Changes at the ICO
What does the transition to becoming a Commission mean in practice?
The UK’s Information Commissioner’s Office is transitioning into an Information Commission during the course of 2026. This change replaces the ‘corporation sole’ structure where a single Commissioner held decision-making power and moves the regulator to a corporate board structure with shared decision-making responsibilities across a Chair, Chief Executive and Executive and Non-Executive Directors. This brings the ICO in line with other regulators such as Ofcom and the Competitions and Markets Authority (CMA).
This structural change will not fundamentally change the role and responsibilities of the regulator; all existing functions will transfer over from the Commissioner to the Commission. However, it will significantly change the way the regulator is governed and held to account.
The ability to take decisive decisions is seen as a key benefit of having a Commissioner, but in practice it can lead to one person’s views and personal priorities driving the agenda. This has been clear to see in the stark contrast between the tenure of the previous Commissioner, Elizabeth Denham, and that of the recently departed John Edwards. The anticipated benefits of a corporate board structure will be broader governance and oversight, more rounded expertise and range of fresh perspectives.
The transition to a Commission was ushered in by the Data (Use & Access) Act 2025, which also introduced a revised strategic framework for the regulator. While the primary duty remains of ensuring an appropriate level of protection for personal data, moving forward there will firm secondary objectives. These include;
⏹ promoting trust and confidence,
⏹ promoting innovation,
⏹ supporting competition,
⏹ safeguarding public and national security,
⏹ prevention, investigation, detection and prosecution of criminal offences, and
⏹ recognising the specific needs of children.
While these objectives are not necessarily new priorities for the ICO, they now enjoy formal recognition. This framework recognises a data protection regulator can’t operate in isolation, confined to focusing on data breaches and privacy rights, but needs to adapt to emerging trends in areas such as artificial intelligence, biometrics and online tracking. The Commission will also be under a duty to consult with other regulators in relation to economic growth, competition and innovation.
The Commission is being given enhanced powers to gather evidence, such as compelling organisations to provide specific documents, compelling witnesses to attend an interview and the ability to request technical reports.
There’s also been a shift in relation to data protection complaints. It’s fair to say the ICO has been swamped with complaints and ineffective at handling them. There’s now an increased obligation and responsibility on organisations to resolve data protection complaints initially with individuals, to ease the burden placed on the ICO.
Commissioner John Edwards was accused by some of taking a relaxed attitude to enforcement. The reprimand-only approach to the public sector was much criticised. Ultimately, we will have to wait and see whether having a Commission, results in more or less enforcement action.
Thankfully, it looks like we don’t need to start using the term ‘IC’. I understand the branding will remain unchanged, with the regulator still known as the ICO – the Information Commission (Office).