What Does the ICO Regulate? A Guide to the UK’s Data Protection Regulator

The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights. It enforces the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and several related statutes covering freedom of information, electronic marketing and network security. For any business that processes personal data in the UK, the ICO is the regulator you need to know.
This guide explains what the ICO does, how it enforces the law, and what the Data (Use and Access) Act 2025 (DUAA) changes. It is the second in our series of UK regulator explainers, following our guide to what Ofcom regulates.
What legislation does the ICO enforce?
The ICO’s remit spans six principal pieces of legislation. The UK GDPR and the DPA 2018 form the core data protection framework, governing how organisations collect, store and use personal data. The Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) regulate access to information held by public authorities. The Privacy and Electronic Communications Regulations 2003 (PECR) govern direct marketing, cookies and electronic communications. And the Network and Information Systems Regulations 2018 (NIS Regulations) impose cybersecurity obligations on operators of essential services and digital service providers.
This breadth makes the ICO unusual among UK regulators. It is not a sectoral regulator in the way that Ofcom regulates telecommunications or the FCA regulates financial services. The ICO’s jurisdiction cuts across every sector of the economy because every organisation that processes personal data or holds public information falls within its scope.
Who needs to register with the ICO?
Most organisations that process personal data must pay a data protection fee to the ICO under the Data Protection (Charges and Information) Regulations 2018. The fee is tiered: £40 per year for micro-organisations, £60 for small and medium organisations, and £2,900 for large organisations with turnover above £36 million or more than 250 staff. Failure to pay is a criminal offence under section 108 of the DPA 2018. The ICO maintains a public register of fee payers that anyone can search.
Exemptions exist. Organisations that process personal data only for core business administration purposes such as staff administration and accounts may be exempt. Individuals processing data for personal, family or household purposes are outside scope entirely. In practice, most commercial organisations need to register.
What are the ICO’s enforcement powers?
The ICO has a graduated enforcement toolkit under the DPA 2018. Information notices (section 142) compel organisations to provide information to the Commissioner. Assessment notices (section 146) allow the ICO to inspect an organisation’s data processing operations. Enforcement notices (section 149) require organisations to take or stop taking specified steps. And penalty notices (section 155) impose financial penalties of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
For PECR breaches, the maximum penalty was historically £500,000. The DUAA 2025 has aligned PECR penalties with UK GDPR levels, meaning nuisance calls, spam texts and cookie violations now attract the same £17.5 million ceiling. This is a material change for direct marketing businesses.
The ICO can also pursue criminal prosecution. Under section 170 of the DPA 2018, knowingly or recklessly obtaining, disclosing or retaining personal data without the controller’s consent is a criminal offence. Section 171 makes it an offence to re-identify de-identified personal data. These are summary-only offences, carrying unlimited fines but not imprisonment.
How has the DUAA 2025 changed the ICO’s powers?
The Data (Use and Access) Act 2025 is the most significant reform to the ICO’s structure and powers since the DPA 2018 replaced the Data Protection Act 1998. Implementation is phased, with provisions taking effect through commencement orders running into 2026.
Three changes matter most. First, the ICO gains a new interview notice power (DUAA section 100), allowing it to compel individuals to attend and answer questions during investigations. Making false statements in response is a new criminal offence. This brings the ICO closer to the investigative powers of financial regulators such as the FCA.
Second, the DUAA imposes a new principal objective on the ICO (section 91): securing appropriate protection of personal data while promoting public trust and confidence. The ICO must now also have regard to innovation, competition and economic growth when exercising its functions. Critics argue this dilutes data protection; the ICO’s position is that it codifies what was already its practical approach. As we noted in our analysis of the DUAA’s enforcement provisions, the new duties sit alongside, not above, the ICO’s enforcement obligations.
Third, controllers must implement a complaints procedure (DUAA section 103) that acknowledges complaints within 30 days and responds without undue delay. The ICO may require controllers to report complaint statistics. This operationalises something that good data governance always required, but it is now a statutory obligation with enforcement teeth.
What does the ICO prioritise in practice?
The ICO publishes a regulatory strategy, most recently under its ICO25 framework. Current enforcement priorities include cybersecurity failures, children’s data protection, AI and automated decision-making, and public sector transparency.
In practice, the ICO’s enforcement activity has shifted: fewer actions overall but higher-value fines, with a pronounced move away from PECR nuisance-call penalties towards serious UK GDPR security breach cases. This trend signals that organisations processing large volumes of personal data, particularly those with known cybersecurity weaknesses, face the greatest regulatory risk.
For telecoms operators, fintechs and technology businesses, the ICO’s practical focus areas intersect directly with operational risk: data breach notification obligations (Article 33 UK GDPR requires notification within 72 hours), international transfer mechanisms following the UK’s post-Brexit adequacy arrangements, and the use of personal data in AI-enabled products. On that last point, the ICO treats AI regulation as a data protection question, not a standalone regime. Any organisation deploying AI that processes personal data needs to satisfy the same UK GDPR requirements as any other processing activity.
How does the ICO interact with other regulators?
The ICO does not operate in isolation. It has formal cooperation arrangements with Ofcom (on online safety and communications data), the FCA and PSR (on financial data and open banking), the CMA (on data and competition in digital markets) and the DRCF (the Digital Regulation Cooperation Forum, which coordinates the four digital regulators).
The DUAA reinforces this cooperative model. The ICO’s new duty to consult other regulators when considering impacts on growth and innovation (DUAA section 91, inserting new section 120D into the DPA 2018) means that regulatory decisions with cross-sector implications, such as enforcement against a telecoms operator’s data practices or a fintech’s use of open banking data, will increasingly involve multi-regulator dialogue.
Viewpoint
The DUAA reforms represent the most significant expansion of the ICO’s enforcement toolkit since 2018, but the real change is structural. The new principal objective and growth duty will shape how the ICO exercises discretion on every enforcement decision. In our experience advising regulated businesses across telecoms, data and payments, the practical risk is not that enforcement will soften but that the ICO will face greater pressure to justify proportionality in its penalty decisions. Businesses that can demonstrate robust data governance, clear complaints procedures and genuine accountability measures will be better positioned to argue for reduced penalties when things go wrong.
If you are unsure whether your data processing activities fall within the ICO’s remit, Bratby Law can advise on your data protection compliance obligations.
The companion to this guide, What does Ofcom regulate?, covers the UK communications regulator. A guide to UK payments regulation (covering the FCA and PSR) will follow.
Key sources
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Data (Use and Access) Act 2025
- ICO: Role and power of the Commissioner
- ICO25 regulatory strategy
- Privacy and Electronic Communications Regulations 2003
- DUAA Takes Effect: New ICO Powers Meet a Tougher Enforcement Stance (Bratby Law)
Get in touch
For advice on ICO compliance, data protection governance or managing the transition to the DUAA requirements, contact Rob Bratby at Bratby Law. Subscribe to our regulatory updates for further analysis.
