ICO Investigation Process: What to Expect When the ICO Contacts Your Business

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

Most ICO investigations start not with a dramatic raid but with a letter. A data subject complains about a missed subject access request. A routine cookie banner sweep flags non-compliant consent capture. A breach notification reveals inadequate security controls. What follows is a structured process that, for most UK businesses, can be resolved without a fine if handled correctly from the first contact.

Understanding the stages matters because the ICO's response at each point depends heavily on how the organisation behaves at the previous one. Organisations that ignore letters, miss deadlines or dispute jurisdiction without legal basis consistently receive worse outcomes than those that engage constructively even when facing a serious failing.

If you're trying to get ahead of this by checking your current data protection posture, run a free scan at /uk/en/scan before the ICO's automated systems do it for you.

How ICO investigations start

ICO investigations open through four main channels.

Data subject complaints are the most common entry point. Any UK resident can file a complaint at ico.org.uk/concerns about an organisation they believe has breached their data protection rights: a SAR not answered within one month, data processing they didn't consent to, a deletion request refused without a valid reason. The ICO does not guarantee to investigate every complaint, and it typically asks the complainant to raise the issue with the organisation first before escalating. But where complaints form a pattern (multiple individuals complaining about the same business), the ICO treats this as a signal of systemic failure and opens a formal enquiry.

Mandatory breach notifications under Article 33 UK GDPR require organisations to notify the ICO of personal data breaches within 72 hours where the breach is likely to result in risk to individuals. The ICO reviews every notification and, where the circumstances indicate negligence, inadequate security design or significant harm, opens an investigation. The British Airways and Marriott investigations both began with breach notifications following large-scale cyberattacks in 2018.

ICO-initiated sweeps and sector reviews are investigations the ICO opens itself without a triggering complaint. The ICO publishes annual regulatory plans that include sector-specific audits; recent examples include adtech data-brokerage, children's data platforms and cookie-banner compliance. The November 2023 campaign in which the ICO wrote to 53 of the UK's top 100 websites about non-compliant banners followed an unprompted audit of consumer-facing sites.

Regulatory referrals come from other bodies. The FCA, CMA, Ofcom and NHS bodies have mechanisms to refer data protection concerns to the ICO when they encounter them during their own supervisory work. A business under FCA scrutiny for conduct reasons may find an ICO investigation opens in parallel.

Stage 1: initial enquiry and information notice

The first formal step in most ICO investigations is an information notice issued under Article 58(1)(a) UK GDPR. This is a written request requiring the organisation to provide specified information within a stated period, typically 30 calendar days, sometimes shorter for breach-notification contexts.

A first information notice usually asks for:

  • The organisation's response to the underlying complaint or breach, including its account of what happened and what it has done since.
  • The relevant documentation: privacy notices in effect at the relevant time, consent records, data processing agreements, security policies.
  • Information about the organisation's data processing activities relevant to the matter.

Organisations that respond promptly with structured, evidenced answers substantially reduce the risk of escalation. The ICO explicitly considers whether the organisation "co-operated with the ICO and took steps to mitigate the effects of the infringement" when setting penalty levels; co-operation at the information-notice stage is the earliest and often most impactful mitigation.

Ignoring the information notice, or providing a response that refuses to engage with the substance of the ICO's questions, is treated as non-co-operation. It is also itself a breach of Article 31 UK GDPR, which requires controllers to co-operate with the supervisory authority.

Stage 2: formal investigation

Where the information notice reveals systemic issues, or where a breach notification describes a serious incident, the ICO escalates to a formal investigation. This involves:

Data requests that are more detailed than the initial information notice. The ICO may request server logs, access to specific systems or records, full staff training histories or technical architecture documents.

Interviews with key personnel. The ICO has the power under Section 146 of the Data Protection Act 2018 to require information from individuals as well as organisations. In serious investigations, this can include formal interviews under caution.

On-site visits, which the ICO can conduct with 7 days' notice (or less in urgent cases). In practice, on-site visits are used in larger investigations rather than routine SMB matters.

The ICO typically communicates the scope and timeline of a formal investigation in writing, though timelines can extend as the ICO processes evidence. Investigations into large data breaches (for example TikTok's £12.7 million penalty for children's data misuse [ICO 2023], or DSG Retail Ltd v Information Commissioner [2020] UKUT 261 (AAC)) involve months of evidence-gathering.

Stage 3: preliminary findings and representations

Before issuing a fine or enforcement notice, the ICO must give the organisation an opportunity to respond to its preliminary findings. This is set out in Section 155 of the Data Protection Act 2018.

The ICO issues a notice of intent setting out:

  • The proposed action (fine, enforcement notice, or other measure)
  • The proposed amount if a fine is involved
  • The reasons for the proposed action
  • The organisation's right to make representations

The organisation has 21 days to make written representations. This is the point where arguments about the fine calculation, the organisation's financial position, the quality of its post-breach remediation and any novel legal questions should be made. The ICO is required to consider any representations it receives before finalising its decision.

Legal representation at this stage is standard practice for any matter where a fine of more than £50,000 is proposed. The cost of specialist data protection legal advice is typically far less than the difference between an accepted notice of intent and a successfully reduced final penalty.

Stage 4: final decision

Following representations, the ICO issues a final decision. The options available to the ICO under Article 58(2) UK GDPR and the Data Protection Act 2018 include:

A monetary penalty notice (the fine), which must be paid within 28 days unless under appeal. Interest runs from the payment deadline. The fine is publicly disclosed on the ICO's enforcement page.

An enforcement notice requiring the organisation to take specific steps within a specified period, such as updating its privacy notice, changing its cookie implementation, or deleting unlawfully processed data. Failure to comply with an enforcement notice is a criminal offence.

An undertaking: a voluntary, legally binding commitment to implement specific changes. Undertakings are less formal than enforcement notices but are published publicly and monitored.

A reprimand: a formal written statement that the organisation has breached UK GDPR, published publicly but carrying no fine or binding remediation requirement. Reprimands are the most common outcome for first-time SMB failings.

No further action, where the ICO concludes that the evidence does not meet the threshold for formal regulatory action.

Appeal route

Monetary penalty notices and enforcement notices can be appealed to the First-tier Tribunal (Information Rights). Key points:

You do not need to pay the fine pending appeal. Interest accrues on the unpaid amount if the appeal is unsuccessful or partially unsuccessful.

The Tribunal can uphold the notice, substitute a lower amount, or cancel it entirely. The Clearview AI case is a useful reference: the ICO's original fine of £7.5 million was overturned by the First-tier Tribunal on jurisdiction grounds, but the Court of Appeal reinstated a modified version of the decision in 2024 (verify the exact status at appeal time; case law continued to develop into 2025).

Further appeals go to the Upper Tribunal on points of law and then to the Court of Appeal. The full litigation route is expensive and typically reserved for cases involving novel legal questions or fines above £100,000. EU DPAs use equivalent appeal structures. For how the Dutch AP's enforcement route compares, see GDPR website audit checklist (Dutch AP).

The practical playbook for a business facing a monetary penalty notice: get legal advice, assess the strength of the grounds for appeal, consider whether making representations had any meaningful effect and make a cost-benefit decision. Many organisations accept notices at the lower penalty tiers rather than incurring the cost and management distraction of a tribunal appeal.

Practical response playbook for SMBs

If the ICO contacts your business, the following steps apply regardless of which stage you're at.

Respond within the stated deadline. This is the single most important thing. A missed deadline is an immediate aggravating factor and signals non-co-operation.

Document everything. Keep records of when you received the communication, every step of your response, every piece of evidence you submitted and every conversation you had with the ICO's case officer.

Fix the underlying issue. If the complaint was about a missing cookie banner, fix the banner before responding. If it was about an unanswered SAR, answer the SAR and document that you've done so. Early remediation is one of the most effective mitigants recognised in the ICO's penalty methodology.

Don't dispute jurisdiction without a legal basis. Arguing that UK GDPR doesn't apply to your business when it clearly does wastes the ICO's time and yours and damages your credibility in subsequent stages.

Get legal advice before Stage 3. Information notices and preliminary investigation stages can often be handled by the business itself with careful attention to the ICO's guidance. The notice-of-intent stage, where a specific fine amount is proposed, is where specialist advice consistently pays off.

For how EU regulators run parallel processes, see how the ICO compares to EU DPA enforcement.

This is technical analysis, not legal advice. Consult a solicitor for specific guidance on ICO matters affecting your organisation.
