What Solicitors Should Expect Under the ABI UK GDPR Code of Conduct

What Solicitors Should Expect Under the ABI UK GDPR Code of Conduct

With SSAIB now formally accredited by the ICO as the monitoring body for the ABI UK GDPR Code of Conduct, the question for solicitors is no longer just what the code says, but what it should now look like in practice.

That recent development matters because it moves the ABI (Association of British Investigators) UK GDPR Code of Conduct beyond approval alone and into a position where it can begin operating with independent oversight. For solicitors, that makes the code more than a useful benchmark. It makes it a more practical indicator of what standards they should expect when they instruct an investigator.

That is where the ABI UK GDPR Code of Conduct is especially helpful. It does not just set out standards for investigators, it also gives solicitors a clearer sense of what they should expect when they instruct one. Not in theory, but in the day-to-day handling of a matter.

For firms that already work with professional, well-governed investigators, much of this will feel familiar. The difference is that the ABI Code now sits within a more complete framework, with accredited monitoring behind it. It gives clearer shape to the way investigations should be scoped, justified, documented and delivered.

A good investigator should want a clear brief

One of the clearest messages in the Code is that an investigation should start with a defined purpose. That sounds obvious, but it matters.

A well-prepared investigator should not be looking for a vague instruction and a free hand. They should want to know what the issue is, what the objective is, and how the information gathered is going to be used. This makes sure the work is targeted and proportionate from the outset.

For solicitors, that is a useful benchmark. If an instruction can be narrowed, clarified or better framed, that is usually a sign of a careful approach rather than an obstructive one.

Solicitors should expect investigators to understand their role properly

One of the areas the ABI UK GDPR Code of Conduct deals with more clearly is the question of whether an investigator is acting as a controller, joint controller or processor.

That matters because, in practice, investigators are often doing more than simply following a script. They are applying judgement. They are deciding how best to obtain information, what steps are appropriate, and how a matter should be progressed. In many cases, that means their role is more independent than some clients may assume.

Solicitors should expect a competent investigator to have thought this through. Not as a box-ticking exercise, but as part of understanding how the work is being carried out and where responsibility sits. That conversation is part of a mature instruction process.

Lawful basis to be built into the work, not added later

The ABI Code of Conduct also reinforces something that has always mattered in this space: if personal data is being processed, there must be a sound legal basis for doing so.

From a solicitor’s point of view, the important thing is not that every instruction comes with a lecture on data protection. It is that the investigator has a proper rationale for the work being undertaken and can explain it if needed.

That is especially relevant in cases where the facts are sensitive, the subject matter is contentious, or the methods involved are more intrusive. A good investigator should be able to show that the work has been thought through properly and is not simply being justified after the event.

A proportionate approach, not an expansive one

One of the strengths of the ABI Code of Conduct is that it supports a more disciplined approach to investigations. That matters because the best investigations are rarely the widest ones. They are the ones that stay close to the issue they are meant to resolve.

For solicitors, this means expecting investigators to use methods that fit the task. If a matter can be advanced through limited and proportionate enquiries, that should be the starting point. There should be a clear link between the instruction given and the method used.

That is good practice in any event, but the Code makes it easier to see it as part of a wider professional standard.

With SSAIB now accredited to monitor compliance under the code, proportionate decision-making is likely to become an even more important feature of what good investigative practice looks like.

Solicitors should expect proper thought to be given to risk

Not every investigation is high risk, but some plainly are. The ABI UK GDPR Code of Conduct recognises that and gives proper weight to risk assessment, particularly where surveillance, sensitive data, vulnerable individuals or more complex fact patterns are involved.

From a solicitor’s perspective, that should translate into confidence that an investigator is not just focused on getting an answer, but on how that answer is obtained. In the right cases, that will involve a structured assessment before work begins. It may involve a DPIA. It may involve careful consideration of whether a particular line of enquiry is justified at all.

The recent accreditation of SSAIB adds practical significance to that. A framework that includes independent monitoring naturally places greater importance on showing that risks have been considered in a structured way.

Trace work to be handled carefully

One of the more practical areas covered by the ABI UK GDPR Code of Conduct is trace and locate work. This is useful because tracing is often treated as straightforward when, in reality, it can raise distinct questions about collection, verification and disclosure.

For solicitors, the key point is that a good investigator should have a clear process for how trace work is undertaken and how the result is handled. That includes understanding what can be established, how reliable it is, and what steps may need to be taken before information is passed back.

As the code moves towards formal operation, this kind of disciplined handling becomes more than a mark of good habits. It becomes part of the standard solicitors should increasingly expect from investigators working within a recognised framework.

Careful handling of sensitive information

Investigations can involve information that is inherently delicate, whether that is health data, family circumstances, financial issues, allegations of dishonesty or potential criminal conduct.

The ABI UK GDPR Code of Conduct raises the bar here in a sensible way. It underlines the need for proper safeguards, defined justification and disciplined handling.

For solicitors, that means expecting investigators to recognise the difference between information that is simply useful and information that requires a more considered approach. It also means expecting them to collect no more than is needed and to handle what they do collect securely and responsibly.

Solicitors should expect a proper record of the decisions made

A strong investigation file is not just about results. It should also show how those results were reached.

That is one of the most important practical effects of the ABI UK GDPR Code of Conduct. It supports a more auditable approach. Not because every matter is going to be challenged, but because a well-run investigation should be capable of being explained if it is.

Solicitors should expect there to be a clear record of the purpose of the instruction, the broad reasoning behind the approach taken, any relevant risk assessment, and the basis on which information has been obtained and reported. That sort of record is part of making the final product more robust.

This is where professional standards really matter

The firms best placed under the ABI UK GDPR Code of Conduct are likely to be those that already work within structured, disciplined frameworks.

That is where recognised standards become relevant. Information security accreditation such as ISO 27001 speaks to how sensitive material is stored and handled. ISO 9001 says something about the consistency and control behind the process itself. A close relationship with the ABI also reflects engagement with the standards shaping the sector.

For solicitors, those markers are useful. They do not replace judgement, but they do help indicate whether an investigator is operating in a way that is organised, accountable and aligned with the direction of travel in the industry.

What this should mean for solicitors day-to-day

The ABI UK GDPR Code of Conduct does not ask solicitors to become investigators, and it does not require them to supervise every operational detail. What it does do is make it easier to identify the difference between a loosely run instruction and a properly managed one.

A solicitor should now be able to expect an investigator to ask the right questions at the start, understand their role, apply a lawful and proportionate approach, handle sensitive data carefully, and keep a proper record of the work.

That is good for compliance, but it is also good for the quality of the investigation itself. Clearer instructions, better structure and stronger documentation tend to produce more reliable outcomes.

Conclusion

At its best, the ABI UK GDPR Code of Conduct is not about making investigations more complicated, but about making good practice clearer.

That is a positive development for solicitors. It provides a more useful benchmark for what a professional investigation service should look like and what should sit behind the end product.

The real value of the Code is in the standard it helps define, and for solicitors instructing investigators, that standard should now be easier to recognise.

Take a look at a full breakdown of the ABI UK GDPR Code of Conduct in the video below:

FAQs

Does the ABI UK GDPR Code of Conduct change what solicitors should ask at the point of instruction?

It sharpens the focus. A clear objective, proportionate scope and understanding of how the work will be approached are all more important under the Code.

Why does the SSAIB accreditation matter?

It means the ABI Code now has the independent monitoring body required under Article 41, so the framework behind it is more complete and can move towards formal operation.

Is the Code mainly about compliance paperwork?

No. The paperwork matters, but the real point is to support a better-structured and more defensible investigation process.

What does the Code mean for trace and locate work?

It encourages a more clearly defined process around how tracing is carried out and how the resulting information is handled.

Why do accreditations such as ISO 27001 and ISO 9001 matter here?

They are useful indicators that a firm has strong systems around information security, consistency and quality of process, all of which sit comfortably with the standards reflected in the Code.