The ICO exists to empower you through information.

Despite the ICO’s broad and detailed advice and guidance, sometimes action is needed to protect the public and businesses. Our investigations directorate is responsible for investigating potential infringements of:

  • the Data Protection Act 2018;
  • the UK General Data Protection Regulation;
  • Network Information Security (NIS) Regulations 2018; and
  • the Privacy and Electronic Communications Regulations 2003.

We also investigate criminal offences under the Data Protection Act 2018 and the Freedom of Information Act 2000.

Our work is divided into specialist teams as follows:

  • civil investigations (CIVIT);
  • criminal investigations (CRIT) ;
  • cyber incident response and investigations (CIRIT);
  • privacy and digital marketing investigations (PDMIT);
  • financial recovery unit (FRU); and
  • administration support.

We are responsible for investigating civil breaches, contraventions and criminal offences under the laws we regulate. Matters can come to our attention via the organisations themselves, referrals from other ICO departments, the media, or complaints from affected members of the public.

The civil investigation team carries out detailed investigations into non-criminal and non-cyber related infringements of UK GDPR. This can involve using formal powers to obtain evidence, and speaking with senior staff of private companies and public organisations. We have a range of enforcement options available to us in cases where there has been a serious breach of the law. These include enforcement notices,  which are legally binding and monetary penalty notices, which can require organisations to pay a fine of up to 4% of annual revenue or the equivalent of 20 million euros in the most serious of cases, whichever is higher.

The privacy and digital marketing investigation team have responsibility for tackling nuisance calls and messages. We investigate organisations or individuals that make unsolicited marketing calls or send spam texts or emails. We can issue enforcement notices or fine organisations and company officers up to £500,000 in the most serious cases.

The criminal investigation team is responsible for investigating criminal breaches. We have powers to carry out search warrants on domestic or business premises in order to seize and recover evidence.

The financial recovery unit is responsible for the recovery of monetary penalties we have issued for serious contraventions of the Data Protection Act and the Privacy and Electronic Communications Regulations. The team take action to recover any unpaid fines, including formal action such as issuing Statutory Demands, obtaining of Order for Recovery of Awards and the instruction of external lawyers to petition for the winding up of companies or bankruptcy of individuals. Much of the work of the directorate is high profile and our decisions are often published in the media at a local and national level. This requires regular interaction with other internal departments including the press office, as well as liaison with external agencies.