The DMA Awards are now open for entries. Early bird ends 25 July. Enter now to claim your spotlight.
ICO Shake-up: New Leadership and Direction
04 Jul 2025
Members will no doubt have been reflecting upon the changes propagated by the Data (Use and Access) Act, and how their business will evolve with the new rules and regulations.
Moreover, they will be wondering how the new rules will be enforced, especially as the DUA Act demands change not only for the regulated, but the regulator.
Indeed, an ‘Information Commission’ has been established as the successor body to the ICO. It changes its governance and structures to better resemble other UK regulators.
This week, Paul Arnold MBE has been appointed as its first Chief Executive Officer. The appointment follows a recruitment process concluded in May, ahead of the Act receiving Royal Assent on 19 June. Arnold’s term will run for a maximum of two years, until a permanent CEO can be selected by the new board once it is constituted.
Arnold, a long-serving senior executive at the ICO, steps into the role with 25 years’ regulatory experience across data protection and freedom of information, the past 15 spent at the ICO. Most recently, he served as Deputy Chief Executive and Chief Operating Officer, overseeing major organisational reform. He is known for championing proportional regulation, practical engagement with industry and a model of data protection that enables responsible innovation.
In a statement on his appointment, Arnold said:
“I am extremely proud to be appointed as the first Chief Executive for the new Information Commission and have every confidence that we will make a successful transition to our new governance structure. I’m also excited to develop and lead the organisation to deliver the first strategy for the Information Commission.
I believe we have a fantastic opportunity to demonstrate how effectively protecting and safeguarding people also enables responsible businesses and organisations to innovate and grow.”
The government’s emphasis on creating conditions for innovation, growth within a wider context of maintaining and building consumer trust will be music to many industry ears, some of whom worry a ‘new’ regulator’s first move would be to bare its teeth.
However, Arnold’s appointment indicates the relationship sought between regulator and industry is a fair but felicitous one.
Structural overhaul under the Act
The Data (Use and Access) Act 2025 introduces a new statutory governance model for the UK’s data protection regulator. The existing ICO will be replaced by the Information Commission, governed by a Board made up of:
The Chair: John Edwards, continuing in his role as Information Commissioner
Chief Executive Officer: Paul Arnold (interim)
Seven Non-Executive Directors (NEDs): appointments currently being sought via a public process run by the Department for Science, Innovation and Technology
This aligns the regulator’s leadership structure with that of other UK economic regulators. According to the ICO, the change is intended to enhance institutional resilience and introduce broader strategic oversight through a more diverse board.
The new Board will be responsible for setting the strategic direction of the regulator, ensuring that it meets both its statutory obligations and the broader policy objectives of the data reform agenda. The appointment of the seven NEDs is expected to bring greater industry, consumer and technical expertise into that decision-making process.
Statutory balance: privacy, innovation, growth
One of the most important shifts under the 2025 Act is the legal requirement for the Information Commission to consider how its regulatory activities affect innovation, competition and growth, in addition to its responsibilities around privacy and data rights. This move rebalances the regulator’s statutory remit and signals a deliberate policy shift by government.
The intention is to enable organisations to use data with greater clarity and confidence, while retaining trust in the system as a whole. Arnold’s comment reflects this new balance—positioning the Commission not only as an enforcer of compliance but also as a facilitator of responsible data use.
This balance will be critical for the marketing, advertising and data-driven sectors. Greater recognition of the economic and societal value of data, when handled responsibly, is welcome. But how this balance is interpreted in guidance, enforcement decisions and industry engagement remains to be seen.
Expert input and co-regulation
Alongside board-level reform, the Act also encourages the creation of expert panels to support the Commission’s policy and technical work. These panels are expected to inform the development of Codes of Practice and shape regulatory expectations in fast-moving or high-risk areas.
The Act also strengthens the framework for Codes of Conduct, allowing sectors to propose their own voluntary codes and seek formal approval. The Commission is required to support these efforts and to take such codes into account when carrying out its functions.
For industry, this presents a clear opportunity. Properly developed, Codes of Conduct can reduce uncertainty, lower compliance costs and provide sector-specific clarity. The DMA sees this model as a pragmatic route to embed accountability and improve standards without introducing excessive complexity.
From theory to practice
The new structure, remit and leadership model form a strong foundation for regulatory reform. However, the central question remains: will these changes produce a different regulatory culture?
The challenge is to move from policy intent to consistent delivery. If the Information Commission is to deliver on its dual responsibilities—to protect rights and promote growth—it must engage meaningfully with those who use data rather than interpreting prima facie from on high.
That will require clearer guidance, proportionate enforcement, and a sustained commitment to collaboration. Arnold’s appointment may bring continuity, but his remit includes developing the Commission’s first long-term strategy. That strategy will define how the regulator’s expanded remit is interpreted in practice.
DMA director of policy, Chris Combemale, said:
“I offer my congratulations to Paul Arnold and wish him well in his new post which, as the UK moves forward into a new phase of data protection law, is a pivotal one.
“The DMA supports the reforms set out in the Data (Use and Access) Act 2025. The creation of a board structure and the appointment of a Chief Executive provide the organisational capacity required to deliver a more forward-looking, responsive regulator.
“We welcome the emphasis on balancing privacy with innovation and competition. We believe responsible data use, when supported by clear rules and proportionate oversight, can drive significant economic and public value.
“The DMA will continue to work closely with the ICO and its successor. Our members expect a regulator that is firm, fair and informed. All signs suggest the new ICO has this potential, and attention now must turn to making sure it is delivered.”
Please login to comment.
Comments