
A new era of ICO investigation and enforcement

12 February 2026

Given the wide scope of his regulatory responsibilities, the Information Commissioner has his work cut out. Although weighty GDPR fines are eye catching, enforcement proceedings are expensive, time consuming, and slow in providing much-needed clarity. Therefore, whilst taking a selective approach to imposing fines, the Information Commissioner’s Office (‘ICO’) has been exploring a range of alternatives to improve and enforce compliance. Alongside a new identity as the ‘Information Commission’ from April 2026, the ICO has new powers and new Enforcement Guidance. We are clearly moving into a new era of investigation and enforcement.
 

Public reprimands rather than fines within the public sector
 

Over the last three years, the ICO has sought to address public sector non-compliance through engagement, guidance, audits and published reprimand notices rather than issuing fines. There have been a small number of fines imposed where there has been no appropriate alternative (for example, the £750,000 Police Service of Northern Ireland fine). Otherwise, the new default ‘Public Sector Approach’ relies upon publication of the details of data protection failings, as well as the remediation of those failings, in a timely and targeted way. Having concluded this is a more effective and responsible approach where public funds are involved, the ICO seems likely to depend upon ‘transparent engagement’ in a wider range of enforcement activity.

New powers – mandatory interviews and approved person reports
 

The ICO has been granted new enforcement powers by the Data Use and Access Act 2025, which came into force on 5 February 2026. Firstly, the ICO may now require a controller to arrange for an approved person to prepare a report (s146A Data Protection Act 2018). This is similar to the ‘skilled person reviews’ required by the Financial Conduct Authority, enabling constructive engagement with the ICO at an early stage.

Secondly, in addition to information notices requiring provision of documents, the ICO may issue notices requiring an individual to attend an interview and answer questions, and a new offence has been created for knowingly or recklessly making false statements in interview (s146A – 146C Data Protection Act 2018). There are carefully worded protections, which will need careful consideration prior to interview, relating to legal professional privilege and privilege against self-incrimination. Other than in specific circumstances, the interview transcript cannot be used as evidence against the individual for commission of an offence under the Data Protection Act 2018.

New Enforcement Procedural Guidance
 

Meanwhile, in October 2025, the ICO issued a draft Enforcement Procedural Guidance for consultation. The Guidance, which will replace the existing Regulatory Action Policy, provides significantly more detailed operational guidance concerning the ICO’s approach to enforcement. Although designed to be principles based, and therefore flexible, this Guidance will be an invaluable resource for those facing ICO scrutiny.

In particular, this draft Guidance provides essential detail concerning the ICO’s enforcement toolbox, including the issuing of non-statutory warnings. Although non-binding, such warnings may be provided without notice and may be taken into account in the event of continued non-compliance. For organisations wishing to explore settlement, the Guidance now also sets out the terms of the Commissioner’s engagement in these discussions.

Commitment to transparency
 

Importantly, the Commissioner’s clear commitment to transparency is threaded throughout the draft Guidance. Despite retaining discretion with respect to the publication of warnings, reprimands and formal enforcement notices, the Commissioner will need persuading not to publish details of an organisation’s breaches.

This continued commitment to transparency is intended to improve public trust and increase predictability for organisations. Given the impact upon an organisation’s reputation, publication should be top of mind when engaging with the ICO.

Concluding thoughts
 

In the wake of criticism of the ICO for not taking enforcement action with respect to the Afghan data breach last year, we will continue to see the ICO actively using a variety of investigation tools – including mandatory audits, approved person reports and interviews – followed by a range of enforcement outcomes, including warnings, reprimands and fines.

In this new era, organisations should remain alert to areas of specific ICO concern such as children’s data, employee surveillance, biometrics, automated decision making and Generative AI. Further, it is a good time to review the range of new and updated ICO guidance issued following changes introduced by the Data Use and Access Act 2025, as well as the final Enforcement Procedural Guidance once published.

About the author

Emily is a partner within the Public Law team specialising in information law, inquests, inquiries and internal investigations. Her background in criminal and regulatory proceedings, both defending and prosecuting, equips her to fully support clients involved in complex investigative processes. She is described as “precisely the kind of solicitor a client wants when the going gets tough” (Legal 500 UK 2021).

 
