ICO publishes update to government on economic growth commitments

A little over a year on from their initial letter to the Prime Minister, Chancellor and Business Secretary on how they are working to promote economic growth, the ICO have issued an update. 2026 will be a pivotal year for the regulator as they look to complete their restructuring to become the Information Commission. This will include the publication of the next multi-year corporate strategy and the appointment of a new Board.

As the ICO look to develop their next multi-year corporate strategy this year, the publication also outlines some additional milestones for the year ahead:

techUK Response

techUK welcomes the ICO’s ongoing work to promote the Government’s growth agenda and eagerly awaits further information of their AI code of practice, review of PECR consent requirements, and efforts to improve their regulatory sandbox. Our members work across the sectors the ICO seek to regulate; techUK is therefore well equipped to facilitate direct industry engagement for the ICO to test proposals and to collate industry feedback and inputs.

techUK would like greater clarity on how the estimate that the ICO generated £233m of economic value for UK businesses over the past five years was reached. As the ICO point out, the UK’s data economy represents 7.4% of GDP, and as a result we would expect the figure to be significantly higher.

We encourage the ICO to continue engaging with techUK and our members throughout their policymaking journey, as regular meaningful industry engagement is the best mechanism to ensure their regulatory proposals are truly supporting growth.

Summary: ICO Updated Guidance on International Transfers

As aforementioned, the ICO have also published their finalised guidance on international transfers, which outlines how Data Protection Offices (DPOs) can transfer personal information abroad. The guidance is timely as the “not materially lower” standard introduced under the Data (Use and Access) Act (DUAA), has now (much of the data protection amendments under the DUAA came into force on 5th February 2026) replaced the EU’s “essentially equivalent” standard to bring more flexibility to UK international data sharing.

Key Takeaways:

For restricted transfers, these must be covered by either UK adequacy regulations, appropriate safeguards, or an exception:

At present, all countries in the European Economic Area (EEA) have full adequacy, as well as Andorra, Argentina, Faroe Islands, Gibraltar, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay, and the Republic of Korea. The United States only has partial adequacy, which covered information transferred under the UK extension to the EU-US Data Privacy Framework.

If an organisation decides to use an appropriate safeguard, they must first fill out a Transfer Risk Assessment (TRA). The ICO have developed a template document, known as their TRA Tool, to guide this process for businesses.

For sight of techUK’s response to the ICO’s consultation on the draft guidance or to raise any questions about this work, please contact Dani ([email protected]).

techUK's Policy and Public Affairs Programme activities

techUK helps our members understand, engage and influence the development of digital and tech policy in the UK and beyond. We support our members to understand some of the most complex and thorny policy questions that confront our sector. Visit the programme page here.