The Information Commissioner's Office is being replaced by the Information Commission. Most people will notice the name change and nothing else. The structural shift underneath is more significant.
What's actually changing
The ICO has always been a "corporation sole," meaning one person, the Information Commissioner, holds all the authority. Every decision, every enforcement action, every strategic call ultimately sits with a single officeholder. That model is being retired.
Under the Data (Use and Access) Act 2025, the ICO becomes a body corporate with a board. The Commissioner becomes the Chair, a non-executive role. A CEO runs the day-to-day. Board members share decision-making. It starts to look like other UK regulators such as the CMA or Ofcom.
Paul Arnold MBE, previously the ICO's Deputy Chief Executive, has been appointed as the first CEO on an interim two-year basis. The governance provisions haven't been commenced yet, but the transition is expected in spring or summer 2026.
New objectives
This is the part worth paying attention to.
The Information Commission gets a new statutory principal objective: securing appropriate levels of personal data protection while promoting public trust and confidence in how data is processed. That much is familiar.
What's new is a set of secondary duties. The Commission must now also consider promoting innovation and competition, supporting criminal investigations, safeguarding national security, prioritising children's data protection, and consulting other regulators on economic growth.
Adding growth and innovation to a data protection regulator's remit is a deliberate signal. It doesn't weaken the data protection mandate, but it does change the lens through which decisions are made. Expect the Commission to think more explicitly about whether its guidance helps or hinders businesses, particularly smaller ones.
New enforcement tools
The Act also gives the Commission sharper teeth in a few areas.
Organisations must have a complaints procedure in place by 19 June 2026, and the Commission must acknowledge complaints within 30 days. There are expanded powers to issue assessment notices, including commissioning technical reports. And the Commission can now require people to attend mandatory interviews.
None of this changes what you need to do day to day. But it does mean the regulator will be faster to act when things go wrong.
What you need to do
Not much, right now. You don't need to rush out and update every privacy policy and data processing agreement that mentions the ICO. The Reed Smith guidance on this is sensible: update references as documents come up for renewal rather than treating it as an urgent project.
What is worth noting is the direction. The UK's data protection regulator is being given a broader remit, a more professional governance structure, and stronger enforcement tools. If you've been treating data protection as a box-ticking exercise, the new Commission is being set up to notice.
← All filings