ICO consults on its approach to investigations and enforcement



The ICO has issued a consultation to seek organisations’ views on the processes the ICO follows when it suspects a breach of the UK GDPR or the Data Protection Act 2018.

Tim Capel, ICO Executive Director, Regulatory Supervision, said:

“The new guidance is significantly more detailed than the previous guidance on our approach to investigations and enforcement.”

“It clearly sets out the processes we follow and the factors we consider when using our powers. We hope that this additional clarity and transparency is welcome. We’re keen to hear from law firms, data protection officers, privacy professionals and anyone else with an interest on what they think about the draft guidance.”

The forthcoming guidance will also explain how the ICO will use its new powers under the Data (Use and Access) Act 2025 to require people to answer questions and organisations to provide reports.

Other issues include:

  • How the ICO decides whether to open an investigation and the other ways it may instead seek to resolve any concerns
  • What to expect from the ICO during an investigation
  • How the ICO decides on the outcome of an investigation and uses its enforcement powers, such as warnings, reprimands and enforcement (for example, penalty notices)
  • When the ICO considers that settlement with a reduced fine is appropriate, and the process involved

The consultation is open until 23 January 2026.