The Information Commissioner's Office has published its annual report for 2025-26, revealing a regulator that is struggling to keep pace with the volume and complexity of the cases it is required to handle, even as its responsibilities continue to expand.

The report shows that the ICO received 38,000 data protection complaints during the year, an increase of 14 percent on the previous year, and that the average time to resolve a complaint has increased from four months to six months. The backlog of unresolved cases now stands at approximately 8,000, a figure that the ICO acknowledges is "unsustainable" and that it has committed to reducing through increased efficiency and additional resources.

The ICO's workload has been transformed by the expansion of its regulatory responsibilities. In addition to its traditional role of enforcing data protection law, the ICO now has significant responsibilities under the Online Safety Act, the AI Regulation Act and the Digital Markets Act. Each of these responsibilities requires specialist expertise that the ICO has had to recruit and develop while managing its existing caseload.

The report also reveals that the ICO issued fines totalling £64 million during the year, the highest annual total in the regulator's history. The largest individual fine, of £18 million, was imposed on a social media company for failures in its handling of children's data. The ICO said the level of fines reflected the seriousness of the breaches it was encountering and its determination to use its enforcement powers to change behaviour.

The Information Commissioner, in his foreword to the report, described the past year as "the most challenging in the ICO's history" and said the regulator needed to be "fundamentally reformed" if it was to meet the demands of the digital economy. The government has indicated that it will review the ICO's resources and powers as part of its broader programme of regulatory reform.

Sources

  1. GOV.UK Publications