
What Must My Business Do After Receiving a GDPR Letter From the ICO in England? 


The Information Commissioner’s Office (ICO) is an independent body which aims to help UK organisations comply with the General Data Protection Regulation (GDPR). The UK GDPR contains most of the data protection rules applicable to your business, such as those to do with personal data. If your business is under investigation for a potential UK data protection law breach, the ICO may send GDPR-related letters. Notably, your business must respond to a GDPR letter. Not doing so can result in enforcement action such as hefty fines. This article will explain the nature of ICO correspondence, and how your company can correctly respond within the relevant timeframes.

The ICO’s Powers of Investigation 

Where there is an allegation against your business for a breach of the GDPR, the ICO has broad powers of investigation. Your business will first get a GDPR letter from the ICO informing you that they have started or concluded an investigation. 

Common situations in which the ICO investigates UK businesses include allegations of:

  • failure to report a serious data breach to the ICO within 72 hours; 
  • unfair or unreasonable staff monitoring in the workplace;
  • unsafe storage of employee information and personal information; 
  • data breaches involving personal data of individuals;
  • failure to delete sensitive information when it has served its purpose;
  • failure to correctly handle Subject Access Requests (SARs); or
  • disclosure of personal or sensitive information outside your business without the consent of the relevant individuals (or any lawful reason). 

The ICO aims to handle any breach of the rules fairly and proportionately. If your business is under investigation, the ICO will consider all mitigating circumstances when using its enforcement powers.

Investigation Process 

At the start of any investigation, the ICO will inform you of their concerns and any alleged breach of data protection rules in writing. They may ask you some initial questions to aid their investigation and request specific information from your business.  

Your company should respond quickly with open and honest answers. There is no specific timeframe for responding to ICO correspondence. However, you risk placing your business in further trouble by refusing to provide the requested information or intentionally slowing down the ICO’s investigation. Therefore, it is vital to acknowledge ICO orders promptly. This demonstrates your business’s commitment to, and compliance with, its data protection obligations.


Decision Notice 

At the end of an investigation, the ICO can send your business a ‘decision notice.’ This letter is legally binding and will state whether or not the ICO believes you have complied with the GDPR. If the ICO states that your organisation has not followed GDPR rules, it can provide instructions on remedying the situation.

For example, if they find that your business has failed to provide information under a Subject Access Request (SAR) within the one-month time limit, the letter is likely to state that you must now do so without delay. Alternatively, some notices conclude that your company needs to provide additional information to comply with the SAR fully.

A decision notice usually requires action and response within 35 calendar days of the date on the notice. If your business does not wish to follow the ICO’s instructions or disagrees with the decision, there are two other options.

1. Appeal the ICO Decision

Your company can appeal an ICO decision by lodging a written appeal to the First-Tier Tribunal (Information Rights) within 28 calendar days of the date on the notice. Most businesses use an expert data lawyer to do so.

If your appeal is successful, you can ignore the initial instructions within the ICO’s decision notice. However, if your appeal proves unsuccessful, those original instructions will stand. Notably, the success rate for appeals against ICO decision notices is not particularly high.

2. Ignore the Decision Notice

Alternatively, your business might decide to ignore the notice, but this can be irresponsible. If you ignore a decision notice, the ICO is typically alerted to the fact that you have not responded to or actioned its instructions. It will then consider appropriate enforcement action against your company.

Notably, the ICO can issue a fine of up to £17.5m or up to 4% of your annual turnover. It is not unknown for the ICO to impose penalties in the thousands or tens of thousands of pounds for intentional breach of GDPR rules. Therefore, it is not advisable for your business to ignore the decision notice. Even if you believe your company is not in breach, you should seek the advice of a legal professional to help you appeal the ICO decision.

Key Takeaways

If your business is alleged to be in breach of its data protection obligations, the Information Commissioner’s Office (ICO) can investigate your organisation. The ICO will issue a letter informing you of its investigation. It is unwise to ignore or delay responding to the ICO, as this can lead to further penalties for your business. Following an investigation, the ICO will send a decision notice that may require your business to remedy the breach. You have 35 calendar days to respond. If you believe your business was not in breach, you can appeal the decision, but it is advisable to speak to a lawyer first.

If you need help with data protection rules and ICO correspondence relating to alleged breaches of data protection rules, LegalVision’s experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Are there any other risks in non-compliance with a decision notice?

Technically, failure to comply with a decision notice is contempt of court, so non-compliance can potentially result in a severe fine.

How common are monetary penalties from the ICO?

Aside from significant breaches, the ICO tends to try and give organisations the chance to remedy their breach through instructions within decision notices. However, any failure to comply with a decision notice within 35 calendar days makes a monetary penalty much more likely.

Thomas Sutherland
