UK ICO Seeks Feedback on New Draft Enforcement Guidance

On October 31, 2025, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Data Protection Enforcement Procedural Guidance (the “Guidance”).  The draft Guidance sets out the ICO’s updated procedures for investigations and enforcement under the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”).  Amongst other things, it reflects changes introduced by the UK Data (Use and Access) Act 2025, such as the expansion of the ICO’s investigatory powers.

Once finalized, and alongside the ICO’s existing Data Protection Fining Guidance, the Guidance will constitute updated statutory guidance regarding regulatory action that the ICO is required to publish under section 160(1) of the DPA 2018. It will replace earlier guidance regarding information notices, assessment notices, enforcement notices, penalty notices, and privileged communications set out in the 2018 Regulatory Action Policy.

The draft Guidance offers a comprehensive roadmap of the ICO’s approach to investigations and enforcement, including:

  • Initiating Investigations: Details how potential cases come to the ICO’s attention (such as through complaints, data breach reports, the media, whistleblowers, and other regulatory bodies) and the criteria for deciding whether to investigate, as well as alternative ways to address compliance issues.
  • Investigation Process: Describes what organizations can expect during an investigation, from case opening to information gathering and decision-making. It also details the ICO’s power to announce an investigation on its website and instances where it will not do so, such as if the investigation is particularly sensitive.
  • Information Gathering Powers: Explains how the ICO may issue information notices, assessment notices, and interview notices, and outlines powers of entry and inspection.
  • Limits on Investigatory Powers: Discusses legal constraints, including protections for privileged communications, self-incrimination, and special considerations for processing for journalistic, academic, artistic or literary purposes.
  • Concluding Investigations: Sets out potential outcomes of investigations, ranging from formal enforcement action to informal resolution, and details the process for each statutory enforcement power.
  • Warnings and Reprimands: Explains procedures for issuing warnings or reprimands when actions or existing practices of an organization raise compliance concerns.
  • Enforcement and Penalty Notices: Details the statutory requirements for issuing enforcement and penalty notices, including when oral representations are considered and what happens if notices are not complied with. The ICO noted that this should be read alongside the existing Data Protection Fining Guidance.
  • Settlement Procedure: Introduces a formal settlement process for cases warranting penalty notices, drawing on experience from past investigations.  It clarifies that settlements are at the discretion of the ICO.
  • Appeals: Summarizes the rights of appeal available to organizations subject to statutory notices.

The ICO invites feedback on the draft Guidance through a 12-week public consultation, open until January 23, 2026 (view the consultation).

Read the press release.
