ICO safe AI innovation plan: certainty, not deregulation
In short: the ICO safe AI innovation plan, published on 29 May 2026, sells regulatory certainty, not deregulation. It answers the government’s January 2026 request for a plan by the end of May and builds on the June 2025 AI and biometrics strategy. It changes the ICO’s posture, not the law: for UK data controllers, the obligations are already in force.
A UK business deploying artificial intelligence wants one thing from its regulator: to know where it stands. The Information Commissioner’s Office gave its answer on 29 May 2026, when it published its plan for enabling safe AI-powered innovation. The plan answers a joint request from the Technology and Business Secretaries, builds on the regulator’s June 2025 AI and biometrics strategy, and rests on a single idea: that certainty, not lighter regulation, is what lets organisations adopt AI with confidence.
The regulators and growth agenda behind the plan
On 28 January 2026 the Technology Secretary, Liz Kendall, and the Business Secretary, Peter Kyle, wrote jointly to 19 regulators. The joint letter asked each regulator to publish a plan by May 2026 setting out how it would enable safe AI-powered innovation, and to report on progress every year. It framed AI as a route to growth and asked regulators to keep a clear focus on safe adoption, act proportionately, and remove unnecessary barriers.
The letter set out four steps. Regulators should publish guidance on how existing rules apply to AI; make their processes and approvals fit for AI-enabled products, including those that update after approval; consider whether anonymised or synthetic datasets could support AI development; and create sandboxes where regulatory uncertainty holds innovation back. The ICO was already on this ground. The Information Commissioner wrote to the Prime Minister on 16 January 2025 with a set of growth commitments, the first of which was giving businesses regulatory certainty on AI, and the ICO updated government on progress in February 2026.
What the ICO safe AI innovation plan commits to
The ICO set two objectives and a list of actions. The objectives are public confidence in how AI uses personal data, and clarity for organisations on what data protection law requires when they deploy AI, including AI agents. The actions sit underneath those objectives and run across the next 12 months.
The ICO committed to develop an AI and automated decision-making (ADM) statutory code of practice and to publish guidance on how agentic systems meet UK GDPR requirements. It will produce a transparency resource to help small and medium-sized enterprises and public bodies carry out data protection due diligence when they buy off-the-shelf cloud AI tools, and a plain-language guide to help the public make informed choices about how online AI tools use their data. It will also streamline and rebrand its Innovation and Sandbox services so they are simpler to reach, and support the government’s AI Growth Lab. The ICO said it would publish fuller detail in a new AI strategy in the coming months.
The ICO was explicit about the principles that shape this work: maximising clarity, reducing friction, and building public trust in the responsible use of data. That is the heart of the plan. None of it changes the law. The automated decision-making regime in Articles 22A to 22D of the UK GDPR was brought into force on 5 February 2026 by commencement order (SI 2026/82) under the Data (Use and Access) Act 2025. The statutory duty behind the AI and ADM code of practice followed on 12 May 2026 (SI 2026/425). New complaint-handling duties on data controllers under section 164A of the Data Protection Act 2018 apply from 19 June 2026. The plan tells organisations how the ICO will apply those rules. It does not move them.
| Government ask (28 January 2026) | ICO commitment (29 May 2026) |
|---|---|
| Guidance on how existing rules apply to AI | Develop an AI and ADM statutory code of practice; publish agentic AI guidance under the UK GDPR; publish a transparency resource for SMEs and public bodies procuring off-the-shelf AI |
| Processes and approvals fit for AI | Streamline and rebrand the Innovation and Sandbox services |
| Anonymised or synthetic datasets | Not addressed directly; support the government’s AI Growth Lab |
| Sandboxes | Rebuild the sandbox and support the AI Growth Lab |
| Report annually | Report on progress through quarterly corporate reporting |
What it means for UK data controllers
For UK data controllers, the plan changes what to expect from the ICO, not what the law requires. The obligations are already live. A data controller running solely automated decisions with legal or similarly significant effects must still meet the conditions in Article 22B and put in place the safeguards in Article 22C, and must run a data protection impact assessment where the processing is high risk. The growth framing does not lower that bar.
What changes is the help on offer and the route to an answer. The work to track is the AI and ADM code of practice, the promised guidance on agentic AI, and the transparency resource aimed at procurement. The rebuilt sandbox and the AI Growth Lab offer organisations a shorter route to answers on hard compliance questions. A sandbox can shorten the route to certainty. It does not give a data controller a lighter standard. If you are working out how data protection law applies to an AI system you are building or buying, our AI and data governance advice page sets out how we help. For the wider context, our guide to UK AI regulation explains the sector-led approach, and our analysis of the ICO AI and biometrics code covers the statutory duty.
Viewpoint
The ICO has read the government’s growth instruction correctly. Certainty is the lever that moves AI adoption, and the regulator is right to put public trust at the centre of how it gets there. A data controller that hears “growth” and eases its lawful-basis discipline will find the ICO’s posture no protection when something goes wrong. “Growth” is not “lighter touch”, and the plan does not say it is.
Frequently asked questions
Does the ICO safe AI innovation plan change UK data protection law?
No. The plan sets out the ICO’s approach, not new law. The duties sit in the UK GDPR and the Data (Use and Access) Act 2025. The Article 22A to 22D automated decision-making regime took effect on 5 February 2026, and the statutory code of practice duty on 12 May 2026. The plan tells organisations how the ICO will apply those rules.
What did the government ask the ICO to do?
On 28 January 2026 the Technology and Business Secretaries asked 19 regulators to publish a plan by May 2026 for enabling safe AI-powered innovation, and to report on progress each year. The letter set out four steps: guidance, AI-ready processes, datasets, and sandboxes. The ICO published its response on 29 May 2026.
What is the AI and ADM code of practice?
It is a statutory code the Information Commissioner is now under a duty to produce, covering organisations that develop or deploy AI and automated decision-making. The duty took effect on 12 May 2026 and the code is in development. It will provide clarity on how data protection law applies to AI and ADM. It does not create new obligations.
Will the ICO sandbox make AI compliance easier?
The sandbox and Innovation services are designed to give faster answers to hard compliance questions, not a lower standard. The sandbox can shorten the route to certainty for a novel AI deployment. The underlying data protection requirements, including lawful basis and the Article 22 safeguards, still apply in full.
How we can help
Bratby Law advises data controllers, technology providers and investors on how UK data protection law applies to AI products and deployments. If you are assessing what the ICO’s plan means for an AI system you are building or buying, contact Rob Bratby at Bratby Law.
