Data Security Reminder - the ICO Fines a Firm £60k

Posted on 17th April 2025

The Information Commissioner's Office (ICO) issued a decision on 16 April 2025 to fine law firm, DPP Law Ltd (DPP) £60,000 for breach of the UK GDPR. This is a timely reminder for law firms to prioritise data protection compliance, especially data security. Many of the failings identified by the ICO could be avoided or substantially mitigated by following the ICO-approved GDPR certification scheme, LOCS:23. For more information see here.

In its decision, the ICO highlighted critical data protection lessons for law firms (and others of course). Here are our top 5 takeaways:

1.    Security Failures: DPP failed to implement appropriate technical and organisational security measures. It had not enabled Multi-Factor Authentication (MFA) on a rarely used legacy admin account that carried excessive access privileges. It had also failed to conduct an appropriate risk assessment and asset management audit, either of which should have highlighted that account. A cyber attacker used it to access highly sensitive client data relating to 791 individuals, which was then exfiltrated and posted on the dark web. Despite holding Lexcel accreditation, the firm had not obtained Cyber Essentials certification at the time of the breach.

Action: Firms should review access controls on all user and admin accounts (including legacy, shared and service accounts), enforce MFA on every account with privileged access, carry out appropriate risk assessments, and regularly complete asset management audits so that forgotten accounts and systems are identified and removed. The ICO provides guidance for firms on the secure processing of personal data. Please contact us for any assistance you need with this.
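A concrete version of that account review, as an added example that is not part of the ICO decision or of this post: a short audit over an account inventory that flags the exact pattern in the DPP case (a privileged account without MFA, dormant, and missing from the asset register). The inventory records, role names and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
"""Audit an account inventory for privileged accounts that lack MFA, are
dormant, or are absent from the asset register.

Added example; not code from the ICO decision or from any firm's systems.
The accounts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed role names; substitute those used by your own directory or IdP.
PRIVILEGED_ROLES = {"domain-admin", "global-admin", "backup-operator"}
# Assumed threshold: an account unused for longer than this is treated as dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset           # roles or groups granted to the account
    mfa_enabled: bool          # is MFA enforced at sign-in?
    last_login: Optional[date] # None means no recorded login at all
    in_asset_register: bool    # is the account recorded in the asset register?


Finding = Tuple[str, str, str]  # (account name, severity, message)


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per control gap, most serious first."""
    findings: List[Finding] = []
    for acct in accounts:
        privileged = bool(acct.roles & PRIVILEGED_ROLES)
        dormant = acct.last_login is None or today - acct.last_login > DORMANT_AFTER

        # The DPP pattern: a privileged account reachable with a password alone.
        if privileged and not acct.mfa_enabled:
            findings.append((acct.name, "critical", "privileged account without MFA"))
        # A privileged account nobody uses is pure attack surface: disable or remove it.
        if privileged and dormant:
            findings.append((acct.name, "high", "dormant privileged account; disable or remove"))
        # An account the asset register does not know about cannot be risk-assessed.
        if not acct.in_asset_register:
            findings.append((acct.name, "medium", "account missing from asset register"))

    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("legacy-admin", frozenset({"domain-admin"}), False, date(2021, 2, 14), False),
    Account("j.smith", frozenset({"fee-earner"}), True, date(2022, 5, 30), True),
    Account("svc-backup", frozenset({"backup-operator"}), True, date(2022, 1, 3), True),
    Account("it-admin", frozenset({"domain-admin"}), True, date(2022, 5, 31), True),
]
TODAY = date(2022, 6, 1)  # assumed audit date for the sample


if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE_ACCOUNTS, TODAY):
        print(f"[{severity.upper():8}] {name}: {message}")
```

Run against the sample, the legacy admin account produces all three findings and the dormant backup operator account produces one; the two well-maintained accounts produce none. In practice the inventory would be exported from the directory or identity provider, and the audit scheduled to run regularly rather than once.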

2.    Delayed Notification: DPP did not notify the ICO within the required 72 hours of becoming aware of the personal data breach, instead reporting it 43 days later. The ICO noted that DPP failed to recognise that losing access to the data was in itself a personal data breach creating a high risk to the rights and freedoms of individuals, and so triggered the duty to notify the ICO, irrespective of whether exfiltration had yet been confirmed.

There was high risk to the rights and freedoms of DPP’s clients, including:

o    Jeopardising ongoing criminal proceedings
o    Identifying clients under criminal investigation with a right to privacy
o    Identifying victims and witnesses
o    Exploitation of clients, based on sensitive information.

Action: Firms should ensure that their personal data breach processes and training programmes reflect UK GDPR requirements and ICO guidance, including appropriate risk assessments, and that the 72-hour clock is understood to start when the firm becomes aware of the breach, not when its investigation concludes. Please contact us for assistance with personal data breach procedures.

3.    Sensitive Data Compromised: The compromised data included highly sensitive information. DPP specialised in criminal defence (including sexual offences), family law, and actions against the police. Clients included vulnerable individuals, children, and victims of sexual offences.

Action: Firms should conduct a risk assessment to understand the data they hold and should ensure appropriate security measures are in place that reflect that risk. More sensitive data requires greater security measures. Please contact us for any assistance you need with this.

4.    £60,000 Fine: The decision serves as a reminder of the level of compliance the ICO expects and that sanctions will be applied where required standards are not met. It is a warning to all law firms to ensure that their practices are in order. Failure to do so will be viewed poorly by the ICO in any future investigation and enforcement action.

The ICO noted that physical, material, and non-material damage was likely to result from the breach, highlighting that financial exposure is not limited to ICO fines but could include claims from affected individuals for anxiety, distress and other impacts.

Action: Firms should review this ICO decision, and use it as motivation to dust off their data protection compliance policies and procedures. They should also ensure relevant and effective security measures, consistent with ICO guidance and industry practice. Please contact us for any assistance you need with this.

5.    Compliance with LOCS:23 Certification Standard: This fine relates to a personal data breach that occurred in 2022, predating the ICO's approval of the LOCS:23 certification scheme in 2024. The ICO's fining guidance now indicates that non-compliance with a GDPR certification scheme applicable to the organisation (such as LOCS:23, which specifically relates to the processing of client data by law firms) would be considered an aggravating factor, and compliance with it a mitigating factor. Although the ICO did not mention LOCS:23 in this decision, given that the breach occurred in 2022, we expect the ICO to scrutinise compliance with LOCS:23 for breaches occurring after the standard's approval in 2024.

Action: As a LOCS:23 Qualified Consultancy, Pritchetts Law also helps law firms to assess compliance with the LOCS:23 GDPR certification standard. Please don’t hesitate to contact us for more details.

If you would like to discuss your personal data breach response procedures, security measures, or data protection compliance more generally, please get in touch.

We can help with data protection compliance and training of all kinds, as well as with AI compliance.

Pritchetts Law LLP
Hillside
35 Westbury Hill
Bristol
BS9 3AG
United Kingdom

+44 (0) 117 307 0266
info@pritchettslaw.com

Pritchetts Law LLP is a Limited Liability Partnership registered in England and Wales (company no. OC413975) and authorised and regulated by the Solicitors Regulation Authority (SRA no. 647155). "Partner" refers to a member of Pritchetts Law LLP.
© Copyright 2025 Pritchetts Law LLP