Cyberwire Daily
UK’s Data Watchdog Gets a Makeover to Match Growing Demands

By Team-CWD, February 27, 2026


A forthcoming update to the UK General Data Protection Regulation (GDPR) is about to introduce major changes in the governance of the Information Commissioner’s Office (ICO).

The national data protection regulator will move from a single-leader model – under the status of corporation sole, with a commissioner at its head – to a board-run government agency.

This shift is designed to meet the agency’s growing scope and expanding workload and bring more diverse expertise to data protection.

Paul Arnold, who has been working at the ICO for the past 28 years, was named the first CEO of the new ICO structure in the summer of 2025.

Speaking at the International Association of Privacy Professionals’ (IAPP) Intensive London event on February 25, Arnold explained that the ICO has become “one of the biggest regulators in the UK,” alongside Ofcom, the FCA and the CMA.

“The idea that all of the agency’s responsibilities are vested in one human being is almost preposterous,” he said.

John Edwards, the UK’s current Information Commissioner, announced at the IAPP event that the structural shift will take full effect “within the next few weeks.”

While the exact date has not been confirmed, these changes will be baked into the Data (Use and Access) Act 2025 (DUAA), a new data protection regulation that will reform the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

Ensuring “Vital Continuity” to the ICO’s Strategy

Commissioner Edwards will take on the role of the first chair of the new board while members are being selected. He did not specify how long he will stay in this role. Edwards’ five-year term as Information Commissioner is set to expire at the end of 2026.

Looking forward, the new ICO board members, including some non-executive directors and the chair, will be appointed by the UK government.

Arnold said the members’ terms will be staggered to ensure “a good, healthy recycling of the board.”

The board members will collectively own the ICO strategy and select which decisions and responsibilities must be escalated to them and which to delegate to executives, including the CEO, who is also on the board.

Arnold outlined three main benefits of these changes: the new structure will allow for a more consistent strategy for the ICO; it will help meet the growing workload of the agency; and it will bring more diversity to the agency’s decision-making.

While Arnold admitted that the previous structure allowed the Information Commissioner to “move quickly” in launching data protection investigations or law enforcement actions, he explained that the workload has now become too large for single-person leadership.

“With the board, we will have the benefits of the broader governance constructs, without losing the agility of decision making,” he assured the IAPP Intensive London audience.

Additionally, he said the new board structure will give the ICO “vital continuity,” as there will no longer be “a cliff edge approaching as we get towards the end of a Commissioner’s term.”

“The previous paradigm meant that one person arrived with their vision for what the organization will do and then another individual arrived five years later with their own vision, which can be different. That can be tricky for business security and privacy practitioners to navigate.”

Another key driver for the transition was to bring more diversity.

“It’s important to introduce more diversity of thoughts, for more diverse perspectives means better, stronger decisions for the organization,” Arnold added.

What the ICO Changes Mean for UK Businesses

Arnold said the changes within the ICO should not impact the collaboration between the agency and UK businesses.

However, he said he wanted to lead the ICO to be more transparent about both its responsibilities and scope and the decisions the organization takes in the future.

“You can expect us to be more intentional, deliberate and transparent about the rationale for each regulatory intervention,” he promised.

While these internal changes will not directly affect UK businesses, the DUAA also introduces new legal and operational changes in data protection laws in the UK, including updates to legitimate interests, automated decision-making, commercial research and new enforcement powers for the ICO.

These include:

  • New investigatory and compulsory powers: compelling witnesses, including senior executives, to answer questions, requiring organizations to produce technical/forensic reports and other technical evidence
  • New principal objective: secure an appropriate level of protection for personal data and promote public trust and confidence in data transfers
  • Additional secondary duties to consider in decision‑making: promoting innovation, promoting competition, supporting prevention/investigation/detection/prosecution of criminal offenses, considering public and national security, and recognizing children’s need for specific protection
  • Mandate to develop statutory codes (e.g. on AI and related technical areas) once enabling statutory instruments are laid
  • Expanded regulatory coordination and remit interaction with other legislation, such as overlaps with cyber resilience rules and potential expansion to cover managed service providers (MSPs) under related laws

Finally, Commissioner Edwards announced at IAPP Intensive London that the ICO will expand its Data Essentials training scheme in “the next couple of months.”

Data Essentials is a free, voluntary pilot launched in 2023 and designed to help small and medium-sized enterprises (SMEs) in the UK understand how to handle personal information safely, legally and responsibly.
