United Kingdom

DPP Law Ltd.

70,300 €

GDPR enforcement action by Information Commissioner (ICO) on 2025-04-14.

Rank · Sector

#108

of 322 in Finance, Insurance and Consulting

Rank · United Kingdom

#23

of 28

Rank · All fines

#568

of 3,042

Case details

Authority: Information Commissioner (ICO)
Date: 2025-04-14
Controller / Processor: DPP Law Ltd.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 (1), (2) GDPR, Art. 33 (1) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The UK DPA (ICO) has imposed a fine of £ 60,000 (EUR 70,300) on the law firm DPP Law Ltd. The controller had suffered a cyber attack during which personal data of 791 clients and expert witnesses were exfiltrated and published on the dark web.

The DPA found that the controller failed to implement adequate technical and organisational measures to prevent such an attack, including the failure to regularly audit administrative accounts on its network, thereby infringing Art. 5 (1) f), 32 (1), and 32 (2) UK GDPR.

The controller also breached Art. 33 (1) UK GDPR by failing to notify the DPA within 72 hours, reporting the incident only 43 days later.

Open original source Links to the regulator's original publication or another source.