ICO is consulting on procedural guidance relating to its enforcement powers. ICO has extensive investigative and enforcement powers. The guidance is important, both to ensure that ICO has appropriate processes in place for how it exercises its powers, and to protect the rights, and confidentiality, of organisations with whom it interacts.
Most of the guidance summarises powers in the legislation and provides additional practical insights into elements within ICO’s discretion (for example, timescales to reply and when oral hearings will be considered). We think some parts of the guidance would benefit from more revision. We’ll be responding to the consultation, but would like to hear your views on this too.
The infographic below sets out at-a-glance what ICO’s powers are and highlights some interesting points in the guidance. We’ve listed points we think would benefit from change below. Let us know what you think and we can include your views in our response.
The consultation closes on 23rd January 2026.

Para 3.1 states that potential outcomes following information gathering include opening an investigation, using means other than an investigation to seek to resolve the issue, or taking no further action.
ICO will inform the controller if it opens an investigation or seeks to resolve the issue in other ways. Para 36 states that ICO “usually” informs the controller if no further action will be taken. It’s important to those from whom ICO seeks information to understand if action will be taken against them. This may be relevant to the organisation’s decision to continue processing personal data in a particular way, or to resourcing considerations. It’s appropriate for ICO to commit to notify controllers in all circumstances, or to provide information as to the types of occasions when it would not do so.
Para 43 states that ICO will “usually” send a case opening letter to a controller or processor explaining that it is starting an investigation. It’s important that those whom ICO investigates are aware that a formal investigation is underway. This allows an organisation to respond appropriately, for example, making senior management aware and obtaining legal representation if needed. ICO should commit to notify controllers and processors in all circumstances or to provide information as to the types of occasions when no case opening letter would be sent.
Para 70 notes that ICO may request that a controller or processor provides information to ICO voluntarily, without ICO having to use its formal powers to compel provision of information. Although most information provided by a controller or processor to ICO will be information about the organisation’s processes, on occasions, this may include information that is personal data. ICO’s consultation on recognised legitimate interests states that:
“If the requester has statutory information-gathering powers that legally oblige you to share personal information, we expect them to use these rather than make a public task disclosure request”.
In our experience, organisations engaging with ICO generally understand the benefits of co-operating. However, if the recognised legitimate interest guidance is finalised in its current form, controllers and processors will be uncertain how to proceed if a request from ICO in the context of an investigation could involve disclosure of personal data. The two guidance notes should be made consistent.
Para. 93 notes that a recipient of an information notice may appeal to the Tribunal. Information notices can sometimes be issued to the wrong entity, on the basis of a misunderstanding of the organisation’s business or can request information that is not in the organisation’s possession or under its control. An organisation in receipt of a notice that contains these kinds of errors would, in practice, reach out to ICO to comment on the errors and to ask that the notice be cancelled and, if necessary, re-issued. It would be sensible for the guidance to reference this as a possibility, instead of implying that the only option is an appeal to the Tribunal (which would put both ICO and the organisation to unnecessary expense).
A similar point applies in relation to assessment notices (para.111). Here ICO suggests that, where possible, it will seek to provide an assessment notice in draft form before formally issuing it, so as to ensure that it is appropriately targeted and clear (para. 116). We think this is a helpful suggestion.
Para. 265 states that before issuing an enforcement notice, ICO will consider whether the requirements imposed are likely to be effective and do not cause costs or other disadvantages that are disproportionate to the aim, taking into account the purpose of data protection legislation. In our view ICO should also consider if the issues which are the subject of the enforcement notice are central to being able to compete in a particular industry. If they are, then ICO should not take enforcement action against one organisation alone, rendering it, alone among its peers, uncompetitive.
Section 11 outlines a proposed settlement procedure, whereby ICO may agree to impose a reduced monetary penalty in return for the controller or processor admitting an infringement of the legislation and agreeing that a streamlined administrative procedure will be followed during the remainder of the investigation. The rationale is the resource savings involved, including those from avoiding appeals of any penalty notice to the Tribunal. Para 350 explains that it is a pre-requisite for settlement that the controller or processor makes an admission about the nature, scope and duration of the infringement, covering both material facts and legal characterisation. As part of the settlement, the controller or processor must agree to make no further representations on these issues. The controller or processor must also accept that there will be a published decision against it setting out ICO’s finding of infringement.
The requirement that the controller or processor accept a published decision containing ICO’s finding of infringement implies that the settlement procedure is limited to disputes purely about quantum. In practice, controllers and processors will often contest both the amount of any penalty and ICO’s assessment that there has been a breach of data protection legislation. There would be considerable resource savings for ICO in being able to reach settlements where both quantum and findings on liability would otherwise be disputed. If the intent is to allow for this, the wording should make it clearer, for example by stating that the finding of infringement would be in line with the facts and legal characterisation agreed as part of the settlement.
Publicity
Controllers and processors can suffer adverse consequences from statements by ICO that contain factual inaccuracies or include confidential information. These could range from reputational damage, to customers or suppliers being hesitant to continue trading with the company, to data subjects making complaints or bringing proceedings. It is therefore always important that ICO ensures that information shared publicly is factually accurate and does not reveal confidential information.
In some places, the guidance notes that ICO will allow the controller or processor a chance to comment on inaccuracy and confidentiality. However, this is not consistently mentioned. Whenever ICO publicises information about a controller or processor, ICO should allow the controller or processor to comment on factual inaccuracies and to ask for redaction of confidential information.
Market sensitive announcements
Para 52 notes that if ICO considers an announcement about the fact of an investigation to be potentially market sensitive, it will generally inform the controller or processor of ICO’s intention to publish after the market has closed and will seek to publish at 7 a.m. the next day. If the controller or processor is listed in another jurisdiction, ICO will similarly seek to avoid publication during trading hours.
This is mentioned in connection with announcing investigations. However, other announcements by ICO (notices of intent to issue a monetary penalty, monetary penalty notices and – potentially – preliminary and actual enforcement notices) also have the potential to impact share price. This principle – of checking for market sensitivity and, where relevant, avoiding trading hours – should be applied generally whenever an announcement is made; it should not be limited to investigations.
Confidentiality
Section 5.3 sets out ICO’s duty of confidentiality and the factors that ICO will consider before disclosing information received during an investigation. Para 197 notes that ICO may ask for representations about the confidentiality of information provided to ICO, and para 198 asserts that ICO will “not accept blanket or unsubstantiated confidentiality claims” and that it is for the organisation to explain why information it provides should be regarded as confidential and why a proposed disclosure is not necessary for ICO’s functions.
The guidance also notes that when an organisation provides representations to ICO, it should provide a non-confidential version within one week, or shortly after providing the representations.
As the draft guidance acknowledges (para 195), s. 132 precludes ICO personnel from disclosing information obtained in the course of discharging the Commissioner’s functions where that information relates to an identified or identifiable business and is not otherwise available to the public. This creates a presumption in the legislation that all information relating to an identifiable organisation that is not otherwise in the public domain is confidential. At the moment, in our experience, ICO does not challenge general statements that material supplied is confidential and does not always insist on non-confidential sets of representations. The approach ICO is now suggesting, of requiring more detailed submissions on confidentiality, is in line with the approach taken by other regulators, such as the CMA.
We don’t suggest any comment on this part of the draft guidance, but it may be helpful for organisations to be aware of the change in approach.
Timescales for extensions
The guidance suggests that ICO will generally be reluctant to give extensions. For example, for representations in response to a notice of intent to reprimand, ICO suggests that there must be compelling reasons for an extension, in order “not to delay investigations”. ICO’s investigations typically take many months, and sometimes many years. When ICO has taken months to prepare its case, it is unfair to give an organisation only 3 or 4 weeks to respond. As notices of intent and preliminary notices are served at the end of an investigation, after a decision has been taken to proceed to enforcement, the argument that an extension would delay the investigation does not hold.