
Clifford Chance
Regulatory Investigations and Financial Crime Insights

UK ICO consults on new data protection enforcement procedural guidance

The UK's ICO has published new draft guidance about how it proposes to conduct data protection investigations and enforcement action. The guidance provides additional detail on the processes to be followed at each stage of an ICO investigation into a potential breach of data protection legislation and offers the first insight into how and when the ICO envisages using new investigative and enforcement powers introduced under the Data (Use and Access) Act 2025.

Overview

The UK's Information Commissioner's Office ("ICO") has published new draft guidance about how it proposes to conduct data protection investigations and enforcement action.

Organisations may be particularly interested in aspects of the draft guidance relating to the ICO's new investigative and enforcement powers introduced under the Data (Use and Access) Act 2025 and regarding how the ICO may approach public statements and settlements. The ICO's consultation on the draft guidance is open until 23 January 2026. Organisations should consider whether any updates are required to their processes and training relating to regulatory investigations and whether they wish to respond to the consultation (which can be done through this online survey).

Background

The draft guidance ("the Guidance"), published on 31 October 2025, is substantially more detailed than the relatively high-level Regulatory Action Policy (published in November 2018) it replaces. Although far from prescriptive, it provides additional detail on the processes to be followed at each stage of an ICO investigation into a potential breach of the data protection legislation set out in the Data Protection Act 2018 ("DPA 2018") and UK GDPR, from the ICO's decision to open a case, through to its final decision.

Crucially, the Guidance also offers the first insight into how and when the ICO envisages using new investigative and enforcement powers introduced under the Data (Use and Access) Act 2025 ("DUAA"). The most significant of these are its powers to impose requirements, including requirements to make individuals available for interview and to commission reports by "approved persons" – third party expert firms – concerning aspects of controllers' or processors' data protection compliance arrangements.

What's changed?

The Guidance is careful to preserve the ICO's wide discretion to use these powers and to conduct its investigative and enforcement processes in a flexible way. However, it does provide controllers and processors with useful additional detail on key aspects of how the ICO will use its new powers and run its enforcement processes.

Some of the ICO's new powers are similar to those which have been available to other enforcement authorities for some time. Processors and controllers, particularly those already subject to UK financial services regulatory requirements, may therefore be familiar with some of the underlying concepts. However, experience of dealing with other authorities' analogous powers will not necessarily provide a template for responding to the exercise by the ICO of the powers referred to in the Guidance.

Below we set out details of key changes, indications given by the ICO in the Guidance about how these may manifest during investigations and enforcement action, and comparisons with approaches taken by other authorities.

1. Interview notices

DUAA expanded the ICO's powers to issue interview notices to controllers or processors, or those employed or working for those controllers or processors, where it suspects non-compliance with data protection legislation or the commission of an offence under the DPA 2018. In the case of urgent interview notices, relevant individuals may be required to attend an interview with as little as 24 hours' notice. Such interviews are no longer voluntary. Failure to attend may result in a fine.

In this and several other areas referred to in the Guidance, processors and controllers may wish to seek further clarity from the ICO about the types of cases in which it will seek to exercise these powers. For example, although the ICO outlines in general terms that it may require urgent interviews where "it will mitigate the impact of a personal data breach or suspected infringement", no further indications are given about whether or how it may do so in particular scenarios such as in the hours or days immediately following a cyber attack.

The Guidance gives some limited detail about areas in which individuals may refuse to answer questions under an interview notice, including where those questions relate to communications covered by legal privilege or to certain information that would require a person to admit a criminal offence. Unusually, DUAA circumscribes the definition of legal privilege for these purposes (and for the purposes of documents to be produced in response to requirements imposed under other parts of DPA 2018). Only communications relating to advice provided in connection with data protection legislation are covered – i.e. the ICO cannot compel a person to produce, disclose or answer questions about communications protected by legal advice or litigation privilege connected to data protection legislation, but can do so in relation to other types of privileged communications which contain information that the ICO reasonably requires (e.g. legal advice about another area of law).

The Guidance states that this is necessary to ensure the ICO retains the power to investigate potential infringements by professional legal advisers and that the ICO will only use its powers to obtain privileged communications if it has reasonable grounds to suspect that it requires the information contained within them to carry out its functions under data protection legislation. The Guidance acknowledges that disputes as to which documents fall within this relatively narrow definition of privilege may arise and provides for a mechanism for these to be resolved (via the appointment of independent counsel) but does not clearly indicate the ICO's position on how closely documents must be related to the provision of advice on data protection legislation in order to be deemed privileged for these purposes. Again, questions and documents relating to advice on managing cyber risk or responding to cyber attacks may prove to be contentious.

2. Reports by approved persons

DUAA also gave the ICO the power to require controllers or processors to commission and pay for a report by an "approved person" – a third party specialist – to support its investigations. The Guidance identifies the ICO's view of the complexity of the matter, the extent of cooperation, the quality of processors' and controllers' own record keeping arrangements, and the adequacy of any report prepared by the processor or controller as key factors it will bear in mind when making this decision.

The power to require the appointment of an "approved person" is similar to the frequently used power available to the Financial Conduct Authority ("FCA") and Prudential Regulation Authority ("PRA") to require the appointment of "skilled persons" (under section 166 of the Financial Services and Markets Act 2000) to examine specific aspects of regulated firms' systems and controls. A corresponding power is now also available to OFCOM under section 104 of the Online Safety Act. As is the case in these other contexts, the Guidance makes clear that commencing an enforcement investigation is not a necessary precondition to commissioning a report from an approved person. In many instances, enforcement action may follow, but the power is intended to be a broad one directed towards diagnosis of issues, monitoring risks, or preventing or remedying harm.

The Guidance does not give any indication of how often the ICO anticipates it will use this power or how likely it is that engaging an "approved person" and implementing any recommended remedial actions may avoid or curtail enforcement action. However, financial services firms whose affairs have been examined by "skilled persons" in the context of engagement with the FCA or PRA will likely testify to the advantages of engaging early and proactively with the ICO in situations where it may consider engaging an "approved person", so as to minimise the potential costs and disruption associated with these engagements as far as possible.

3. Information notices

DUAA has clarified that the ICO has the power to compel the production of documents (i.e. not just the provision of information) under information notices. The ICO is required to give recipients of information notices at least 28 calendar days to provide the information required. This power sits alongside the ICO's existing power under the DPA 2018 to issue an assessment notice requiring a controller or processor to, amongst other things, permit the ICO to enter onto specified premises to inspect documents, information, equipment and other material.

The Guidance includes the ICO's observation, both in relation to information notices and to the exercise of its information gathering powers more generally, that it may request that controllers or processors provide information voluntarily (i.e. without it having to exercise its powers of compulsion). It adds that doing so may be regarded as a marker of cooperation deserving of recognition when it is deciding on the amount of any fine to be imposed (where such cooperation is considered to go beyond a controller's or processor's ordinary duty of cooperation required by law). Conversely, the Guidance states that the ICO may view persistent and repeated behaviour that delays regulatory action as an aggravating factor when considering imposing a fine. As currently drafted, the Guidance does not contain an express acknowledgement equivalent to that found in analogous guidance issued by other enforcement authorities (for example the Corporate Co-operation Guidance issued by the Serious Fraud Office ("SFO")) that a request by a controller or processor to be compelled to produce documents, rather than to do so on a voluntary basis, will not be taken as a sign of non-cooperation.

4. Public announcements

The Guidance specifies the circumstances in which the ICO may issue a public announcement at various stages within the investigation process, including at the outset, when giving warnings or reprimands, upon the publication of enforcement or penalty notices, and upon a case's settlement.

It confirms that the ICO will routinely publicise details of investigations, including the names of corporate entities subject to investigation, shortly after those investigations have commenced. This is notably different from the approach taken by the FCA which, in response to feedback received from regulated firms about its proposals to adopt a similar policy, has now decided that it will name firms subject to regulatory investigations in such announcements only in "exceptional circumstances".

5. Settlement

The Guidance provides the most detailed indications to date of when the ICO may entertain the idea of settlement and how the process will operate in practice. It contains an express requirement for processors or controllers to admit the nature, scope and duration of breaches in order for settlement to be possible. In doing so, it goes beyond what is explicitly required in rules or guidance issued by the FCA in connection with its settlement processes or by the SFO in relation to deferred prosecution agreements to settle criminal investigations (although in both instances, subjects of investigations must in practice accept detailed publicised statements setting out the conduct concerned).

The Guidance is more granular in relation to settlement than the Regulatory Action Policy it replaces, including in relation to the discounts available for settlement (which are decided on a sliding scale of up to 40 per cent for settlement before the issue of a notice of intent by the ICO). However, it preserves considerable latitude for the ICO to decide not to enter into settlement discussions or to end them once commenced. Relevant factors include the ICO's assessment of the levels of cooperation demonstrated by the processor or controller and of whether continuing with the investigation is an appropriate use of its resources. In practice, whether settlement is a viable option will remain highly fact dependent.

The wider context

The Guidance comes at a time when the ICO is using its enforcement powers relatively expansively (including to target companies located outside the UK), and is based in part on its recent experiences in cases in which it has imposed significant penalties following enforcement investigations (see our articles: ICO fines processor after inadequate security measures lead to widespread disruption to critical services and ICO fines Capita for UK GDPR infringements following March 2023 data breach).

The ICO's approach to data protection investigations and enforcement is one of several topics it is consulting on (see our article: Draft ICO guidance and consultations: September update). Once finalised, the Guidance will sit alongside the ICO's Data Protection Fining Guidance published in March 2024.

The DUAA includes provisions that bring the ICO's investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 ("PECR") and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 ("EITSET") in relation to potential infringements of UK eIDAS broadly into line with the ICO's powers under the data protection legislation. The ICO proposes to take the same approach to the use of its powers in relation to PECR and EITSET as set out in the Guidance in relation to the data protection legislation. However, it is seeking views on this, including whether there is a preference for consolidated guidance covering all three regimes or separate guidance for each. The ICO also notes that it is planning to produce and publish separate fining guidance for PECR in due course.

What comes next?

The ICO's consultation on the Guidance is open until 23 January 2026. There may be scope for refinement of some aspects of the Guidance before it comes into force. Processors and controllers should take the opportunity to consider how the proposed exercise by the ICO of its investigative and enforcement powers may impact them in the event of action being taken for alleged breaches of data protection requirements, and how such investigative steps may interact with their other regulatory obligations.
