On 17 March 2025, the ICO unveiled a package of measures to support the government's growth agenda. The measures were announced as the government published a "New approach to ensure regulators and regulation support growth".
What's wrong with the UK's regulatory landscape?
The government finds that the UK's regulatory landscape is not functioning as effectively as it should, often holding back growth and inhibiting innovation.
In particular:
- regulation can be too complex and duplicative
- the regulatory landscape is overly complex, with over 100 bodies involved in regulation
- businesses suffer from a lack of certainty and predictability from regulators and regulation
- the regulatory regime is too risk-averse.
The government proposes addressing these challenges by overhauling the regulatory system as it applies to all regulators (to the extent regulators in Scotland, Wales or Northern Ireland are under the policy remit of the UK government or UK Parliament) to ensure it:
- is targeted and proportionate
- is transparent and predictable
- adapts to keep pace with innovation.
There are three limbs to the action plan:
- tackle complexity and the burden of regulation
- reduce uncertainty across the regulatory system
- challenge and shift excessive risk aversion in the system.
The ICO's contribution
An annex to the action plan sets out actions committed to by some key regulators. The ICO made several commitments, also set out in its package of measures to support the government's growth agenda, published on 17 March 2025.
These include:
- a free data essentials training programme for SMEs intended to help save at least £9.1 million over three years by helping small businesses leverage personal data and strengthen customer trust. This will be launched in 2025
- a pilot experimentation regime to enable businesses to trial innovative data-driven solutions under oversight and have "comfort from enforcement of certain data protection requirements", starting with consent rules for privacy-preserving advertising models
- a statutory code of practice on AI and automated decision-making for private and public sector businesses developing or deploying AI, allowing them to proceed in a data privacy compliant manner and strengthening the UK as a global AI leader
- paving the way for privacy-friendly online advertising with a regulatory review. The ICO is currently reviewing PECR consent requirements to enable a shift towards privacy-preserving online advertising models. It will develop a position on processing activities critical for delivering and measuring privacy-preserving advertising. It will also assess their regulatory status under PECR where the PECR consent requirements could be relaxed. The ICO plans to publish a statement in the autumn identifying low-risk advertising activities it believes are unlikely to cause harm or trigger enforcement action. It will also consider safeguards to reduce risk. This work aims to provide clarity for businesses. It is intended to support the government in developing planned secondary legislation to amend PECR by creating an exemption for low-risk advertising purposes
- new guidance on international data transfers to make it easier for UK businesses to access new markets and partners.
In fact, many of the initiatives announced above are extensions of existing activities and priorities. The ICO set out its online tracking strategy for 2025 in January, as we discuss here, which set out proposed reforms to PECR consent among other issues. The ICO has also led the way on AI guidance and there were already plans for statutory guidance in this area. Additionally, it has been producing guidance and tools aimed at SMEs for some time. Similarly, the pilot experimental regime is an extension of the existing regulatory sandbox scheme and updated guidance on data transfers has been on the horizon for some time as a result of the incoming Data (Use and Access) Bill. This means that the announcements made by the ICO are not so much new as re-framed for the growth agenda.
Don't forget the DRCF
In its announcement, the ICO focused on activities within its sole purview, but of course, the ICO also has a role to play as part of the Digital Regulatory Cooperation Forum, and its fellow DRCF regulators Ofcom, the FCA and the CMA all produced their own proposals to support the government's growth agenda. The ICO is collaborating with Ofcom on the Online Safety Act, particularly in relation to content moderation and data protection, and age assurance, producing guidance on the former in February 2024, and an updated Opinion on age assurance in January 2024 to take account of the OSA. Interestingly, however, the OSA did not feature in Ofcom's commitments to the government on growth. Perhaps more synergy from a growth perspective will come from sharing experiences and best practice with the FCA on its own regulatory sandbox and, importantly, from the work all the DRCF regulators are doing on AI.
What's in a name?
Once the DUA Bill becomes law, the ICO will become the Information Commission with a board. The Information Commissioner's role will become that of the non-executive Chairman of the board. The IC will be equipped with an updated regulatory toolkit and enhanced enforcement powers, but we don't expect this to change priorities. As the ICO pointed out in a blog, also published on 17 March, growth is one of its strategic priorities, and the ICO has a statutory duty to consider the economic impact of its actions on businesses.