From the ICO to the Information Commission: What the Change Really Means
By Mark Farrell, Data Protection Consultant at Data Protection People
The Data (Use and Access) Act 2025 introduces one of the most significant changes to UK data protection regulation in years, transforming the Information Commissioner’s Office (ICO) into the Information Commission. In this article, Mark Farrell examines the governance reforms, expanded regulatory remit, enhanced enforcement powers, accountability, complaints handling and what organisations should expect from the UK’s evolving data protection regulator.
With the Information Commissioner’s Office (ICO) announcing temporary governance changes in response to the ongoing workplace investigation into current Commissioner John Edwards, it seems an appropriate moment to delve into the permanent governance changes that are set to take effect under the Data (Use and Access) Act (DUAA) 2025 later this year (date yet to be confirmed).
The UK data protection regulator’s formal transition from the ICO to the Information Commission is a structural evolution that will not change the fundamental role and responsibilities of the regulator. The DUAA amends references to ‘Information Commissioner’ to the ‘Information Commission’ so all existing functions transfer over.
However, the change represents more than mere rebranding. The way the regulator is constituted, governed and held to account is changing significantly. The narrative around the DUAA usually takes the organisational perspective: reduced regulatory burden, simplification of certain requirements and greater flexibility to process personal data. But what does the change look like from the regulator’s side?
Towards Board Governance
Moving from a governance structure built around a corporation sole (the Information Commissioner) to a body corporate (the Information Commission) modernises the UK’s data protection regulator, bringing it into alignment with other domestic regulators such as Ofcom and the Competition and Markets Authority (CMA).
Whereas the Information Commissioner currently has the final say in decision making, the Information Commission, once in place, will operate with a board comprising the Chair of the Information Commission, a chief executive officer, and other non-executive and executive members who will share decision-making responsibility.
The impact of this structural change will be to make the regulator less personality-led and more framework-led. A corporation sole should (in theory at least) offer decisiveness, but as we have seen, is also liable to make regulatory tone and emphasis dependent on one individual’s instincts, leading to data protection laws “varying with the length of the Commissioner’s foot.”
Data protection regulation in the current age requires not just authority, but governance, oversight and expertise. A board structure brings all three, as well as greater resilience, continuity in strategy and a broader range of perspectives. Having a wider range of views factored into the regulator’s approach aligns with the formal expansion of the ICO’s regulatory priorities under the DUAA.
Beyond Protecting Personal Data
The DUAA introduces a fresh strategic framework for the regulator when carrying out its functions, entailing a principal objective supported by several other key areas. The primary duty remains to secure an appropriate level of protection for personal data, alongside a new additional requirement to promote public trust and confidence in the processing of personal data.
The other factors the DUAA requires the Commission to have regard to when carrying out its functions are not new priorities per se; they are existing areas of ICO focus that now gain formal recognition and reinforcement as part of the Commission’s overall remit:
- the desirability of promoting innovation;
- the desirability of promoting competition;
- the importance of the prevention, investigation, detection and prosecution of criminal offences;
- the need to safeguard public and national security;
- the fact that children merit specific protection with regard to their personal data.
This broadening of the official regulatory remit reflects that the data protection regulator’s role is no longer confined to data breaches and individual rights; it increasingly entails supervision across emerging areas of public concern such as artificial intelligence, children’s data, biometrics, online tracking, cross-regulatory coordination and the relationship between data protection, competition and innovation.
The DUAA also adds a duty for the Commission to consult other regulators on economic growth, innovation and competition. This will presumably take place through the existing Digital Regulation Cooperation Forum (DRCF), which brings together the ICO, the Financial Conduct Authority (FCA), Ofcom and the CMA.
This signals a move away from data protection being treated as a standalone compliance issue and toward a more joined-up regulatory model in which privacy, competition, innovation and online safety are assessed alongside one another. In practice, this increases the likelihood of coordinated regulatory expectations, shared intelligence and scrutiny across regulators, meaning organisations may face a more consistent but also more demanding regulatory environment.
The Commission will be held accountable on this new remit by greater transparency requirements introduced by the DUAA, requiring the Commission to publish an annual analysis of its performance and report on regulatory action including the nature of investigations, time taken and powers used. Requiring the regulator to explain not only what it prioritises but how efficiently it uses its powers and resources is intended to create a more publicly accountable institution.
As well as factoring these considerations into its decision making, the Information Commission will oversee a range of DUAA changes that are themselves motivated by them.
The Enforcement Forecast
The ICO’s recent enforcement track record has remained broadly aligned to the primary objective of protecting personal data, data rights and upholding public trust, with many headline sanctions pertaining to data security breaches, including the Capita, Advanced Computer Software, 23andMe and LastPass fines.
However, recent action taken against TikTok and Reddit centred on proactively protecting children’s data points to the ICO broadening its focus beyond data security breaches, reflecting the wider regulatory priorities formalised by the DUAA. Indeed, children’s data is best viewed not as one priority among many but as an increasingly cross-cutting theme across all the newly formalised regulatory priorities.
The extent to which the enforcement picture will change following the increased monetary penalties for PECR breaches, which bring that regime in line with the UK GDPR, is debatable.
The increase is most likely aimed at deterrence, the original maximum seemingly having provided too little of it.
The overall trend of enforcement action in recent years, despite the ICO’s public sector approach, has been upward, and it is likely to continue on that trajectory. This is especially so in view of the new enforcement procedural guidance, which is set to replace the 2018 Regulatory Action Policy and will determine how the ICO uses the expanded powers conferred by the DUAA.
Enhanced Evidence Gathering
The headline changes in terms of new ICO (and soon to be Information Commission) evidence gathering capabilities conferred under the DUAA are powers to:
- Compel production of specific documents
- Compel a witness to attend an interview
- Request technical reports
These powers strengthen the regulator’s evidence gathering toolkit in response to the investigative challenges it has faced.
For the regulator, the power to mandate production of a report by an approved person, at the organisation’s cost and with the subject matter, form, manner and date of preparation specified, should free up capacity to investigate and sanction more organisations.
Such reports may also become more readily available to claimants than internally produced equivalents, and one would expect them to be highly advantageous in advancing legal claims.
Complaints: Lightening the Regulator’s Burden
The DUAA complaints changes are intended not only to place greater obligation and responsibility on organisations to resolve data protection complaints raised by individuals but, in turn, to reduce the burden that the large volume of complaints places on the ICO.
In tandem with the DUAA complaints changes, the ICO has published a new framework on how it handles complaints, targeted at more effectively managing the large and increasing volumes of complaints received.
The overall aim of the framework is to focus resources on cases where the ICO can have the biggest impact and where issues align with strategic priorities.
Conclusion
The government and the ICO have presented the DUAA as a reform package focused on promoting innovation, supporting growth and making compliance easier for organisations.
There is truth in that: the Act relaxes and clarifies certain requirements, for example around scientific research, recognised legitimate interests, cookies and automated decision-making. But the transition to the Information Commission shows that simplification is only half the story.
The other half is a regulator designed to be more strategically oriented, better equipped and more assertive in regulatory action.
Organisations taking advantage of the greater flexibility permitted by the DUAA should be mindful that this freedom comes with a string attached: the regulator is better equipped to investigate and penalise should things go wrong.
Ultimately, this is not a shift from more regulation to less but from an older model of data protection oversight to a newer version that is board-governed, strategically accountable and more appropriately calibrated for the emerging pressures of AI, digital markets, children’s privacy and the increasingly sophisticated enforcement picture that follows.
Need Help Preparing for the DUAA?
The Data (Use and Access) Act introduces significant changes for organisations, regulators and data protection professionals. If you need support understanding your obligations, reviewing your compliance programme or preparing for the evolving regulatory landscape, our team can help.
Mark Farrell is a Data Protection Consultant at Data Protection People. Mark specialises in UK GDPR compliance, information governance, regulatory developments and the practical application of data protection law. He regularly advises organisations on emerging legislative changes, enforcement trends and regulatory risk management.
For more discussions on UK GDPR, data protection and regulatory developments, explore the Data Protection Made Easy Podcast.