ICO Consultation on New Data Protection Enforcement Guidance

Written By Cait Jones

On 31 October 2025, the Information Commissioner's Office (ICO) launched a consultation on its draft Data protection enforcement procedural guidance.

The draft guidance is primarily aimed at organisations that process personal data and their advisers, and seeks to explain:

  • How the ICO decides whether to open an investigation or seek other ways to resolve any concerns.

  • What to expect from the ICO during an investigation, including how it will use existing information gathering powers with its new powers provided under the Data (Use and Access) Act 2025, which require people to answer questions and organisations to provide reports.

  • How the ICO decides on the outcome of an investigation and the use of its enforcement powers, such as warnings, reprimands, and enforcement and penalty notices. This includes details of the process involved for when the ICO considers settlement with a reduced fine is appropriate and explains the rights of appeal against statutory notices.


Once finalised, the new guidance will sit alongside the ICO's Data Protection Fining Guidance. Together, they fulfil the ICO's duty to publish guidance about regulatory action under the Data Protection Act 2018.
The draft guidance will replace the existing statutory guidance about information notices, assessment notices, enforcement notices, penalty notices and privileged communications set out in the ICO's Regulatory Action Policy from 2018.

The Data (Use and Access) Act 2025 includes provisions that will bring the ICO's investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with its powers under UK General Data Protection Regulation and Data Protection Act 2018. While some differences will remain, the ICO proposes to take the same approach to the use of its powers in relation to the PECR as set out in the draft guidance.

Mr Tim Capel, ICO Executive Director, Regulatory Supervision, commented:

"The new guidance is significantly more detailed than the previous guidance on our approach to investigations and enforcement… We're keen to hear from law firms, data protection officers, privacy professionals and anyone else with an interest on what they think about the draft guidance".

The consultation closes on 23 January 2026.

Source: Practical Law

If you would like to explore how these changes might affect your organisation, please contact our team via hello@starfordlegalhr.com

Cait Jones
Previous

Government drops Day 1 Unfair Dismissal Rights
Next

Collective Redundancy: Changes to HR1 Form