The Information Commissioner's Office (ICO) is the UK's data protection watchdog charged with enforcing a host of laws that regulate communications, networking and data protection, although the organisation is most renowned for its role in enforcing the EU's General Data Protection Regulation (GDPR). The ICO is tasked with making sure that businesses within the UK are compliant with strict data protection principles.
The regulator has a number of roles and responsibilities, including investigating organisations that have suffered data breaches, imposing penalties where appropriate, and generally auditing companies for their data collection and storage practices. The ICO also regularly publishes reports on the state of data protection in the UK, emerging threats to the landscape and updates to how it operates.
A number of large organisations have felt the wrath of the ICO in recent years, with Uber, Equifax and Facebook are among the companies issued with maximum fines under the previous legislation. The prospect of massive fines under GDPR, however, have made businesses more alert to reporting incidents, with the watchdog revealing recently that companies were over-reporting data breaches, seemingly out of fear of being as compliant with the legislation as possible.
The history of the ICO
Founded in 1984 as the Data Protection Registrar, the first leader of the organization was Eric Howe. Howe created the first database – the register of data users after the introduction of the Data Protection Act 1998 (DPA). Howe's work raised public awareness around the importance of data protection and the ways businesses collect data about their customers and commercial partners.
Howe was instrumental in raising the profile of the Data Protection Registrar, leading the prosecution of several companies that were found to have inadequate systems to protect the personal data they were collecting. These prosecutions sent a message to all businesses that the registrar had the power to investigate and fine companies in breach of the DPA. Howe retired in 1994 after being awarded a CBE for his services.
In the 1990s, the registrar conducted an internal audit to define further its role in society and its relationship with businesses. This work also ensured that the registrar could adequately enforce the Data Protection Act, which came into force in 1998. In 2000, the Data Protection Register changed its name to the Information Commissioner's Office (ICO) to reflect the changes in the collection, storage, manipulation, exchange, and sale of data. The ICO also began to oversee the Freedom of Information Act.
The ICO we know today has a head office in London, with additional offices in Scotland, Wales and Northern Ireland. With a staff of over 500, the ICO is led by the Commissioner, John Edwards, who took up his post on 3 January 2022. The management board of the ICO also includes several deputy commissioners and non-executive directors.
The ICO is primarily funded through the data protection fees paid by organizations, which account for over 85% of its annual expenditure. Government grants-in-aid supplement this funding to support the ICO's regulation of other laws. Under the Data Protection Act 2018, organizations processing personal data must pay a data protection fee unless exempt. Personal data includes information such as names, addresses, or telephone numbers.
From 1 April 2022 to 31 March 2023, the ICO collected approximately £66 million through the data protection fee, up from £62 million in the previous year. Additionally, the ICO's regulation of other legislation is funded by grant-in-aid, receiving £10,298,000 from April 2022 to March 2023, compared to £7,578,000 in 2021/22.
Who is the Information Commissioner?
The Commissioner is the most senior official at the ICO. Appointed by the Crown, there have been six Commissioners:
| Eric Howe | 1984 - 1994 | The first Data Protection Registrar |
| Elizabeth France | 1994 - 2002 | She continued as the Data Protection Commissioner when the titled changed |
| Richard Thomas | 2002 - 2009 | The first to serve under the title of Information Commissioner |
| Christopher Graham | 2009 - 2016 | Notable for introducing significant enforcement powers |
| Elizabeth Denham | 2016 - 2021 | Played a vital role during the implementation of GDPR. Denham was also instrumental in the investigation into privacy rights that led to the fine of $260,000 (£200,000) against Aaron Banks and Vote. Leave over marketing breaches |
| John Edwards | 2022 - present | The current Information Commissioner, focusing on post-Brexit data protection challenges. Marketing campaigns have again been scrutinized, such as a sanction against HelloFresh, which failed to manage offer opt-outs correctly |
The Commissioner is also not a neutral party. Able to influence debate and even policy, the Commissioner oversees data privacy rights.
For example, with the rise of LFR (live facial recognition) technologies, the Commissioner openly stated that the technology poses "a potential threat to privacy."
In a blog post, then Commissioner, Elizabeth Denham, said: "We understand the purpose is to catch criminals. However, these trials also represent thousands of people's widespread processing of biometric data as they go about their daily lives. I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate, and effective considering the invasiveness of LFR."
What are the responsibilities of the ICO?
The key responsibility of the ICO is to enforce the Data Protection Act 2018 and, by extension, GDPR. However, the ICO is also the enforcement organization for several other pieces of legislation, including:
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Freedom of Information Act 2000
- Environmental Protection Public Sector Information Regulations 2004
- Investigatory Powers Act 2016
- Enterprise Act 2002
- The eIDAS (Electronic Identification and Trust Services) Regulation 2014
- Re-use of Public Sector Information Regulations 2015
- The Network and Information Systems Regulation 2018
All of these regulations have the collection and management of data at their core. The ICO, in effect, policies these Acts and regulations to safeguard personal privacy in an environment where data has become highly valuable. The lesser-known eIDAS is important to oversee, as this regulation governs the use of cookies and how digital services are secured.
What powers does the ICO have?
When GDPR came into force, many news headlines covered the substantial fines businesses could face for any breach of the regulations.
The maximum statutory fine is $23 million (£17.5 million) or 4% of the business's annual turnover – whichever is the higher.
In 2023 alone, ICO fines topped $18 million (£14 million), with the largest fine being handed to TikTok for breaching the personal data privacy of children using their platform. The reality is that the ICO will consider many factors before deciding on the level of fine for the breach or infringement.
The ICO states: "Fines aren't suitable for every breach. Our fines and penalties may grab the headlines, but we know that our work with organizations, helping you to make changes and improvements to comply with the law, is the most effective way of reducing mistakes and misuse of people's data. We're here to help you get data protection right, through our events and our support and advice services. If things go wrong, we want to work with you to decide what improvements we expect from you and provide advice to help you get it right in the future."
Recently, the ICO has been consulting on its Data Protection Financing Guidance, which closed in November 2023. The results of this consultation and the responses from the ICO should be read by all data controllers to understand the five-point process the ICO will use to decide on the appropriate level of fine.
The ICO's powers are far-reaching. The Commissioner can comment on legislation and technologies in development that could impact data privacy. The ICO often makes spot checks to assess how businesses are managing their data protection responsibilities, such as whether DPIAs (Data Protection Impact Assessments) are being carried out regularly.
As a data privacy watchdog, the ICO can prosecute or levy fines. However, the ICO has always striven to avoid being too adversarial. Indeed, it has developed many resources to help businesses more easily comply with data protection regulations.
How the ICO plans to adapt to new technology
The ICO must adapt to rapidly evolving technological and regulatory landscapes to meet future data privacy needs. This includes the rise of artificial intelligence (AI), machine learning, and the Internet of Things (IoT). This will require developing advanced technical expertise to evaluate and regulate these technologies, ensuring they are used responsibly and ethically.
With data flows crossing borders, aligning with global data protection standards and fostering cooperation with international regulators will be crucial. This can help address the challenges posed by global data breaches and multinational corporations' data practices. Empowering individuals with knowledge about their data rights and how to protect their personal information is essential. The ICO can enhance its outreach programs and leverage digital platforms to engage with the public more effectively.
As the value of personal data increases, the large data aggregators will continue to come under the spotlight of the ICO. Meta's plans to train AI's on the personal data they hold of billions of users was tempered by the ICO, with Stephen Almond, executive director of Regulatory Risk at the ICO, stating in June 2024:
"We are pleased that Meta has reflected on the concerns we shared from users of their service in the UK and responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI. In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset. We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of UK users are protected."
John Edwards on AI and emerging technology
The ICO will oversee emerging technologies that are built on large datasets. Indeed, a speech given by Commissioner John Edwards began by focusing on the phenomenal expansion of ChatGPT.
Edwards stated: "People were simultaneously amused by the novelty of it and unnerved by its power. Questions started being asked about where ChatGPT was getting its information from and the pros and cons of using personal data to train the model. Our colleagues in Italy, the Garante, banned ChatGPT due to concerns over how it used people's personal information.
"AI and emerging tech can be a massive force for good. The strides forward we've made in terms of healthcare, productivity, and transportation have been massive.
However, organizations that use these technologies must be transparent with their users about how their information will be processed. It's the only way we continue to reap the benefits of AI and emerging technologies. I said at the end of last year that 2024 cannot be the year that people lose trust in AI. I stand by that statement today.”
Edwards concluded: "Ever since the ICO's inception in 1984, data protection law has been the principal form of regulation for new technologies. The same principles apply now as they always have – you need to look after people's information, be transparent about how you're using it and ensure its accurate."
Enterprise Data Strategy (ICO25)
As the future of data privacy evolves, so too has the ICO. In 2022, the organization launched its Enterprise Data Strategy (ICO25) to ensure it would be ready as a regulator to manage the fast pace of technological change taking place as you read this.
The Commissioner states: "As a regulator, we're shifting our guidance away from 'don't do' to 'how to'. In a similar way, our data strategy is setting an ambitious vision to 'show, not tell'. We aspire to be an exemplar for responsible innovation in the use of data – one that can inspire and guide others through our own transformation."
