
ICO’s draft enforcement guidance: what does the guidance tell us about the ICO’s proposed approach to enforcement?


Last month, the UK’s Information Commissioner’s Office (ICO) launched a consultation on its new Data Protection Enforcement Procedural Guidance. This guidance is intended to replace the ICO’s Regulatory Action Policy (RAP), which was first issued in November 2018, and will sit alongside the ICO’s Data Protection Fining Guidance (updated in March 2024).

Overview

The consultation and draft guidance mark a shift from the high-level approach set out in the RAP. The draft sets out in greater detail how the ICO will exercise its investigatory and enforcement powers, including the new investigatory powers introduced under the Data (Use and Access) Act 2025 (DUAA). The guidance covers the processes for existing powers, such as opening investigations and issuing warnings, reprimands, enforcement notices and penalty notices, but also introduces a structured settlement procedure and clarifies rights of appeal.

According to the ICO: 

“The purpose of the new draft guidance is to provide organisations with more detail about our approach to give greater transparency and certainty about how we use our investigatory and enforcement powers.”

The ICO consultation seeks stakeholder feedback on the draft procedural guidance and has asked them to comment on the processes outlined within it. The consultation period runs for almost 12 weeks and closes on 23 January 2026, with final guidance expected later next year.

Scope and underlying principles

The draft guidance is primarily aimed at organisations that process personal data within the scope of the UK GDPR and DPA 2018 (i.e. controllers and processors). However, it may be of wider interest to those seeking to understand how the ICO uses its statutory powers to investigate and enforce compliance with data protection legislation. 

It explains that the ICO’s investigatory and enforcement powers include:

  • requiring information and documents;
  • conducting assessments of compliance, including via inspections;
  • requiring individuals to attend interviews and answer questions;
  • entering and inspecting premises under warrant; and
  • issuing warnings, reprimands, enforcement notices, and penalty notices.

The guidance and any regulatory decision are underpinned by the ICO’s principal objective to

  1. “secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest; and

  2. promote public trust and confidence in the processing of personal data”.

Importantly, the guidance is not a definitive statement of law but sets out the ICO’s general approach. It is designed to be flexible, allowing departures where justified, provided the ICO acts fairly and reasonably.

The ICO notes that it does not explain the process followed for prosecuting criminal offences beyond its information-gathering powers – for more information on this, see their prosecution policy statement.

What’s changing?

Some of the key differences between the RAP and the new draft guidance include:

1. Procedural Detail

The RAP presented a high-level policy framework which emphasised deterrence, consistency and proportionality, with sections on aims, objectives, hierarchy of regulatory action, and statutory guidance. 

In comparison, the new draft guidance reads much more like a procedural manual, with detailed step-by-step processes for enforcement actions such as investigations, notices, settlements and appeals. The guidance also sets out some of the factors the ICO will consider when making decisions. For example, when deciding whether to open an investigation and what action to take, the ICO will generally consider a number of factors, including:

  • the risk of harm to people caused by the processing operations (with reference, where appropriate, to the ICO data protection harms taxonomy) and whether the conduct is ongoing;

  • the extent to which opening an investigation supports the ICO strategic objectives;

  • the resource implications and risks involved in opening an investigation; and

  • whether the controller or processor has been subject to previous regulatory action, or if this conduct is repeated.

This new detail highlights the ICO’s desire for transparency about how it enforces compliance with data protection legislation and aligns guidance with its principal objective (see above) to secure an appropriate level of protection for personal data and to promote public trust and confidence in the processing of personal data.

2. Settlement Procedure

The new draft guidance introduces an explicit settlement procedure, including discounts (in the form of reduced fines) for early resolution, whereas the RAP does not include a formal settlement framework at all.

Discounts

The discount will be applied after the penalty notice fine amount is calculated, with the level of discount available depending on the stage of the investigation at which the controller or processor enters settlement discussions. Although the ICO will consider settlement discounts on a case-by-case basis, in general the discount available will be greater the earlier the settlement process is started, subject to the following maximum amounts:

  • 40% if a case is settled before the ICO gives a notice of intent;

  • 30% if a case is settled after the ICO gives a notice of intent but before it receives written representations; and

  • 20% if a case is settled after the notice of intent is given and the ICO has received written representations.

When is the settlement procedure offered by the ICO?

The ICO may consider settlement to be appropriate in any investigation into a suspected infringement where it considers that it has a sufficient basis to give a notice of intent to impose a penalty notice. The guidance lists a number of factors that will be taken into account to determine a case’s suitability, including:

  • whether the ICO has sufficient evidence to impose a penalty notice;

  • the procedural efficiencies and resource savings that the ICO considers it is likely to achieve; 

  • how likely it is that the case will be settled in a reasonable timeframe; and

  • any impact on related matters.

A case may also be found not suitable for settlement for a range of reasons including:

  • public policy reasons such as if the infringement was committed intentionally;

  • as a result of the attitude and conduct of the controller or processor during the investigation; and

  • where the controller or processor indicates that it is willing to settle at a late stage in the investigation and the ICO determines that the resource savings from settlement would be limited.

Importantly, the ICO still maintains flexibility in that decisions are made on a case-by-case basis, and both the ICO and controllers / processors still maintain discretion as to when to enter into settlement discussions or settle a case. Equally though, as there is no obligation to enter into the process, neither party can require the other to enter into discussions.

3. What about DUAA?

DUAA includes provisions that supplement the ICO’s existing investigatory and enforcement powers. This includes new powers to send notices by email, compel interviews and request technical reports to be prepared at the expense of the body being investigated. The draft guidance reflects these changes following DUAA, including those provisions that have already come into force as well as those that are expected to do so in the coming months.

In addition, DUAA will bring investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with its powers under UK data protection legislation. It is understood that while some differences will remain between the frameworks in relation to enforcement, the ICO will adopt the same approach as set out in the draft guidance to the use of its powers under PECR.

Interview Notices

These are formal written notices which require an individual to attend an interview at a specified time and place, and to answer questions relevant to an investigation into compliance with data protection law. Their purpose is to obtain oral evidence where written responses or other methods are insufficient; failure to comply may lead to further enforcement action.

The draft guidance indicates that the notice can only be given to a controller or processor, one of their employees or anyone involved in their management or control, and only if the ICO suspects that a controller or processor has failed or is failing to comply with data protection legislation. Again, a range of factors will be considered before issuing the notice, including whether an interview would help the ICO understand how the data is being processed, especially where the processing is complex, and whether the ICO has previously asked someone to be interviewed voluntarily but the request was refused.

Reports of Approved Persons

The draft guidance also confirms that the ICO will have the power to compel an organisation to provide a technical report prepared by an approved person (such as an independent expert) as part of its information-gathering toolkit. This may form part of an assessment notice for a controller or processor. The power stems from the ICO’s statutory powers under the Data Protection Act 2018 and DUAA, but we are still awaiting confirmation of when this power will come into force under DUAA.

The ICO must approve the nominated person and may specify terms about how the report is to be prepared. If a controller or processor does not nominate someone, or the nominee is not approved, the ICO may instead approve someone it is satisfied is suitable.

The ICO will consider a range of factors, as set out in the guidance, before issuing the assessment notice that imposes a requirement for a report. This includes whether the matter is sufficiently technically complex that it requires specialist skills or resources that the ICO does not have available and whether the report would assist them in identifying, understanding or assessing a specified matter.

4. Enforcement Notices 

Further clarification is provided on enforcement notices and when these can be issued. The ICO can use these where it concludes that a controller or processor has infringed, or is continuing to infringe, data protection legislation. The notice requires the organisation to take specified steps or refrain from certain actions to bring its processing into compliance.

The guidance also lists a number of grounds for issuing the notice. For example, where there is evidence of infringements that concern failing to comply with:

  • principles of processing personal data;

  • data subject rights;

  • controller/processor obligations e.g. security measures and carrying out data protection impact assessments; and

  • rules on international transfers.

A range of factors will also need to be considered before issuing the notice including:

  • the nature and seriousness of the infringement which might include whether the infringement is likely to or has caused any damage or distress; and

  • whether there are any aggravating or mitigating factors about the controller or processor’s conduct such as what action it has taken to remedy the infringement and mitigate any damage or distress, and how effective it was.

The notice will set out the infringement, reasons for the decision, required steps, compliance deadlines, consequences of non-compliance, and rights of appeal. In exceptional cases, the ICO can require compliance in less than 28 days (minimum 24 hours) if urgent action is needed to prevent serious harm or distress.

5. Public Announcements

The draft guidance formalises the ICO’s ability to make public announcements at various stages of enforcement, a step beyond the 2018 RAP, which only referenced transparency in general terms. 

The guidance notes that while announcements are a tool the ICO may use in relation to warnings, reprimands, enforcement notices, penalty notices and settlements, they are not automatic. Decisions will be made on a case‑by‑case basis.

The process and guidance on when a public announcement will be suitable is different for each enforcement action. For example, in relation to settlement discussions, announcements will be considered carefully to avoid prejudicing the investigation or unfairly impacting the parties involved. This means that the ICO will not comment publicly while discussions are taking place or if they have been unsuccessful. If the discussions are successful and a penalty notice is issued though then the circumstances will be announced.

However, for preliminary enforcement, information, assessment and interview notices, the ICO has clarified that it will not typically announce that it has given one of these notices unless it considers it appropriate to do so in the circumstances, such as where this is in the public interest or where it is providing updates on the progress of its work.

For enforcement notices and penalty notices, the guidance explains that these will be announced on the ICO website and the text of any accompanying statement will not be agreed with the controller or processor. The controller or processor will, however, be provided with such text in advance to give it an opportunity to comment on factual inaccuracies or confidentiality. After an announcement, there may be a small delay before the non-confidential copy of the notice is posted on the website to allow the recipient to make representations about confidential information it may contain.

Comment

There may be changes following the consultation process, but the draft guidance signals a shift from the 2018 RAP in terms of the UK’s enforcement landscape. Where the RAP provided a broad policy framework, the draft guidance moves towards a detailed and transparent procedural framework. It sets out steps for how investigations will be opened, how information is gathered and how enforcement outcomes will be determined, giving organisations greater visibility into how decisions will be made. 

Controllers and processors should assess the impact of the ICO’s proposed enforcement approach on their compliance strategy and its alignment with other regulatory requirements.

For advice on data protection and privacy matters, please contact Hamish Corner, Madelin Sinclair McAusland, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.

This article was written by Fraser Campbell and Amanda Leiu.