How to Prepare for an ICO Investigation: What Scale-Ups Need to Know

Your legal team forwards you an email from the Information Commissioner's Office. The subject line says "Assessment Notice." Nobody on your leadership team has seen one before, and the clock is already running.

This happens more often than founders expect. It's usually triggered by a complaint from a customer or employee, a breach report you filed months ago, or a sector-wide sweep the ICO is running that quarter.

The good news: an ICO investigation is procedural, not existential, if you're prepared for it. The scale-ups that come through cleanly are the ones who already know what the ICO can ask for, what genuine cooperation looks like, and where their own records fall short before the ICO points it out for them.

Quick answer: If the ICO contacts you, respond within the stated deadline, assign a single point of contact (ideally your DPO), and pull together your records of processing activities, DPIAs, and breach logs before you reply. Most investigations start as an information request, not a raid. How you handle the first 10 working days shapes everything that follows. Trust Keith keeps this evidence live and audit-ready inside its privacy management system, so customers aren't reconstructing records under deadline pressure.


 

How Do ICO Investigations Typically Start?

Almost no ICO investigation begins with an unannounced visit. In practice, there are three common triggers.

  • A complaint — an individual (a customer, job applicant, or employee) reports your organisation to the ICO, often after a subject access request went unanswered or a marketing email arrived without consent.
  • A self-reported breach — under UK GDPR Article 33, organisations must notify the ICO of a reportable personal data breach within 72 hours. A breach notification doesn't guarantee scrutiny, but it can prompt the ICO to ask follow-up questions about your wider controls, not just the incident itself.
  • A sector sweep or referral — the ICO periodically focuses on sectors it considers higher-risk (adtech, recruitment, health data, financial services) and issues information requests across multiple companies at once.

Whatever the trigger, the first formal contact is usually a letter or email asking for information or an explanation, not an on-site inspection. How scale-ups respond to that first letter is what usually determines whether the matter closes quietly or escalates.


 

Advisory Contact vs. Formal Investigation: What's the Difference?

Not every letter from the ICO is the start of a formal investigation, and it's worth knowing which one you're dealing with.

  • Advisory or informal contact — the ICO asks questions to understand your practices, often prompted by a single complaint. This can be resolved with a clear, well-evidenced written response and doesn't necessarily become a formal case.
  • Information notice — issued under Data Protection Act 2018, section 142, this legally compels you to provide specified information by a set deadline. Non-compliance is itself an offence.
  • Assessment notice — issued under DPA 2018, section 146, giving the ICO the right to assess your compliance, which can include requiring access to premises, documents, equipment, and staff interviews.
  • Enforcement notice — issued under DPA 2018, section 149, requiring you to take (or stop taking) specific action, typically once the ICO has already concluded there's a compliance failure.
  • Penalty notice — issued under DPA 2018, section 155, imposing a fine. Under UK GDPR Article 83, the higher tier of fines can reach £17.5 million or 4% of global annual turnover, whichever is greater.

 

Trust Keith Office Hours


 

What Does the ICO Actually Look For?

The ICO's published enforcement guidance is consistent about what it wants to see evidenced, not just asserted. In practice, that means:

  • A current record of processing activities (ROPA) — under UK GDPR Article 30, showing what personal data you hold, why, and for how long.
  • Data protection impact assessments (DPIAs) — for any processing likely to result in high risk, per Article 35, especially around monitoring, profiling, or special category data.
  • Evidence of a lawful basis for each processing activity, mapped under Article 6 (and Article 9 where special category data is involved).
  • A breach log showing not just incidents, but how each was assessed, whether it met the reportable threshold, and what changed afterwards.
  • Proof of accountability — training records, supplier due diligence, and a named, appropriately resourced DPO or privacy lead where UK GDPR Article 37 requires one.

Crucially, the ICO isn't looking for perfection. It's looking for evidence that privacy is actively managed, not bolted on after the fact.


 

Your Rights and Obligations During an Investigation

An investigation isn't one-directional. Scale-ups have rights as well as duties.

  • You're entitled to a clear legal basis for any notice served, and to know which section of the DPA 2018 or UK GDPR Article it's issued under.
  • You can request reasonable time extensions where a deadline is genuinely unworkable, though this should be raised early and in writing, not after a deadline has passed.
  • You're obliged to respond honestly and completely — deliberately withholding or misrepresenting information under an information notice is a criminal offence under DPA 2018, section 144.
  • You're entitled to appeal enforcement and penalty notices to the First-tier Tribunal, though this doesn't pause the obligations in the interim unless separately agreed.
  • You should keep your own record of every request, response, and internal decision made during the process — this becomes essential if the matter is later appealed or referenced in a future assessment.

 

How to Prepare Your Documentation and Evidence

Preparation for an ICO investigation should start well before any letter arrives. If it hasn't, here's the fastest path to a defensible position once one does.

  • Centralise your ROPA so it can be exported and shared within hours, not weeks — a spreadsheet nobody has updated since a funding round is a red flag in itself.
  • Pull your DPIA history for any high-risk processing, including who reviewed it and when it was last revisited.
  • Reconcile your breach log against actual incidents raised internally — gaps between what staff reported and what's logged are one of the most common findings in ICO assessments.
  • Confirm your DPO's appointment and independence are properly documented, including reporting lines, per Article 38.
  • Assign one internal point of contact for all ICO correspondence, so responses stay consistent and nothing is answered twice, differently, by two different people.

This is precisely where a data protection audit earns its keep. It surfaces exactly these gaps while there's still time to close them, rather than during the investigation itself.

It's worth running through this list as a genuine rehearsal, not a paper exercise. Ask your team to actually produce the ROPA export, the most recent DPIA, and the breach log on demand, with a deadline attached, the way the ICO would ask for it. Where that exercise takes days rather than minutes, that's the gap an investigation will expose — and the one worth fixing now, while there's no clock running against you.

Trust Keith Resources


 

Common Mistakes That Escalate an ICO Investigation

Most escalations aren't caused by the original complaint, they're caused by how the response is handled.

  • Missing the response deadline without requesting an extension, which reads as non-cooperation even when it's really just disorganisation.
  • Sending inconsistent answers because multiple people respond separately without a shared source of truth.
  • Producing documentation that's clearly backdated or rebuilt in response to the notice, which undermines credibility on everything else you submit.
  • Treating it as purely a legal problem and excluding the people who actually run the processing being investigated, which leads to answers that don't match operational reality.
  • Assuming it will resolve itself because "we haven't had a breach yet" — the ICO's focus is on whether processing is lawful and accountable, not just whether something has gone wrong.

 

What Happens at the End of an Investigation?

Outcomes vary depending on severity and cooperation, but they generally fall into a few categories.

  • No further action — the ICO is satisfied with your response and closes the matter, sometimes with informal recommendations.
  • Recommendations or an action plan — you're asked to make specific improvements within an agreed timeframe, without formal enforcement.
  • An enforcement notice — you're legally required to take (or stop) specific action, with a compliance deadline.
  • A penalty notice — a fine is issued, calculated with reference to the nature, gravity, and duration of the failure under Article 83(2).

Cooperation, evidenced accountability, and prompt remediation are consistently cited by the ICO as factors that reduce both the likelihood and size of a penalty — which is exactly why documentation quality matters as much as the underlying facts.

It's also worth knowing that most cases never reach the penalty stage at all. The ICO has repeatedly signalled a preference for engagement and remediation over punitive fines, particularly for organisations that self-report issues and show a credible plan to fix them. That preference doesn't remove the obligation to prepare properly, it simply means preparation and cooperation are usually rewarded rather than treated as a given.


 

Frequently Asked Questions

How long does an ICO investigation usually take?
There's no fixed timeframe. An advisory query can close within weeks; a formal assessment or enforcement case can run for several months, particularly if information requests are answered in stages.

Do we need a solicitor to respond to the ICO?
Not necessarily for an initial information request, but legal input is strongly advisable once an assessment, enforcement, or penalty notice is issued, given the statutory obligations involved.

Can a scale-up without a full-time DPO still respond well?
Yes — many scale-ups handle ICO contact through an outsourced or fractional DPO, provided that person has genuine visibility of the organisation's processing and documentation, not just a title.

Does self-reporting a breach increase our chances of investigation?
Not inherently. The ICO consistently treats prompt, transparent breach reporting more favourably than late disclosure discovered independently.

What's the single biggest predictor of a good outcome?
Being able to produce accurate, dated, and consistent documentation quickly. Investigations rarely go badly because of one gap, they go badly when a company can't demonstrate it knows its own data practices.


 

An ICO letter isn't a verdict, it's a test of whether your documentation matches what you actually do with data. Scale-ups that treat privacy as a continuously maintained system, rather than a folder assembled once a year, tend to walk through this process with far less disruption. 


 

If any of this still feels uncertain, or you'd simply like to talk it through with someone who's handled ICO contact before, you're welcome to book some time with our team. We're happy to see how we can help.

chat to an expert

Trust Keith