The guidance
The ICO is under a statutory obligation to publish guidance on regulatory action. The new enforcement guidance is to sit alongside the already published Data Protection Fining Guidance and will replace the provisions on information notices, assessment notices, enforcement notices, penalty notices and privileged communications set out in the ICO's 2018 Regulatory Action Policy.
The Data (Use and Access) Act 2025 (or DUAA) also amends and enhances the ICO's enforcement powers. For example, the DUAA includes provisions that bring the ICO's powers under the Privacy and Electronic Communications Regulations 2003 in line with its existing powers under the Data Protection Act 2018. The draft guidance therefore reflects the changes that have come, or are due to come, into force under the DUAA.
What does the guidance cover?
The guidance, once adopted, will provide organisations with greater clarity on what to expect if they are being investigated by the ICO, giving them an understanding of each step of the process, potential outcomes and their rights.
The guidance covers the following:
- Investigations - how the ICO decides whether to open an investigation, and the alternative resolutions it may use to address concerns raised. It sets out in detail what an organisation under investigation can expect from the ICO.
- Information gathering - how the ICO uses its information gathering powers, including the changes to those powers coming into force under the DUAA.
- Outcomes - potential outcomes of an investigation and the ICO's enforcement powers to issue warnings, reprimands, enforcement and penalty notices.
- Settlements - the ICO's proposed settlement procedure when issuing a penalty notice, including the requirement that the organisation in breach of data protection legislation admits the infringement.
- Public announcements - covering situations where the ICO may make a public announcement about the findings of an investigation or any notices issued.
- Appeals - addressing the right to appeal the ICO's decision and the process to do so.
Time to respond
The consultation is running for a period of 12 weeks and closes on Friday 23 January 2026. You can share your views here.
Should you wish to discuss any aspect of the ICO's enforcement powers please contact David Gourlay or any other member of the MFMac Data Protection and Cyber Security Team.