The Information Commissioner’s Office (ICO) has begun a consultation on newly drafted guidance outlining how it investigates potential data protection breaches and carries out enforcement action.

Increasing transparency

The proposed guidance clarifies the processes the ICO follows when it believes an organisation may have breached the UK General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018.

Key points in the draft guidance

The draft document explains:

• How the ICO determines whether to launch an investigation or resolve concerns through alternative means.

• What organisations can expect if an investigation proceeds.

• How the ICO intends to use its information-gathering powers, including new powers under the Data (Use and Access) Act 2025 to require individuals to answer questions and organisations to supply reports.

• How decisions about investigation outcomes are reached, including when warnings, reprimands, enforcement notices or penalty notices may be issued.

• When the ICO might consider a settlement with a reduced fine, and how such a process would operate.

Updates to align with recent legislation

Once finalised, the guidance will sit alongside the ICO’s Data Protection Fining Guidance, with the two documents replacing the current Regulatory Action Policy.

The Data (Use and Access) Act 2025 also broadens the ICO’s investigative and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR), bringing them largely into alignment with those the ICO holds under data protection law. Although some distinctions remain, the ICO intends to apply a consistent approach across both frameworks.

What this means for you

If you act as a data controller or processor, understanding the new guidance may help you prepare for potential investigations and demonstrate strong management of your data protection compliance duties.

The consultation is open until Friday 23 January 2026.

To review the draft guidance and respond to the consultation, see: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/10/ico-consultation-on-data-protection-enforcement-procedural-guidance/