ICO calls for views on enforcement procedural guidance

The Information Commissioner’s Office (ICO) is calling for views on new guidance setting out how it approaches investigations and takes enforcement action.

The guidance aims to increase transparency about the process the ICO follows when it suspects an organisation has failed to comply with its legal obligations to protect people’s personal information under the UK General Data Protection Regulation and Data Protection Act 2018.

Tim Capel, ICO executive director, regulatory supervision, said: “The new guidance is significantly more detailed than the previous guidance on our approach to investigations and enforcement.

“It clearly sets out the processes we follow and the factors we consider when using our powers. We hope that this additional clarity and transparency is welcome. We’re keen to hear from law firms, data protection officers, privacy professionals and anyone else with an interest on what they think about the draft guidance.”

Among other things, the guidance explains:

  • How the ICO decides whether to open an investigation and the other ways it may instead seek to resolve any concerns
  • What to expect from the ICO during an investigation
  • How the ICO will use its information gathering powers, including its new powers under the Data (Use and Access) Act 2025 to require people to answer questions and organisations to provide reports
  • How the ICO decides on the outcome of an investigation and uses its enforcement powers, such as warnings, reprimands, and enforcement and penalty notices
  • When the ICO considers settlement with a reduced fine is appropriate and the process involved

When finalised, the new guidance will sit alongside the Data Protection Fining Guidance published by the ICO last year. Together, they fulfil the ICO’s statutory duty to publish guidance about regulatory action under the Data Protection Act 2018 and will replace the statutory guidance currently set out in the Regulatory Action Policy.

The Data (Use and Access) Act 2025 also includes provisions that will bring the ICO’s investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with its powers under the data protection legislation.

While there remain some differences, the ICO proposes to generally take the same approach to the use of its powers in relation to PECR as set out in the draft guidance in relation to the data protection legislation.

The consultation will run for 12 weeks until Friday 23 January 2026, and can be accessed here.
