by Robert Maddox and Aisling Cowell
In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processers should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance with data protection laws.
Such inspections can be stressful and complex for businesses to respond to, with a risk of criminal liability for failing to cooperate properly.
Here, we examine the ICO’s powers to conduct dawn raids, how those powers have been exercised in the past, and outline the steps which businesses should consider taking to prepare effectively for – and appropriately respond to – dawn raids.