ICO Eyes Updated Guidance on Investigation and Enforcement Procedures
The ICO wants feedback on new guidance about its investigation and enforcement processes under the U.K. GDPR and Data Protection 2018, it announced Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The data protection enforcement procedural guidance sets out the steps the DPA follows from opening an investigation to deciding whether to use its enforcement powers. It also explains other ways the ICO might resolve compliance issues, and the limits on its powers.
The draft is aimed at organizations that process personal data and their advisers and provides increased transparency and certainty about the ICO's approach to probes and enforcement actions. The guidance doesn't, however, explain the process it follows in relation to prosecuting criminal offenses; that information is contained in the ICO's prosecution policy statement.
The draft guidance will replace statutory guidance about information notices, assessment notices, enforcement notices, penalty notices and privileged communications, the ICO said.
The Data (Use and Access) Act 2025 (DUAA) includes provisions that change and add to the watchdog's existing powers, such as the ability to require people to answer questions and to order organizations to make arrangements for an approved person to prepare a report about a specific matter.
The draft guidance reflects DUAA provisions that are either in effect now or will be in coming months, the DPA said. Comments on the draft are due Jan. 23, 2026.