ICO Enforcement Guidance: Settlements, Discounts and the New Enforcement Playbook


The Information Commissioner’s Office (ICO) has consulted on draft enforcement procedural guidance that will replace its 2018 Regulatory Action Policy and govern how the regulator uses its expanded powers under the Data (Use and Access) Act 2025 (DUAA). The consultation closed on 23 January 2026. Final guidance is expected in the first half of this year. For controllers and processors, the most commercially important change is the introduction of a formal settlement procedure offering penalty discounts of up to 40%. Combined with the ICO’s new compulsory interview and approved person report powers, the guidance signals a regulator moving from reactive enforcement to a structured, incentive-driven model closer to those used by the FCA and Ofcom.

ICO enforcement guidance and the shift from the Regulatory Action Policy

The ICO’s current enforcement framework rests on the Regulatory Action Policy (RAP), published in November 2018. The RAP sets out the ICO’s approach to enforcement under the Data Protection Act 2018 (DPA 2018) and the UK GDPR, but says little about procedural mechanics or how contested cases are handled. The draft ICO enforcement guidance is substantially more detailed, covering each stage from opening an investigation through to issuing a penalty notice. When finalised, it will constitute updated statutory guidance under section 160(1) DPA 2018. The DUAA commenced its main provisions on 5 February 2026, giving the ICO new investigatory tools. The guidance is the manual for how those tools will be used.

The ICO enforcement guidance settlement procedure

The draft guidance introduces a formal settlement framework for the first time. Under the current RAP, there is no structured settlement process. Controllers and processors can engage with the ICO informally, but the terms, procedure and consequences of settlement are opaque. The Capita enforcement action in October 2025, where a proposed £45 million penalty was reduced to £14 million on settlement, illustrated both the potential scale of discounts and the absence of a transparent framework for reaching them.

The new procedure introduces a tiered discount structure. A controller or processor that settles before the ICO issues a notice of intent can receive a discount of up to 40% on the penalty. Settlement after a notice of intent but before written representations attracts up to 30%. Settlement after written representations have been received reduces the discount to 20%.

Settlement requires an admission. The controller or processor must accept the nature, scope and duration of the infringement, including both the material facts and their legal characterisation. This is not a negotiation over the facts. It is a structured early resolution mechanism that trades certainty and cooperation for a reduced penalty.

ICO enforcement guidance in context: comparison with FCA and Ofcom settlement regimes

The ICO is not the first UK regulator to adopt a structured settlement framework. The FCA introduced its discount scheme under DEPP 6.7 and refined it in its revised Enforcement Guide, offering 30% for settlement at Stage 1 (normally within 28 days of the Stage 1 letter), with reduced or no discounts thereafter. The FCA also offers focused resolution agreements, where a firm can accept some but not all findings and receive a partial discount of up to 30% proportionate to the issues resolved.

Ofcom’s Penalty Guidelines under section 392 of the Communications Act 2003 provide up to 30% for settlement before the provisional breach notification, up to 20% after notification but before written representations, and up to 10% after written representations. Ofcom’s discount is applied after all other mitigating factors have been taken into account, reflecting the resource savings from a streamlined procedure.

The ICO’s proposed framework is the most generous of the three at the early stage (40% compared to 30% for both the FCA and Ofcom) but follows the same declining structure. All three regulators require an admission of the breach as a precondition for settlement. The key differences are in timing pressure and procedural flexibility.

| | ICO (draft guidance) | FCA (DEPP 6.7) | Ofcom (Penalty Guidelines) |
|---|---|---|---|
| Maximum early discount | 40% (before notice of intent) | 30% (Stage 1, within 28 days) | 30% (before provisional breach notification) |
| Mid-stage discount | 30% (after notice of intent, before representations) | Focused resolution only (partial, up to 30%) | 20% (after notification, before representations) |
| Late-stage discount | 20% (after representations) | None | 10% (after representations) |
| Admission required | Yes (facts and legal characterisation) | Yes (facts and breach) | Yes (breach of regulatory requirements) |
| Compulsory interviews | Yes (DUAA, 24-hour urgent notice) | Yes (s.171 FSMA 2000, compelled testimony) | No (s.135 CA 2003 information notices only) |
| Third-party expert reports | Yes (approved person at controller’s cost) | Yes (s.166 FSMA skilled person reports) | No equivalent power |
| Maximum penalty | £17.5m or 4% global turnover | Unlimited (FSMA) | 10% of qualifying revenue (CA 2003 s.97) |

The comparison is instructive. The FCA’s 28-day Stage 1 window creates acute time pressure: firms must decide whether to settle before the case is fully developed. The ICO’s framework, pegged to the notice of intent rather than a fixed period, may give controllers more time to evaluate the position before the highest discount expires. Ofcom sits between the two, with a declining three-tier structure but no fixed deadline.

For businesses regulated across multiple sectors, including telecoms operators processing personal data or payments firms subject to both FCA and ICO oversight, the interaction between these frameworks matters. A data breach at a payment institution could involve concurrent FCA and ICO investigations, each with its own settlement timeline and discount structure. Coordinating engagement across regulators, with different admission requirements and different consequences for the admissions made, is where the complexity lies.

DUAA powers: compulsory interviews and approved person reports

The ICO enforcement guidance also sets out how the regulator intends to use two new investigatory powers conferred by the DUAA. These are the power to compel individuals to attend interviews and the power to require a controller or processor to commission a report from an approved person.

The interview power replaces what was previously a voluntary process. The ICO can now issue an interview notice requiring a controller, processor, or their employees to attend. In urgent cases, as little as 24 hours’ notice is required. Failure to comply is itself an enforcement matter.

The approved person report power allows the ICO to require an organisation to appoint an independent expert to report on a specified aspect of its compliance. The ICO must approve the nominated person. If the organisation does not nominate a suitable candidate, the ICO may appoint one itself. As the cross-regulator comparison above shows, this is functionally equivalent to the FCA’s section 166 FSMA skilled person regime, and a power Ofcom does not have.

Both powers came into force on 5 February 2026 under Commencement No. 5. As we noted in our earlier analysis of the DUAA’s commencement, they close investigative gaps that previously required voluntary cooperation.

What ICO enforcement guidance means for regulated businesses

The practical effect of the draft guidance is threefold. First, controllers and processors now have a clear financial incentive to engage early. A 40% discount on a penalty in the millions is material. The Capita settlement, where the penalty fell from £45 million to £14 million, illustrates the sums at stake. Organisations should factor the settlement framework into incident response planning, including who has authority to accept findings and instruct advisers to negotiate.

Second, the compulsory interview and approved person report powers shift investigation dynamics. Organisations cannot run down the clock by declining to make individuals available. The 24-hour urgent interview notice requires protocols for responding at short notice, including arrangements for legal representation and privilege management.

Third, the elevated PECR fine cap, now at £17.5 million or 4% of global turnover, means the settlement framework applies to direct marketing and cookie compliance breaches as well as UK GDPR infringements.

| | Before DUAA | After DUAA (5 Feb 2026) |
|---|---|---|
| Settlement procedure | No formal framework | Tiered discounts: 40% / 30% / 20% |
| Interview powers | Voluntary | Compulsory (24-hour urgent notice) |
| Technical reports | ICO’s own assessment | Approved person reports at controller’s cost |
| PECR maximum penalty | £500,000 | £17.5m or 4% global turnover |
| Complaints handling | No statutory requirement | Formal procedure required (from June 2026) |

Viewpoint

The settlement discount framework is the most important change in this guidance. It gives the ICO a tool to resolve cases faster and more predictably, and it gives controllers a rational basis for deciding whether to contest or cooperate. In practice, the decision will hinge on whether the ICO’s characterisation of the infringement is one an organisation can accept. The requirement for a full admission, including legal characterisation, is more demanding than a simple acceptance of facts. Controllers will need to weigh the discount against the precedent that an admission creates for civil claims and regulatory expectations going forward.

From experience advising regulated businesses through enforcement proceedings, the operational challenge is usually not the decision to settle but the speed at which internal governance can authorise it. The 40% discount is available only before a notice of intent. Once a case reaches that stage, the discount drops and the balance of power shifts. Boards and compliance committees that wait for the formal notice before engaging will find they have already left money on the table.

The approved person report power deserves particular attention. It allows the ICO to commission detailed technical assessments at the controller’s expense. For businesses processing data through complex AI systems or multi-vendor architectures, the cost and disruption of an approved person report could be substantial. Building a defensible compliance record now is the most effective way to manage that risk.
