ICO Dawn Raids: How to respond and what you can do to prepare – An FAQ

by Robert Maddox and Aisling Cowell


In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processors should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance with data protection laws.

Such inspections can be stressful and complex for businesses to respond to, with a risk of criminal liability for failing to cooperate properly.

Here, we examine the ICO’s powers to conduct dawn raids, how those powers have been exercised in the past, and outline the steps which businesses should consider taking to prepare effectively for – and appropriately respond to – dawn raids.

What is a dawn raid?

A dawn raid is an inspection of a business’s premises conducted without notice. Dawn raids are typically used by the ICO only where less intrusive measures (such as information notices) have been tried but have failed.

When can the ICO conduct a dawn raid?

The ICO must obtain a court warrant to conduct a dawn raid. There are two grounds for obtaining such a warrant:

  1. The Information Commissioner has reasonable grounds to suspect that either:
    • a data controller has failed to comply with certain requirements under the Data Protection Act 2018 (“DPA 2018”) or UK GDPR, covering nearly all substantive obligations; or
    • an offence under DPA 2018 has been committed (e.g., unlawfully obtaining personal data);
     and the court is satisfied that there are reasonable grounds to suspect that evidence of the failure or commission of the offence is to be found on the premises.
  2. If a judge is satisfied that a data controller or data processor has failed to comply with an assessment notice issued by the ICO, the judge may grant a warrant.

In either case, for an inspection without notice to take place, the court must be satisfied that giving notice to the relevant business or individual would defeat the object of the inspection or that the ICO requires entry to the premises on an urgent basis.

Once a warrant has been issued, there is a statutory presumption that the powers of forcible entry, seizure and inspection will be exercised by the ICO within seven days, and that the raid will be carried out within normal UK business hours. The ICO can only enter premises outside of “reasonable hours” if it has reasonable grounds to believe that inspecting the premises during business hours would defeat the purpose of the investigation.

What powers does the ICO have during a dawn raid?

The ICO is empowered to:

  • Enter and search a business’ premises;
  • Inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data;
  • Inspect and seize any documents/material found on the premises which may enable the ICO to determine whether the business has complied with data protection legislation, or which may be evidence of a failure or offence under that legislation;
  • Require any person on the premises to provide an explanation of any document or other material; and
  • Require any person on the premises to provide such other information as is reasonably required for the purpose of the investigation.

What happens after a dawn raid?

Following a dawn raid, the investigators may still request further information, for example by issuing an information notice to clarify questions arising from the raid. If the raid has unearthed evidence of wrongdoing, the ICO may bring enforcement action against the business.

How has the ICO utilised dawn raids in the past?

The ICO does not publish a comprehensive list of dawn raids it has carried out. Based on press statements and annual reports to Parliament, it appears that the ICO has secured a total of 15 confirmed search warrants since the scope of its power to carry out dawn raids was extended to all businesses in 2018.

The most high-profile ICO dawn raid to date was the 2018 search of the offices of political analytics firm Cambridge Analytica, as part of an investigation into claims that Cambridge Analytica had illegally acquired Facebook data and used it for political campaigns. In that instance, the ICO successfully persuaded the court that there were reasonable grounds for suspecting that Cambridge Analytica had breached (i) GDPR Principle 1 (that personal data should be processed lawfully and fairly) and (ii) Principle 7 (that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data), as well as (iii) committing an offence contrary to s55 Data Protection Act 1998 (i.e. unlawfully obtaining personal data).

On this basis, a search warrant was issued under the (previous) Data Protection Act 1998. A search of Cambridge Analytica’s headquarters began less than one hour after this warrant was issued. Following a significant investigation, the ICO did not bring proceedings against Cambridge Analytica, which had then ceased trading.

What can businesses do to prepare for dawn raids?

Businesses may want to consider taking the following pre-emptive steps to ensure that they are prepared for a dawn raid by the ICO (or any enforcement agency):

  • Ensure that front desk staff know who to call if investigators arrive. Businesses may wish to create a list of key personnel who must be informed immediately if an enforcement agency arrives to conduct a dawn raid. This will likely include legal advisors, communications specialists, and representatives of the organisation’s management.
  • Appoint a dedicated “dawn raid response team” to manage and coordinate engagement with investigators. Ideally, this team should be led or supported by the business’s data protection officer (“DPO”) and a senior manager.
  • Train key staff on protocols and procedures for dawn raids. In particular, businesses may want to ensure that staff are aware of how to verify the validity of search warrants and keep adequate records. Staff should also be trained on how to cooperate appropriately with investigators. More widely, businesses should ensure that all staff receive sufficient data protection training so that data protection practices stand up to external scrutiny.
  • Ensure that, where possible, privileged materials are segregated from other materials. Dawn raid investigators should not conduct a review of privileged materials. Therefore, where possible, such materials should be segregated from other documents and clearly marked as “Privileged & Confidential”.

How should businesses respond to a dawn raid?

In the event of a raid by the ICO, businesses may wish to consider the following:

  • Immediate response. Businesses should first verify the identity and authority of the investigators, confirm the validity of any warrant, nominate an employee to be responsible for coordinating with the agent in charge, and alert legal counsel.
  • Record keeping. If possible, businesses should request that an employee or member of the legal team accompanies the investigators during their search of the premises. These individuals should be familiar with the business’s dawn raid response plan (if one exists) and the mandate of the investigation. Written records should be kept of where the investigators visited, who they spoke to, what statements were made and what records were inspected or removed.
  • Intentionally obstructing a dawn raid is a criminal offence. To properly cooperate with the ICO, businesses that are the subject of a dawn raid should: (i) take steps to preserve potentially relevant documents – for example, by identifying likely custodians and notifying them not to destroy any files; and (ii) coordinate with their IT department to put restrictions in place to reduce the risk of inadvertently deleting records and preserve backups as needed. At the same time, businesses should typically not consent to a broader search than the warrant prescribes and should likely avoid providing answers to detailed questions (except the location of documents) without advice from lawyers.
  • Privileged documents. If the ICO attempts to access or seize documents which are believed to be privileged, the names of these documents should be noted down and an objection logged with the ICO.

Robert Maddox is an International Counsel and Aisling Cowell is an Associate at Debevoise & Plimpton LLP. This post first appeared on the firm’s blog. 
