ICO Investigations & Internet Solicitors


The Data Protection Act (DPA) creates a number of criminal offences that can only be instituted by the Information Commissioner or with the consent of the Director of Public Prosecutions (DPP). The most relevant DPA offences to consider are:-

Unlawful obtaining etc. of personal data – s.55(1) and 55(3) DPA 1998

It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller.

Selling and offering to sell personal data – s.55(4) and 55(5) DPA 1998

If a person has obtained personal information illegally, it is an offence to offer or to sell that personal information. For the purposes of section 55(5) DPA, an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

Prohibition on processing personal data without registration- s. 17 DPA 1998

The DPA contains a number of notification offences. This is where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing.

Personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner.

Sentences – unlimited fine

Cases can be heard in either the Magistrates Court or the Crown Court with a maximum sentence in either Court of an unlimited fine.

As the body responsible for enforcing and overseeing the DPA 1998, the ICO enjoys enforcement powers quite separate from the court. The Information Commissioner can impose a fine (up to a maximum of £500,000) for serious contraventions of the DPA 1998.

Sentences – imprisonment

Some have called for stronger sentencing powers and for breaches of the Act to carry a possible sentence of imprisonment. However, there already are offences which carry custodial penalties for which those who breach section 55 of the DPA 1998 can be convicted. A person who has breached section 55 could, dependant upon the facts, be prosecuted for:

  • Unlawful interception of communications  – Regulation of Investigatory Powers Act 2000;
  • Unauthorised access to computer material – Computer Misuse Act 1990;
  • Fraud by making a false representation – Fraud Act 2006; or
  • Misconduct in a public office contrary to the common law.

Investigation & prosecution

If you are facing an investigation or prosecution for an alleged breach, the early intervention of a specialist solicitor is a must. Our data protection and regulation law team has dealt with many cases where their timely advice and assistance has ensured a much better outcome for the client.

It is often the case that an unrepresented business will say or do things which prejudice the future defence of their case. We will assist from the very beginning of an investigation and avoid this. We will liaise with the regulator to obtain full disclosure.  Our experienced team will then provide strong guidance on how to deal with investigations, formal interviews under caution and any subsequent court appearances.

We aim to protect you and your business from the potential negative outcomes of an investigation or prosecution. This can often be critical as the consequences of getting it wrong can include significant financial penalties, damage to the reputation of the business, loss of business and possible prison sentences.

Therefore the stakes are high and at Lupton Fawcett, we are able to obtain the very best result for a business by carefully managing all aspects of an investigation. When dealing with an investigation we can often avoid a subsequent prosecution or conviction and the negative consequences of the same. If this is not possible then we aim to ensure that the most lenient sentence is achieved and that the negative consequences of this are limited.

Directors, members and other company officers

Directors and other officers of companies who have committed offences, under the DPA 1998, can become liable for prosecution. Where it is shown that a company has committed an offence and it is proved to have been committed with the consent, connivance of, or due to any neglect on the part of a director or other officer, that person will be guilty of the offence in addition to the company itself That person becomes liable to being sentenced personally.

This principle also applies to the members of a company which is managed by its members.


If your organisation becomes aware of a data breach, then a decision needs to be made as to whether or not to report it to the regulator and/or to anyone affected by the breach.

At present, for most businesses, there is no mandatory obligation to report breaches to the ICO, and no fixed penalty for not doing so.

Whilst it might be beneficial for a company’s reputation to remain silent, self-reporting is currently a factor that will be taken into consideration by the ICO if the breach is later discovered and the ICO considers what enforcement action to take (if any). The cooperation of self-reporting may result in a lower or no financial penalty being imposed.

When the GDPR comes into force the position on self-reporting will change. Businesses will be obliged to self-report without undue delay if they become aware of a serious personal data breach. A breach will be deemed as serious if it is likely to result in a risk to the rights and freedoms of individuals.

At Lupton Fawcett, we can advise you from the offset as to the best ways to prevent, manage and control data breaches and how to deal with the fallout of any such breach.

How Lupton Fawcett can help you

We have experienced Data Protection Solicitors ready to answer your enquiries about any data protection law issues via email or telephone.

Lupton Fawcett are a leading personal and commercial law firm in Yorkshire with well-established offices of highly experienced solicitors in Leeds, Sheffield and York.

We provide a personalised service, with sector specialists and extensive resources to ensure we are giving you the best solutions to your problems.

Within every area of law, we put your interests first.

Our specialist ICO Investigation Lawyers work regularly with clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.

We can support your needs wherever you live in England, Wales, Northern Ireland and Ireland.

We will always respond promptly, and we will be happy to help.

Jeremy Scott and the Regulatory team are available 24/7 on 07971 520407 to advise and assist you.

Please call now for a free, no obligation discussion of your case.

Why Choose Lupton Fawcett?

Having advised and supported many local families, individuals and businesses, we are proud to offer clients a dedicated service from specialist solicitors who are experts in their field:

We're Award Winning

Multi-award winning - Yorkshire Team of the Year, Regional Employment Team of the Year, Employment Law Lawyer of the Year

We're Connected

We're connected to the people, businesses and infrastructure throughout Yorkshire

We Put You First

You can be sure to expect superb client service from us. Our clients are our priority

We're Your Law Firm

Your problems are real but how we approach them makes all the difference

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at law@luptonfawcett.law

  • This field is for validation purposes and should be left unchanged.