What Must My Business Do After Receiving a GDPR Letter From the ICO in England? 

The Information Commissioner’s Office (ICO) is an independent body which aims to help UK organisations comply with the General Data Protection Regulation (GDPR). The UK GDPR contains most of the data protection rules applicable to your business, such as those to do with personal data. If your business is under investigation for a potential UK data protection law breach, the ICO may send GDPR-related letters. Notably, your business must respond to a GDPR letter. Not doing so can result in enforcement action such as hefty fines. This article will explain the nature of ICO correspondence, and how your company can correctly respond within the relevant timeframes.

The ICO’s Powers of Investigation 

Where there is an allegation against your business for a breach of the GDPR, the ICO has broad powers of investigation. Your business will first get a GDPR letter from the ICO informing you that they have started or concluded an investigation. 

Common situations in which the ICO investigates UK businesses include allegations of:

• failure to report a serious data breach to the ICO within 72 hours; 
• unfair or unreasonable staff monitoring in the workplace;
• unsafe storage of employee information and personal information; 
• data breaches involving personal data of individuals;
• failure to delete sensitive information when it has served its purpose;
• failure to correctly handle Subject Access Requests (SARs); or
• disclosure of personal or sensitive information outside your business without the consent of the relevant individuals (or any lawful reason). 

The ICO aims to handle any breach of the rules fairly and proportionately. If your business is under investigation, the ICO will consider all mitigating circumstances when using its enforcement powers.

Investigation Process 

At the start of any investigation, the ICO will inform you of their concerns and any alleged breach of data protection rules in writing. They may ask you some initial questions to aid their investigation and request specific information from your business.  

Your company should quickly return with open and honest answers. Additionally, there is no specific timeframe to respond to ICO correspondence. However, you risk placing your business in further trouble by refusing to provide the requested information or intentionally slowing down the ICO’s investigation. Therefore, it is vital to acknowledge ICO orders. This demonstrates your business’ commitment and compliance with its data protection obligations.

UK Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now

Decision Notice 

At the end of an investigation, the ICO can send your business a ‘decision notice.’ This letter is legally binding and will state whether or not the ICO believes you have complied with the GDPR or not. If the ICO states that your organisation has not followed GDPR rules, it can provide some instructions on remedying the situation.

A decision notice usually requires action and response within 35 calendar days of the date on the notice. If your business does not wish to follow the ICO’s instructions or disagrees with the decision, there are two other options.

1. Appeal the ICO Decision

Your company can appeal an ICO decision by lodging a written appeal to the First-Tier Tribunal (Information Rights) within 28 calendar days of the date on the notice. Most businesses use an expert data lawyer to do so.

If your appeal is successful, you can ignore the initial instructions within the ICO’s decision notice. However, if your appeal proves unsuccessful, those original instructions will stand. Notably, the success rate for appeals against ICO decision notices is not particularly high.

2. Ignore the Decision Notice

Alternatively, your business might decide to ignore the notice, but this can be irresponsible. What typically happens if you ignore a decision notice is that the ICO is alerted to the fact that you have not responded or actioned their instructions. They then consider appropriate enforcement action against your company.

Notably, the ICO can issue a fine of up to £17.5m or up to 4% of your annual turnover. It is not unknown for the ICO to award penalties in the thousands or tens of thousands for intentional breach of GDPR rules. Therefore, it is not advisable that your business ignores the decision notice. Even if you believe your company is not in breach, you should seek the advice of a legal professional to help you appeal the ICO decision. 

Key Takeaways

If your business is alleged to be in breach of its data protection obligations, the Information Commissioner’s Office (ICO) can investigate your organisation. The ICO will issue a letter informing you of their investigation. It is unwise to ignore or delay responding to the ICO as this can lead to further penalties for your business. Following an investigation, the ICO will send a decision notice that may require your business to amend the breach. You have 35 calendar days to respond. If you believe your business was not in breach, you can appeal the decision but it is advisable to speak to a lawyer. 

If you need help with data protection rules and ICO correspondence relating to alleged breaches of data protection rules, LegalVision’s experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions