Publication 15 Jan 2026 · United Kingdom

Information Commissioner's Office

Regulation nation?

The Information Commissioner’s Office (ICO) is the UK’s independent regulatory body responsible for enforcing data protection laws and regulations. Established in 1984, its remit has expanded over the years to encompass the regulation of organisations and individuals that process personal data or handle information under UK laws related to data protection, privacy and information access.

Information Commissioner's Office: Five things to watch

  • Protecting children
  • Online tracking
  • Artificial intelligence
  • Sandbox initiatives
  • Data protection enforcement

The ICO ensures compliance with the UK General Data Protection Regulation 2018 (UK GDPR) and the Data Protection Act 2018 (DPA), ensuring that personal data is collected, stored and used lawfully. It also oversees public access to information under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, and enforces the Privacy and Electronic Communications Regulations 2003 (PECR), which cover direct marketing, cookies, and electronic communications. The ICO has ensured PECR remains effective amid technological change and growing public expectations and privacy concerns.

In addition, the ICO is responsible for upholding information rights under a broader range of legislation, including the Investigatory Powers Act 2016, the Re-use of Public Sector Information Regulations 2015, the INSPIRE Regulations 2009, the eIDAS Regulation (covering electronic identification and trust services), and the Network and Information Systems Regulations 2018. Most recently, the ICO has begun overseeing compliance with the Data Use and Access Act 2025 (DUAA).

The DUAA is intended to enhance the UK’s digital strategy and unlock the use of data. It provides the ICO with new powers, including the ability to compel witnesses to attend interviews, and to request technical reports. It also significantly increases the ICO’s power to issue fines under PECR, which may now be up to £17.5m or 4% of global turnover.

In addition, the DUAA will transform the ICO from a single office-holder model into a new body called the Information Commission. This will be a corporate entity with a chair (initially the current Information Commissioner), a chief executive, and other non-executive and executive members who will share decision-making responsibilities. This new governance model brings the ICO more in line with other UK regulators. Although no date has been confirmed for this change, it is expected that there will be little noticeable difference in the ICO’s day-to-day operations.

The ICO adopts a risk-based approach to regulation and focuses on deliberate or reckless harms, aiming to be proportionate and fair. It has the authority to investigate breaches, issue fines, and take enforcement action, although it generally avoids penalising genuine mistakes made in good faith.


Five things to watch

Protecting children

A key area of focus for the ICO is the protection of children’s privacy online. The DUAA introduces ‘higher protection matters’ that must be considered by providers of online services likely to be accessed by children. These providers must consider how best to protect and support children who may be less aware of the risks and consequences of data processing and have different needs at various stages of development. However, exactly what this will mean in practice is so far unclear. The ICO is committed to ensuring that children are appropriately protected while maintaining the same underlying data protection principles for both children and adults.

Online tracking

The ICO aims to ensure that people have meaningful control over how they are tracked online. After finding concerns with 134 of the UK’s top 200 websites, the ICO plans to bring the top 1,000 into compliance through advice, guidance, and enforcement where necessary. It has also published guidance on ‘consent or pay’ advertising to support this. Under its 'Taking Control' strategy, the ICO will promote compliance with cookie and tracking laws, ensure users can control their data, and focus compliance improvements on the top 1,000 UK websites.

Artificial intelligence

The ICO seeks to facilitate the transformative potential of AI, while addressing its potential risks to individual rights and freedoms. Its main aim at the moment is to provide regulatory certainty through published guidance on rights in relation to AI, and an AI and biometrics strategy announced in June. This strategy includes increased scrutiny and the development of a statutory code of practice for organisations developing or deploying AI.

Sandbox initiatives

The ICO has developed regulatory sandboxes and innovation hubs to support organisations in developing new products and services in a compliant manner. These initiatives are likely to expand, particularly in areas such as AI, health data, and digital identity, helping to foster innovation while ensuring privacy protections are maintained.

Data protection enforcement

The ICO is currently consulting on draft guidance on its data protection enforcement. The guidance aims to provide increased clarity about how the ICO will use its enforcement powers – including powers introduced in the DUAA – in non-criminal cases. It sets out the ICO’s approach in much greater detail than the 2018 Regulatory Action Policy it will replace. While there may be changes when the final form of the guidance is published, some businesses are already reviewing their compliance strategy and processes in the light of the ICO’s proposals.
