PH Privacy
ICO Annual Report Provides Insight Into Data Protection Risks for Businesses
July 21, 2025
By Aaron Charfoos, Jason Raeburn, Michelle A. Reed and Georgina Morris
The UK Information Commissioner’s Office’s (the ICO’s) latest Annual Report summarises its accomplishments and priorities, including last year’s enforcement actions. Based on our review of the report, we see the ICO focusing, or continuing to focus, on the following issues:
- Children’s Privacy: Children’s online privacy is a central priority. The ICO has published updated guidance tailored to social media and video-sharing platforms targeting young users. The ICO is urging organisations to comply with the ICO’s Children’s Code, including conducting more robust Data Protection Impact Assessments (DPIAs), ensuring a high-privacy default setting for all child profiles and integrating age-appropriate safeguards. The ICO also reported proactive enforcement actions in this area, such as fines and reprimands where platforms failed to protect children’s data effectively, with several ongoing investigations.
- AI and Biometrics: The ICO launched a new AI governance strategy emphasizing high-risk deployments of the technology, especially those involving biometrics. This includes industry consultations, the Regulatory Sandbox and consensual audits of AI systems like biometric age-estimation and recruitment tools. Public consultations and guidance have also been published to ensure individuals are aware of their rights in relation to generative AI and other AI tools. The ICO has reiterated that it will issue clear guidance to ensure organisations in both public and private sectors fully understand what is expected of them to prevent harm and build public trust in the emerging technologies.
- Online Tracking: The ICO has also committed to stricter enforcement where “high‑risk” data processing goes unmitigated, including publishing an online tracking strategy for organisations using advertising technology, with new recommendations on cookie-based profiling, third-party trackers and enhanced DPIAs. The ICO has further expanded on the efforts reported last year to give people a choice over how they are tracked online by working to address and amend the policies governing the use of cookies by the UK’s top 1,000 websites. This has led to increased targeted investigations and formal notices to major tracking firms, with regulatory action taken against certain UK companies for their use of cookies. This highlights the pragmatic, risk-based approach being adopted by the ICO, who have warned stakeholders to prepare for enforcement action when compliance gaps are found, including issuing information notices, assessments and civil monetary penalties where necessary.
The ICO also summarised its enforcement action over the previous year, which has included:
- Receiving over 42,000 complaints.
- Notable enforcement action against public organisations, including the Police Service of Northern Ireland being issued a penalty notice of £750,000 for a high-profile breach.
Looking forward, with the Data (Use and Access) Act 2025 having received royal assent on 19 June 2025, the ICO is currently preparing a range of guidance for organisations to be released later in the year on the amended practices and expectations of the uses and processing of different types of personal data. This new legislation will also see the ICO transition to the new “Information Commission” — while the function will remain the same, the structure of the organisation will shift to leadership by a board comprised of a chair, chief executive officer and nonexecutive directors to maintain independence and accountability.
Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises on compliance with data privacy requirements at the local, national and international levels. If you have questions concerning privacy compliance and emerging case law, please do not hesitate to contact a member of our team.