Data protection and internal investigations

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Data protection and internal investigations
  • Lawful ground for processing
  • Consent
  • Compliance with a legal obligation
  • Legitimate interests
  • Special category data
  • Criminal convictions data
  • Regulatory restrictions on international data transfer
  • Adequacy decision
  • Appropriate safeguards

Increasingly organisations are being required to conduct investigations to meet their legal obligations. Common scenarios that may trigger an investigation include:

  1. an individual raising a concern internally via a whistleblowing hotline or otherwise (whistleblower)

  2. a response to a regulatory or criminal agency demand

  3. part of due diligence in advance of a merger or acquisition

  4. a civil litigation claim

  5. an internal or external auditor’s report

  6. media reports

  7. an external allegation, eg from a customer or counter-party

One of the most challenging areas for multinational businesses is a heightening of the conflict already felt between data protection laws and requirements imposed by legislation aimed at tackling financial crime. For example, under the Bribery Act 2010, the burden of proof is effectively reversed: the company has to prove that it had adequate procedures to prevent those who perform services for it from committing bribery, rather than the prosecution having to prove that it did not. The tax evasion facilitation regime operates in a similar way. This has increased the focus on internal compliance procedures—see Practice Notes: Failing to prevent bribery and Failure to prevent facilitation of tax evasion—compliance issues.

Data protection law has been strengthened too. The UK General Data Protection Regulation (UK GDPR) makes these conflicts more acute and the Data Protection Act 2018 (DPA 2018) introduced additional criminal offences that may be relevant when conducting an internal investigation—see
