Enforcement procedural guidance consultation
Overview
The Information Commissioner’s Office (ICO) is consulting on new guidance about the process we follow when carrying out investigations and taking enforcement action using our powers in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018) (together the “data protection legislation”).
We refer to this new guidance as the data protection enforcement procedural guidance (the ‘guidance’).
Why have we produced this draft guidance and who is it aimed at?
The draft guidance explains the process we follow throughout the duration of an investigation, from opening the case and information gathering, through to reaching a decision on whether to use our statutory enforcement powers. It also explains some of the other ways in which we may resolve compliance issues and the limits on our powers.
We have gained significant experience in using our powers under the data protection legislation since the existing statutory guidance was published in the Regulatory Action Policy in November 2018. The purpose of the new draft guidance is to provide organisations with more detail about our approach to give greater transparency and certainty about how we use our investigatory and enforcement powers.
The draft guidance is primarily aimed at organisations that process personal data and their advisers. However, it may also be of interest to others who want to understand how we use our statutory powers to investigate and enforce the data protection legislation.
The draft guidance does not explain the process we follow in relation to the prosecution of criminal offences, except to the extent that it provides statutory guidance on our information gathering powers, which may be used to investigate either a potential infringement of data protection legislation or a criminal offence. Information about our criminal powers is set out in our prosecution policy statement.
What is the status of the draft guidance once finalised?
When finalised, the draft guidance will, alongside our Data Protection Fining Guidance, constitute updated statutory guidance about regulatory action that we are required to publish under section 160(1) DPA 2018. It will also contain the statutory guidance about privileged communications we are required to publish under section 133 DPA 2018.
The draft guidance will replace the existing statutory guidance about information notices, assessment notices, enforcement notices, penalty notices, and privileged communications currently set out in the Regulatory Action Policy published in November 2018. Our Data Protection Fining Guidance has already replaced the guidance in the Regulatory Action Policy on when we consider issuing a penalty notice is appropriate and our approach to determining the amount of any fine.
The Data (Use and Access) Act 2025 (DUAA) includes provisions that amend and add to our existing powers. This includes new powers to require individuals to answer questions and to require organisations to make arrangements for an approved person to prepare a report about a specified matter. The draft guidance reflects the changes to our powers in the data protection legislation following the DUAA, which have either come into force or are expected to come into force in the coming months.
Will there be new enforcement guidance about PECR and UK eIDAS/EITSET following changes under the DUAA?
The DUAA includes provisions that bring our investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (EITSET) in relation to potential infringements of UK eIDAS broadly into line with our powers under the data protection legislation (as amended by the DUAA).
While some differences between the legislative frameworks for enforcement will remain, we propose to take the same approach to the use of our powers in relation to PECR and EITSET as set out in the draft guidance in relation to the data protection legislation. However, we would welcome views on this in response to our consultation, in particular whether there is a preference for consolidated guidance covering all three regimes (noting differences where appropriate) or separate guidance for each regime. For example, the guidance we are consulting on is drafted by reference to concepts within the UK GDPR and DPA 2018, such as ‘controllers’ and ‘processors’, whereas the terminology used in PECR and EITSET differs, even if the powers are broadly similar.
We are planning to produce and publish separate fining guidance for PECR in due course, in particular to reflect the case law that has developed in the Tribunal in relation to direct marketing cases.
What does the draft guidance cover?
The draft guidance explains the process we follow when carrying out investigations and taking enforcement action under the data protection legislation. It provides a detailed description of the different stages of our investigations, from the decision to open an investigation through to taking a final decision.
Set out below is a short summary of what the draft guidance covers. The headings match the headings used in the draft guidance itself and reflect how we have structured the consultation questions.
1. About this guidance
This section provides an overview of what the draft guidance covers and why we have produced it. It explains the scope of the draft guidance, how we will apply it, and the fact it is primarily aimed at controllers and processors that process personal data within the scope of the data protection legislation.
This section also explains the status of the draft guidance.
2. How we decide whether to open an investigation
This section sets out the sources of potential investigations and the factors we consider when deciding whether to open an investigation. It also explains the other potential outcomes following our initial information gathering, including the other means we might use to resolve the issue.
3. What to expect during an investigation
This section explains what happens when we open an investigation and provides a summary of the process we follow during the course of the investigation.
4. Information gathering
This section explains how we use our information gathering powers and sets out the statutory guidance we are required to publish in relation to information notices, assessment notices (including approved person reports), and interview notices. It also explains our powers of entry and inspection.
5. Limits on our powers of investigation
This section explains the limits on our powers of investigation. In addition to setting out the statutory guidance we are required to provide relating to privileged communications, it also covers privilege against self-incrimination, handling confidential information, and determinations relating to processing of personal data for the purpose of journalism or for academic, artistic or literary purposes.
6. Deciding on the outcome of an investigation
This section explains that we can conclude our investigations in several ways and sets out the potential outcomes. This includes using our statutory enforcement powers if appropriate, as well as the possibility of resolving any issues identified through other means such as providing advice or accepting assurances. The remainder of the guidance then explains the procedure we follow in relation to each of our statutory enforcement powers.
7. Process for giving warnings
This section explains the process we follow when deciding to issue a warning that a controller or processor’s intended processing operations are likely to infringe the data protection legislation.
8. Process for giving reprimands
This section explains the process we follow when deciding to issue a reprimand.
9. Process for giving enforcement notices
This section explains the process we follow when deciding to issue an enforcement notice. It incorporates the statutory guidance we are required to provide relating to the factors we consider when deciding to give an enforcement notice, the circumstances in which we would consider it appropriate to issue an urgent enforcement notice, and how we proceed if a person does not comply with an enforcement notice.
10. Process for giving penalty notices
This section explains the process we follow when deciding to issue a penalty notice. It incorporates the statutory guidance we are required to provide relating to when we would consider it appropriate to allow a person to make oral representations, how we proceed if a person does not comply with a penalty notice, and the circumstances when we would consider it necessary to issue the penalty notice as soon as reasonably practicable after the period of six months beginning when the notice of intent was given.
This guidance should be read alongside the Data Protection Fining Guidance, which explains when we would consider it appropriate to issue a penalty notice and how the amount of the fine is calculated.
11. Settlement procedure
This section sets out our proposed settlement procedure. This applies in cases where we consider that issuing a penalty notice is appropriate. It explains the requirements for agreeing a settlement, which include the party under investigation making an admission about the nature, scope and duration of the infringement and agreeing not to appeal our decision.
The guidance makes clear that we decide to settle cases at our discretion and the settlement process does not preclude us from resolving investigations by other means if we consider it appropriate to do so. The proposed procedure is based on our experience in settling investigations with Advanced Computer Software Group and Capita.
12. Rights of Appeal
This section explains the rights of appeal against our statutory notices.
Responding to the consultation
We are seeking views on the draft guidance through a public consultation which will run for 12 weeks from 31 October 2025 to 23 January 2026.
If you prefer not to respond using the online survey, you can download the consultation questions below and either email your response to epg@ico.org.uk (as a Word document or text-searchable PDF) or print your response and post it to:

DP Enforcement Procedural Guidance Team (Legal Service)
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
You do not need to answer every question. However, please provide supporting evidence for your views where appropriate.
The consultation will close on 23 January 2026. We may not consider responses submitted after this deadline.
Please state whether you are responding on behalf of an organisation, in your professional capacity or as a private individual. If you are responding on behalf of an organisation, please make it clear who you are representing and, where applicable, how the views of the members of the organisation were obtained.
If you have any questions about the consultation, please email epg@ico.org.uk.
Privacy statement
We will publish the responses to the consultation. This helps to make the consultation process more transparent, allowing people to more easily see how we have taken their views into account.
If your response contains any information that you regard as sensitive and would not wish to be published, please also provide a non-confidential version suitable for publication and explain why you regard the excluded information to be confidential. Alternatively, you may provide any information you consider to be confidential in an annex to your response.
If you are responding to the consultation on behalf of an organisation, we will publish the name of the organisation. If you are responding as an individual we will not publish your name unless you tell us you would like us to. However, if you are responding as an individual in your professional capacity, we may publish your job title – for example, ‘a response from a Data Protection Officer’. We will not publish individuals’ contact details, including addresses, telephone numbers or email addresses.
The ICO is subject to section 132 DPA 2018 in relation to confidentiality of information. However, any information we receive as part of a consultation may be subject to a freedom of information request under the Freedom of Information Act 2000. We will endeavour to contact you if we are asked to disclose information you have told us is confidential and not suitable for publication, so that we can take your views into account when assessing how we respond to the request.
For more information about what we do with personal data please see our privacy notice, and the section on responding to our consultations and surveys.
Please note that we are using the platform Citizen Space to gather this information on our behalf. Citizen Space is provided by a UK supplier, Delib. You can read Delib's privacy policy here.