We are calling for views on new guidance setting out how we approach investigations and take enforcement action.

The guidance aims to increase transparency about the process we follow when we suspect an organisation has failed to comply with its legal obligations to protect people’s personal information under the UK General Data Protection Regulation and Data Protection Act 2018.

Tim Capel, ICO Executive Director, Regulatory Supervision, said:

“The new guidance is significantly more detailed than the previous guidance on our approach to investigations and enforcement. It clearly sets out the processes we follow and the factors we consider when using our powers. We hope that this additional clarity and transparency is welcome. We’re keen to hear from law firms, data protection officers, privacy professionals and anyone else with an interest on what they think about the draft guidance.”

Among other things, the guidance explains:

How we decide whether to open an investigation and the other ways we may instead seek to resolve any concerns.

What to expect from us during an investigation.

How we will use our information gathering powers, including our new powers under the Data (Use and Access) Act 2025 to require people to answer questions and organisations to provide reports.

How we decide on the outcome of an investigation and use of our enforcement powers, such as warnings, reprimands, and enforcement and penalty notices.

When we consider settlement with a reduced fine is appropriate and the process involved.

When finalised, the new guidance will sit alongside our Data Protection Fining Guidance published last year. Together, they fulfil our statutory duty to publish guidance about regulatory action under the Data Protection Act 2018 and will replace the statutory guidance currently set out in the Regulatory Action Policy.

The Data (Use and Access) Act 2025 also includes provisions that will bring our investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with our powers under the data protection legislation.

While there remain some differences, we propose to generally take the same approach to the use of our powers in relation to PECR as set out in the draft guidance in relation to the data protection legislation.

The consultation will run for 12 weeks until Friday 23 January 2026.