SSAIB Accredited by ICO: What This Means for UK Investigators
The Information Commissioner’s Office has formally accredited the Security Systems and Alarms Inspection Board (SSAIB) as the first monitoring body under Article 41 of the UK GDPR for the ABI UK GDPR Code of Conduct. This development moves the code beyond approval and into a position where it can begin operating with independent oversight.
The ABI (Association of British Investigators) UK GDPR Code of Conduct was originally approved under Article 40, providing a structured framework for investigative and litigation support services. However, without an accredited monitoring body, its practical application remained incomplete. That position has now changed. With SSAIB in place as the independent monitoring body, the code has the oversight required to move towards formal operation, with applications expected to open from May 2026.
While the ABI UK GDPR Code of Conduct is aimed at investigators, its impact extends directly to solicitors and organisations that instruct them. It introduces clearer expectations, tighter controls, and a stronger emphasis on accountability across the entire instruction chain.

A Shift From Guidance to Active Oversight
One of the most important developments is the move from general guidance to a formal, auditable framework with accredited independent oversight.
When the ABI UK GDPR Code of Conduct was first approved, it signalled a shift towards more structured compliance. With SSAIB now formally accredited by the ICO, that structure has real operational weight behind it. Oversight is no longer theoretical. The mechanism required to monitor compliance, handle complaints, and support enforcement is now in place.
For investigators, this means compliance must be demonstrable, not assumed. Policies, decisions, and risk assessments will need to be documented and capable of review.
For solicitors, the shift raises expectations around due diligence. Instructing an investigator is no longer a low-risk outsourcing exercise. There is increasing emphasis on ensuring that third parties operate within a recognised compliance framework. If issues arise, attention is unlikely to stop with the investigator alone.
Why SSAIB’s Accreditation Matters
The accreditation of SSAIB is a major milestone because Article 41 requires approved codes of conduct for private or non-public authorities to have an independent monitoring body in place.
SSAIB’s approval by the ICO confirms that it has demonstrated the required levels of independence, expertise, and governance to perform that role. More importantly, it gives the ABI UK GDPR Code of Conduct the infrastructure it needs to function as intended.
For the sector, this creates a clear route for organisations to demonstrate accountability. For clients and the public, it provides greater confidence that compliance is being independently assessed rather than self-declared.
Controller vs Processor: Why This Now Matters More
The code places strong emphasis on correctly identifying whether an investigator is acting as a controller, joint controller, or processor. This assessment must be made before any work begins and cannot be decided purely by contract.
In many cases, investigators will be deemed controllers or joint controllers because they exercise discretion over how information is obtained and processed. This is a notable shift from the common assumption that investigators act as processors.
For solicitors, this has practical consequences. Data sharing arrangements may often be controller-to-controller rather than processor-based. This affects contractual terms, responsibility for compliance, and liability in the event of a breach. It also means solicitors cannot rely on simple processor agreements to manage risk.

DPIAs Are Now Central to Investigative Work
Data Protection Impact Assessments are positioned as a core requirement within the ABI UK GDPR Code of Conduct, particularly where processing is likely to be high risk. This includes surveillance, covert activity, use of sensitive data, or cases involving vulnerable individuals.
The expectation is that DPIAs are carried out in advance, properly documented, and tailored to the specific circumstances of each investigation.
For solicitors, this introduces an additional layer of consideration before instructions are given. In higher-risk cases, there may be a need to confirm that a DPIA has been completed or to understand the conclusions reached. Where roles overlap, there may also be shared responsibility for ensuring that risks have been properly assessed.
Legitimate Interests Under Greater Scrutiny
Legitimate interests remains a key lawful basis for investigative work, but the ABI UK GDPR Code of Conduct raises the standard for how it is applied. Investigators are expected to carry out and document a Legitimate Interests Assessment, addressing purpose, necessity, and the balance between business interests and individual rights.
This is not a formality. The balancing exercise must be evidence-based and capable of withstanding scrutiny.
For solicitors, reliance on legitimate interests becomes more complex. There is a risk in assuming that the investigator’s assessment is sufficient without understanding how it has been reached. In higher-risk matters, it may be necessary to seek assurance that the lawful basis has been properly considered and documented.

Invisible Processing and Covert Activity
The ABI UK GDPR Code of Conduct addresses invisible processing directly, recognising that much investigative work involves collecting information without the knowledge of the individual concerned. This includes surveillance, online monitoring, and certain forms of background research.
Such activity is not prohibited, but it is tightly controlled. It must be necessary, proportionate, and justified in the specific context. The reasoning behind any decision to proceed must be clearly documented.
For solicitors, this is an area of increased exposure. Instructions involving covert techniques require careful consideration. It is no longer sufficient to rely on the investigator’s judgement alone. The rationale for using such methods should be clear at the point of instruction, with an understanding of why less intrusive alternatives are not appropriate.

Claimed Compliance vs Verified Compliance
It is increasingly common to see investigators describe their services as “compliant with” or “working to” the ABI UK GDPR Code of Conduct. While these phrases may suggest alignment with the code’s principles, they do not in themselves demonstrate that those standards are being met in practice.
The introduction of SSAIB as the independent monitoring body changes this distinction significantly.
Under the framework established by the code, compliance is not based on self-declaration, but rather assessed through an independent audit process designed to test whether policies, procedures, and real-world practices meet the required standard.
Successfully passing an SSAIB audit provides objective evidence that an organisation is operating in line with the code. It is, in effect, a formal fact check of compliance claims.
Monitoring, Audits and Enforcement
This is where the most tangible change has occurred. With SSAIB now accredited by the ICO, the monitoring framework required under Article 41 is in place.
Organisations that apply under the code will be subject to independent review, alongside a formal complaints process and ongoing oversight. Where issues are identified, outcomes may include corrective actions, retraining requirements, suspension, or removal from the code.
SSAIB is expected to begin accepting applications from May 2026, marking the point at which the code transitions from an approved framework into active use.
For solicitors, membership of the code is likely to become an increasingly important indicator of compliance standards. While not mandatory, it provides a level of assurance that an investigator is operating within a recognised framework that is subject to independent monitoring.

Conclusion
The ABI UK GDPR Code of Conduct has already raised the standard for data protection across the investigations sector. The ICO’s accreditation of SSAIB as the first monitoring body under Article 41 takes that a step further.
For investigators, the focus is on structure, documentation, and defensible decision-making. For solicitors, the impact is just as significant. The way investigations are instructed, assessed, and relied upon must now evolve in line with a code that has independent oversight and a clear path to operation.
Those who adapt early will be better placed to manage risk, demonstrate accountability, and build trust in an area receiving increasing regulatory attention.

FAQs
What has changed most recently?
The ICO has accredited SSAIB as the independent monitoring body for the ABI Code, allowing it to move towards formal operation.
Does the ABI UK GDPR Code of Conduct apply to solicitors?
The code is aimed at investigators, but it directly affects solicitors by shaping how investigations are instructed and managed.
Can investigators still be treated as processors?
In some cases, yes. However, many investigative activities involve enough independence to make the investigator a controller or joint controller.
Do all investigations require a DPIA?
Not all, but many will where there is a higher risk to individuals, such as surveillance or use of sensitive data.
Can legitimate interests still be relied on?
Yes, but it must be supported by a clear and well-documented assessment.
Should solicitors prioritise firms signed up to the code?
It is not mandatory, but it is likely to become a strong indicator of good practice, particularly now that independent monitoring is in place.