Magee Gammon News

ICO Consults on New Guidance for Investigations and Enforcement

The Information Commissioner’s Office (ICO) has opened a consultation on new guidance that sets out how it investigates potential data protection breaches and takes enforcement action.

Increasing transparency

The proposed guidance explains the processes the ICO follows when it suspects an organisation may have failed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Key points in the draft guidance

The draft guidance sets out:

  • How the ICO decides whether to open an investigation or resolve concerns in another way.
  • What can be expected during an investigation.
  • How the ICO will use its information-gathering powers, including new powers under the Data (Use and Access) Act 2025 to require individuals to answer questions and organisations to provide reports.
  • How decisions on the outcome of an investigation are made, including when warnings, reprimands, enforcement notices, or penalty notices may be used.
  • When the ICO may consider a settlement with a reduced fine, and how that process works. 

Updates to align with recent legislation

Once finalised, the new guidance will sit alongside the ICO’s Data Protection Fining Guidance, with the two forms of guidance replacing the current Regulatory Action Policy.

The Data (Use and Access) Act 2025 also extends the ICO’s investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR), bringing them broadly into line with the powers the ICO has under data protection law. While some differences remain, the ICO intends to apply a similar approach to both areas. 

What this means for you

Where you act as a data controller or processor, awareness of this new guidance could be helpful in preparing for potential investigations and demonstrating good management of your data protection compliance responsibilities.

The consultation closes on Friday 23 January 2026.

To review the draft guidance and respond to the consultation, see: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/10/ico-consultation-on-data-protection-enforcement-procedural-guidance/
