From DSAR to Disaster: How GDPR Is Enforced in the UK, and What Financial Firms Must Do
A care home director was criminally convicted for ignoring a single data subject access request. For financial services firms, the stakes are even higher. Here is how ICO enforcement actually works.
On 3 September 2025, Jason Blake, the director of a care home, stood before Beverley Magistrates Court. His offence? Ignoring a single data subject access request. The result? A criminal conviction and a public fine.
The ICO investigated and found that Mr Blake had breached his legal obligations under Section 173 of the Data Protection Act 2018, a criminal offence involving the concealment of information to prevent disclosure.
This was not a data breach. It was not a cyberattack. It was a failure to follow basic data protection procedure, and it ended in a courtroom.
GDPR enforcement is real. And for financial services firms, the risks are considerably greater.
How Financial Firms Attract ICO Scrutiny
Financial firms are particularly vulnerable to ICO attention because of the volume and sensitivity of the personal data they process: client financial histories, transaction records, investment profiles, and more. There are four primary pathways to regulatory scrutiny.
Direct complaints from individuals: Clients or employees can lodge complaints about mishandled personal data, delays in responding to DSARs, inadequate responses, or persistent unsolicited marketing in breach of PECR. In financial services, complaints often stem from unauthorised sharing of investment profiles or failure to honour opt-out requests.
Media exposure: High-profile coverage in outlets such as the Financial Times or BBC can amplify regulatory pressure rapidly. Stories about data breaches involving customer accounts, or algorithmic bias in lending decisions, can trigger ICO interest even without a formal complaint.
Internal referrals within the ICO: If one ICO team identifies red flags, for example during a routine audit or while reviewing a cyber incident report, it may escalate the matter to specialist units. This is particularly relevant where financial regulation and data protection overlap.
Self-reporting: Proactively notifying the ICO about a breach or compliance issue can itself initiate an investigation. In financial services this may involve phishing attacks on banking systems or leaks of AML data.
Even if a complaint does not lead to formal enforcement, it is recorded and contributes to your firm’s compliance profile. The ICO may request clarifications, recommend policy improvements, or in serious cases pursue regulatory action.
How the ICO Investigates
If scrutiny intensifies, your case may involve several ICO specialist teams:
Civil Investigations Team (CIVIT) handles non-criminal GDPR violations, such as inadequate data security in client onboarding.
Criminal Investigations Team (CRIT) investigates offences including unlawful disclosure of personal data or altering records to evade disclosure. They can execute search warrants, a scenario with the potential to disrupt operations across back, middle and front office.
Cyber Incident Response Team (CIRIT) focuses on breaches such as ransomware attacks on financial databases.
Privacy and Digital Marketing Investigations Team (PDMI) addresses spam and unsolicited communications, common in cross-selling financial products.
Financial Investigation Unit (FIU) pursues unpaid fines and ensures accountability for non-compliance.
Case officers assess the severity of the breach, the sensitivity of the data involved, the number of individuals affected, your response speed, and your overall compliance history. In financial services, where data obligations intersect with FCA rules and AML requirements, these assessments are particularly rigorous.
ICO enforcement tools range from advisory recommendations to binding notices requiring immediate action, or fines of up to 4% of global annual turnover or €20 million, whichever is greater.
Aggravating factors the ICO will consider include:
Insufficient technical measures, assessed proportionally to the sensitivity of data held
Lack of DPO independence or inadequate DPO training
Poor staff awareness and insufficient training programmes
Prior infringements
Limited cooperation with the investigation
Inadequate mitigation efforts
Litigation Risk: Beyond the ICO
Even without ICO action, individuals can sue for compensation under GDPR Article 82, claiming non-material damages, such as distress arising from a data leak affecting their credit score.
Legal professionals at a leading international City law firm have flagged inadequate training as a critical vulnerability, one that strips firms of their first and most effective line of defence in regulatory investigations. Courts will scrutinise your compliance culture. Robust, documented training for DPOs and staff is a tangible legal defence, not just a regulatory box-tick.
5 Signs Your Privacy Training Is a Liability
1. Your DPO cannot explain how GDPR overlaps with FCA rules. In financial services, data protection does not operate in isolation. If your DPO cannot articulate how GDPR interacts with Consumer Duty, SM&CR, or FCA operational resilience requirements, your training has gaps.
2. Training has not been updated since 2022. The regulatory landscape has changed significantly. The Data (Use and Access) Act 2025, updated ICO guidance, and the intersection of AI with data protection all require your training to reflect the current environment.
3. Staff cannot recognise a DSAR. A data subject access request does not need to use formal language. If your front-line staff do not know how to identify one and escalate it correctly, you are exposed.
4. You rely on generic e-learning modules. Off-the-shelf data protection training does not address the specific scenarios your teams face, from client investment data to AI-assisted decisions. Generic training is not a defence.
5. You have no documentation of DPO advice or training logs. If you cannot evidence that training happened, that advice was given, and that issues were recorded and addressed, you cannot demonstrate a compliance culture to either the ICO or a court.
Building a Resilient Compliance Culture
To handle individual requests efficiently and stay ahead of ICO scrutiny, financial firms need a proactive approach:
Maintain up-to-date, sector-specific policies that reflect FCA and GDPR obligations together
Empower your DPO with the resources, authority, and independence to do their job
Document all training, advice, and remedial actions: if it is not written down, it did not happen
In financial services, where GDPR overlaps with FCA principles, AML directives, and increasingly with AI governance requirements, generic training is not sufficient. Tailored, documented, regularly updated training is what turns a potential vulnerability into a compliance strength.
To find out more about sector-specific GDPR training for financial services firms, AI governance training, or AI vendor risk assessments, visit digitalregs.com.