ICO consults on revised data protection enforcement procedural guidance
The question
What does the ICO’s draft enforcement guidance tell us about how future investigations will proceed?
The key takeaway
The ICO’s new draft guidance provides a clearer, end-to-end explanation of its investigation and enforcement processes, including its available regulatory powers, expected procedural steps, organisations’ rights to make representations, and its proposed settlement discount framework.
The background
As part of its ongoing drive to increase transparency and predictability for regulated organisations, the ICO has published draft guidance describing how it conducts investigations from start to finish. The ICO continues to position itself as a pragmatic and proportionate regulator, noting that fines are only one of several enforcement tools available. Other outcomes, such as warnings, reprimands, practice recommendations, and enforcement notices, remain key features of its regulatory approach.
The development
The draft guidance sets out the legal and procedural framework governing ICO investigations and enforcement. It explains the ICO’s powers to issue:
- information notices, including its powers of entry and inspection;
- assessment notices, which allow the ICO to assess compliance directly;
- warnings (where a breach is likely) and reprimands (where a breach has occurred);
- enforcement notices, requiring steps to bring processing into compliance;
- penalty notices, which may be issued for breaches of data protection law or for failing to comply with an information or assessment notice.
It also explains how the ICO handles legally privileged material.
The guidance also outlines:
- how and when the ICO decides to open an investigation, including threshold considerations;
- what organisations can expect throughout the inquiry process;
- the right to make written representations following a notice of intent, and oral representations where the ICO invites them;
- the settlement process, which remains voluntary but can be engaged once a notice of intent proposing a penalty is issued; and
- the right of appeal against information, assessment, enforcement or penalty notices (including penalty variations).
Settlement discounts
For the first time, the ICO sets out defined settlement discount ranges when organisations agree to resolve cases early:
- up to 40% if settlement occurs before written representations are submitted;
- up to 30% if settlement occurs after written representations but before the final penalty notice is issued;
- up to 20% if settlement occurs after the final penalty notice.
This reflects the kinds of reductions the ICO has made in recent enforcement matters, where early cooperation and mitigation significantly affected penalty levels.
Why is this important?
The guidance offers organisations a clearer view of how ICO investigations are likely to unfold, including how decisions are made, when engagement opportunities arise, and how settlement may influence penalty outcomes. The potential consolidation of enforcement guidance across regimes could further streamline compliance planning, particularly for organisations subject to overlapping data protection and PECR obligations.
Any practical tips?
The consultation is open until Friday 23 January 2026, and responses can be submitted online, by email or by post. Organisations should consider reviewing the draft guidance and responding where helpful, particularly if:
- you frequently interact with the ICO;
- you want clarity on settlement opportunities or investigative expectations; or
- you have concerns about terminology or practical application of the powers.
Winter 2025