Explained / Other / 2 September 2026
How ICO enforcement actually works: from complaint to Decision Notice
The ICO enforcement pipeline runs from complaint or self-report through investigation to formal action (Information Notice, Enforcement Notice, Monetary Penalty Notice, Reprimand). Sales leaders reading the Digest need a working model of what happens at each stage, what becomes public, and what does not.
Most ICO enforcement is private (informal advice, voluntary undertakings, low-level reprimands). Public enforcement (Enforcement Notices, MPNs, Decision Notices) is the visible tip; the Digest covers what is publicly visible and is explicit about that limit.
How a complaint becomes regulatory action
The ICO enforcement pipeline starts with a complaint, a self-report, or a proactive ICO investigation. Most complaints come from individuals (subject access response failures, unsolicited marketing, suspected breaches). Self-reports come from organisations notifying the ICO of a personal data breach within the 72-hour window required under UK GDPR. Proactive investigations follow the ICO's published regulatory priorities and risk-based approach.
Once a matter is open, the ICO's investigative tools include:
Information Notice: a formal request for information from an organisation, with statutory force. Failure to comply is itself a breach.
Assessment Notice: a power to enter and inspect, used in significant cases. Less commonly seen than Information Notices.
Voluntary undertaking or informal advice: the ICO may resolve matters by securing a voluntary commitment from the organisation to specific remedial action. Many matters resolve here without becoming public.
What becomes public
Public enforcement falls into a small set of formal instruments:
Enforcement Notice: a formal direction to take or stop specific action. Published. Failure to comply is a separate breach with potential criminal liability.
Monetary Penalty Notice (MPN): a fine, currently up to £17.5m or 4% of global turnover for the most serious breaches under UK GDPR. Published with reasoning.
Reprimand: a formal censure that does not include a financial penalty but is a public statement of finding. Published, and increasingly visible since the Commissioner's stated preference for proportionate action.
Decision Notice: published findings on subject access requests, freedom of information matters, and certain other specific powers.
Prosecution: the ICO can prosecute certain offences (for example, unlawfully obtaining personal data). Less common than civil action; convictions are public.
The published record is the visible portion of ICO activity. The underlying volume of investigations, voluntary undertakings, and informal action is much larger and is largely private. Sales leaders reading the Digest should understand they are reading the visible tip; absence from the published record does not necessarily mean absence of regulatory attention.
Why the visibility model matters
The pattern most relevant to UK B2B sales: the ICO has signalled in published statements that it favours proportionate, resolution-focused action where possible, escalating to formal enforcement where organisations do not engage constructively or where the matter is sufficiently serious to warrant public action.
The practical implication for sales leaders: organisations that engage well with the regulator typically resolve matters short of public enforcement. Organisations that do not engage well or that have systemic failings tend to feature in the published record. Building constructive engagement habits with the regulator (responding promptly to information requests, taking guidance seriously, self-reporting breaches within the required window) materially affects the likelihood of public enforcement.
What we cover and what we do not
The Monthly ICO Digest covers the visible tip: the published enforcement, guidance, and consultation activity. We do not have access to (or visibility into) the much larger underlying volume of private resolution. We are explicit about that limit in each Digest.
Source: Information Commissioner's Office published enforcement guidance. Data Protection Act 2018. UK GDPR.