A forthcoming update to the UK General Data Protection Regulation is set to overhaul the governance of the Information Commissioner's Office, moving it from a single-leader corporation sole model to a board-run government agency. According to the International Association of Privacy Professionals’ (IAPP) Intensive London event, the change aims to match the ICO’s growing scope and workload while bringing more diverse expertise to data protection.
Paul Arnold, who has been at the ICO for 28 years, was named the first CEO of the new structure in summer 2025, and John Edwards announced that the shift will be fully implemented within the next few weeks, with the Data (Use and Access) Act 2025 baking in the reforms. The new board will collectively own the ICO strategy, with appointments to be staggered and the chair and non-executive directors to be chosen by the UK government.
Commissioner Edwards’s term ends in 2026, and the changes are described as delivering vital continuity and preserving agility in decision making. The reforms also introduce broader regulatory powers and expanded duties under the DUAA, affecting areas from investigations to data transfers and potential coverage of managed service providers.