A fresh forward look from the ICO

On 26 February I was one of a small group invited to join an overview of the ICO’s forward direction in this period of transition from the solo Commissioner to an organisation directed by its new board.

This was our first visit, organised by TechUK, to the ICO’s unmarked London HQ and its meeting room looking out to the River Thames and its background of London’s iconic city skyline. We were there to meet the ICO’s Chief Executive, Paul Arnold MBE (appointed in June 2025) who has worked at the ICO for decades with several Commissioners. I had never met him, despite getting to know all the Commissioners and meeting them several times during their terms of office. They have relied on his vital organisational skills.

The March edition of PL&B UK Report is full of articles and news on how the Data Use and Access Act 2025 is being interpreted and implemented, but this round table discourse provided insights not included in the ICO’s usual information output.

ICO’s new governance strategy

The starting date of the new legal status of the ICO’s transition from Corporation sole to Information Commission is expected to be announced in the next month or two. The main point is that it will be an Executive Board with legal authority and responsibility and will be chaired by John Edwards in the first instance, rather than his current role as the sole Commissioner advised by the management board. There will be seven Non-Executive Directors whose names have not yet been announced by the government. As Chief Executive, Arnold will be a member of the board and accountable to it.

Arnold said that the ICO25 Strategic Plan still applies this year, although the document’s name has been overtaken by the passage of time! As complaints have gone up from 40,000 to 66,000 over the last two years, his view is “the ICO can’t be there for everyone always” so inevitably it is “putting maximum effort into upstream regulatory space” which means “rethinking traditional services.” The ICO’s direction is to encourage the growth and value of data by “building trust in the data eco-system” and developing the use of data by working with other regulators, all helped by the new law. He gave the example “people benefit from joined-up health services.”

The ICO will speak with “a different tone of voice.” Arnold provided a metaphor that the ICO is not there to set speed limits in the use of data. Organisations and individuals should not be constrained by “risk aversion” but rather should be able to do what the law allows. He connected overcoming companies’ lack of confidence in how to use data as part of the ICO’s contribution to the government’s economic growth strategy.

He made it clear that this new direction would not mean that the ICO is forgetting enforcement. Although “most organisations are trying to do the right thing” the ICO “must take clear action in tackling organisations with a criminal mindset.”

One of the ICOs clear priorities is stakeholder engagement, which is a vital opportunity for diverse groups to influence the ICO’s strategy and direction.

Building transparency and trust in Artificial Intelligence

William Malcolm, the ICO’s relatively new Executive Director Regulatory Risk & Innovation, appointed last year, added that the ICO needed to do a better job to explain regulatory interventions. He wanted the ICO to build transparency and trust in Artificial Intelligence and use of data in public services, continuing its work on protecting children and building cyber resilience. He said that the ICO is waiting for the government’s Department of Science, Innovation and Technology (DSIT) to draft Statutory Instruments under the DUAA which would enable the ICO to publish statutory codes, for example on AI. He wants the public to understand and accept AI, debunk AI myths and overcome a widespread lack of understanding of what AI can do. The ICO would publish in late March a report on automated decision-making in the recruitment area, an example of “the ICO building strong regulatory products.”

ICO neutral on tech

It was he who put his name representing the ICO to the Joint Statement on AI-Generated Imagery and the Protection of Privacy published by the Global Privacy Assembly's (GPA) International Enforcement Cooperation Working Group (IEWG). It was published on 23 February and signed by 61 authorities. The document reflects the ICO’s balanced views:

“While AI can bring meaningful benefits for individuals and society, recent developments - particularly AI image and video generation integrated into widely accessible social media platforms - have enabled the creation of non-consensual intimate imagery, defamatory depictions, and other harmful content featuring real individuals. We are especially concerned about potential harms to children and other vulnerable groups, such as cyber-bullying and/or exploitation”(1)

Paul Arnold added “the ICO does not say tech is good or bad” and shared his personal experience of being severely visually impaired.(2) He shared with the group that he clearly benefits from his smart glasses. Malcolm added that the legality of the use of smart glasses “depends on their actual use in the domestic and public sphere.” He expects organisations to prepare a Data Protection Impact Assessment before launching such products.

On the ICO’s own use of tech tools, its chatbot(3) helps deal with the increasing mass of questions and complaints. Arnold explained “the ICO wants to provide a safe use of tech, the same as those we regulate.”

Answering a question on the future role of fines, Arnold responded by saying that “A fine takes longer to implement and incurs the ICO in heavy legal costs. I want fines to be secondary. A fine is a regulatory tool to achieve an outcome.”

International transfers

Unspoken was the question of asking when DSIT would conclude its assessment of the European Area Member States. Should they and the EU’s current list of “adequate” jurisdictions be part of the government’s study of whether they are “not materially lower” from the UK’s perspective? I suggested to a senior DSIT official last October that this was not a good use of his staff’s skills and time. He responded that this work is what the DUAA requires but agreed that closer coordination with the European Commission on these assessments would avoid duplication.

I expect that DSIT will soon announce mass approval of all the 40+ member states of the EEA and its current list of “adequate” jurisdictions. DSIT expert staff can then devote their energies to assess the countries on the EU’s potential list such as Kenya and California, and then some other jurisdictions.

A weakening of privacy rights?

I said that privacy advocates are concerned that the ICO’s embrace of the government’s economic growth strategy means a weakening of the ICO’s commitment to privacy rights. Arnold and Macolm agreed that the steps the ICO is taking would reduce business costs and are consistent with an increase in trust in the use of data. The ICO’s efforts regarding cyber resilience should reduce the number and severity of ransom attacks which drain money from the legal economy towards the criminal world.

And finally …

The ICO is returning to its geographical roots this autumn by moving its HQ from Wilmslow to Oxford Road, in central Manchester, the location of the National Computing Centre. It was from there that Eric Howe, Deputy Director, was recruited in 1985 to be the first Data Protection Registrar and where I phoned him the next day to introduce myself.(4)

Someone asked whether the ICO would retain the ICO name when it transitions into the Information Commission? Yes, as the ICO is recognised across the world.

Looking ahead

Looking forward, we have many highlights in this 40th year, including:

• 5 March: PL&B’s AI Workshop, How to Deploy AI Within a Data Legal Framework, in association with and hosted by Browne Jacobson in Birmingham with the results of our related survey conducted by international research company, Ipsos.
  • Online places are still available but we have a waiting list for in-person places.
• 14 May: PL&B’s Ireland and EU privacy/digital laws: New horizons in association with, and hosted by, McCann FitzGerald in Dublin.
  
  • Speakers will include Michael McGrath, European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection; and Dr Des Hogan, Ireland’s Commissioner for Data Protection, and two Deputy Commissioners.
  • PL&B Report subscribers can register for free.
• 6-8 July: The title for PL&B’s 39th International Conference at St. John’s College, Cambridge is Digital Regulation: The Fundamental things apply – the programme will be announced this month.

Keep watching our website for further details. Early bird registration is now open.

We look forward to meeting you at these events, both in-person and online.

Stewart Dresner
Publisher, Privacy Laws & Business

March 2026