the processing of personal data; and
  • interview individuals, including requiring them to give explanations of information.

These powers of entry and inspection are set out in section 154 and schedule 15, UK DPA 2018.

Dawn raids are carried out where there is a risk that evidence will be destroyed or altered if advance warning of an inspection is given. Often other preliminary enforcement action, such as an information or assessment notice, has not been fully complied with by the organisation.

An information notice can be issued under section 142, UK DPA 2018 and requires: 

  • a controller or a processor to provide information that the Commissioner reasonably requires to carry out their functions under data protection laws, or
  • any person to provide information reasonably required for the purpose of investigating a range of offences and other compliance failures.

An assessment notice can be issued under section 146, UK DPA 2018, and gives the ICO extensive powers, such as to require a controller or processor to allow the ICO onto premises, to be shown documents, information and equipment, inspect them, be given copies and explanations, interview staff and observe processing operations. Certain procedural requirements must be followed in relation to assessment notices, and there are restrictions on their effect (such as where legal professional privilege applies) (see section 147, UK DPA 2018).

The ICO now publishes all reprimands on its website (see also ICO’s ‘Action We’ve Taken’ page). The publication of reprimands provides useful guidance as to the standards expected by the ICO and also the focus of enforcement action.

Section 3 – What process must the ICO follow?

The ICO must apply to a judge of the High Court, circuit judge or district judge (magistrates’ court) for a warrant to enter and inspect the controller’s or processor’s premises without notice (paragraphs 1 and 2, schedule 15, UK DPA 2018). For this to be granted, the ICO must show that: 

  • there are reasonable grounds for suspecting that the controller or processor has failed to comply with certain provisions of the UK GDPR (ie, data processing principles, data subject rights, controller and processor obligations, personal data breach notifications, and international data transfers) (section 149(2), UK DPA 2018); or an offence under the UK DPA 2018 is being committed; and
  • evidence of such an infringement or offence will be found on the premises or on equipment at the premises; or alternatively
  • the controller or processor has failed to comply with an assessment notice previously served on it (ie, for an inspection with notice).

The judge must be satisfied that the ICO is justified in requiring urgent access to the premises and that giving the controller or processor advance notice would defeat the object of the inspection (paragraph 4, schedule 15, UK DPA 2018).

Section 4 – What rights do organisations have?

The ICO’s powers to request information are broad, but an organisation may claim exemption for:

  • Parliamentary privilege – the powers of inspection and seizure conferred by a relevant warrant are not exercisable where this would involve an infringement of the privileges of either House of Parliament (paragraph 12, Schedule 15, UK DPA 2018); or
  • privileged communications – there is no general exemption for legally privileged or confidential material, but there are restrictions relating to information in respect of communications:
    • between a professional legal adviser and their client in connection with legal advice about obligations, liabilities and rights under data protection legislation; or
    • in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and for the purposes of such proceedings.

However, the privileged communications exemption does not typically apply to:

  • anything in the possession of a person other than the professional legal adviser or their client; or
  • anything held with the intention of furthering a criminal purpose.

Section 5 – What should you do when faced with a dawn raid?

When faced with a dawn raid, you should:

  • be prepared – have a plan or policy for dealing with dawn raids;
  • seek legal counsel immediately;
  • check the scope of the warrant and ensure the inspection is limited to that;
  • ensure that any information exempt from disclosure is excluded from the inspection (see Section 4 above); and
  • ensure staff are properly briefed on how to respond to questions from the ICO’s investigators and that any interviews are conducted with legal counsel present – be aware that not answering the ICO’s questions or giving false answers may be an offence (see Section 6 below).

Section 6 – What can happen following the raid?

While the investigation is ongoing, the ICO can request further information to clarify matters or documents seized during the raid – this may be done by issuing further information notices.

Once the investigation has been concluded, if the controller or processor is found to have infringed data protection laws, the ICO can use its other enforcement powers to impose a penalty notice for an administrative fine – there are two tiers of fines, depending on the nature of the infringement:

  • the higher of £8.7 million, or 2% of global annual turnover in the preceding financial year (article 83(5), UK GDPR); and
  • the higher of £17.5 million, or 4% of worldwide global turnover in the preceding financial year (article 83(5) and (6), UK GDPR).

In addition, or as an alternative, the ICO may issue an enforcement notice requiring the controller or processor to suspend or cease a particular processing operation, or to take or refrain from taking certain other actions.

There are also various offences related to not cooperating with the ICO, such as:

  • making false statements in response to information notices (section 144, UK DPA 2018); and
  • destroying or falsifying information and documents in response to an information notice or an assessment notice (section 148, UK DPA 2018).

These offences attract criminal liability and can apply to the corporate body and to individual directors (section 198, UK DPA 2018). The courts cannot order custodial sentences, but they can order unlimited fines.

Section 7 – An example of the ICO using its dawn raid power

These powers are not used frequently, but a well-known example is the warrant the ICO obtained to search the Cambridge Analytica offices in May 2018 for infringements related to targeted political advertising. Following a lengthy investigation, the ICO was unable to take enforcement action against the company because it had ceased trading. However, the regulator said that it would have done so if Cambridge Analytica had still been operating, and it has taken action against other parties involved in its broader investigations into the use of personal data in political campaigning.

Additional resources

GDPR in practice: ICO enforcement powers
ICO reprimands
ICO25 strategic plan

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions
How to ensure compliance with the GDPR
How to comply with data processing principles under the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the UK
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach

Checklists:

GDPR compliance self-assessment audit
Lawful processing of personal data under the GDPR
Assessing whether an organisation is a controller or processor under the GDPR
Processor due diligence (data protection and cyber security)
Obtaining and managing consent under the GDPR
What to include in your organisation’s privacy notice
Data subject access rights under the GDPR
When and how to appoint a data protection officer
Making an international transfer of personal data under the UK GDPR
Complying with cookie requirements under the PECR and the GDPR
