ICO Sets Out AI Agenda as UK Pushes for Growth Without Sacrificing Trust

Key Takeaways

• AI Code of Practice Planned: The ICO will develop a statutory AI and automated decision-making code of practice to provide greater regulatory clarity for organizations developing and deploying AI systems.
• Agentic AI Guidance Coming: The regulator plans to publish dedicated guidance on how agentic AI systems can comply with UK GDPR requirements.
• Consumer Transparency Focus: New initiatives will include public-facing guidance on AI data use and engagement with technology companies around increasingly personalized AI services.
• Procurement Due Diligence Support: The ICO will publish transparency resources to help organizations assess privacy risks when purchasing off-the-shelf AI products and cloud-based services.
• Balancing Growth and Trust: The regulator says its approach will focus on reducing compliance friction while strengthening public confidence in how personal data is used by AI systems.

Deep Dive

The UK’s privacy regulator has laid out an ambitious program of AI-related guidance, oversight, and public engagement as it seeks to support the government’s push for AI-driven economic growth while maintaining confidence in how personal data is used.

In a response, the Information Commissioner's Office (ICO) detailed how it plans to build on its existing AI and biometrics strategy after being asked earlier this year by the Technology Secretary and Business Secretary to produce a plan for enabling safe AI-powered innovation.

The response offers one of the clearest indications yet of how the regulator intends to position itself as the UK's primary authority on the intersection of artificial intelligence and data protection. Rather than proposing new regulatory restrictions, the ICO is emphasizing clarity, transparency, and practical guidance aimed at both organizations deploying AI and the consumers increasingly affected by it.

The regulator said its work over the coming year will be guided by two broad objectives. The first is ensuring that individuals understand how AI systems process their personal data and retain meaningful choice and control over that information. The second is providing organizations with a clearer understanding of what UK data protection law requires when deploying AI systems, including emerging forms of agentic AI.

Those priorities arrive as businesses continue to grapple with uncertainty around how existing privacy laws apply to rapidly evolving AI technologies. While the UK government has repeatedly emphasized innovation and economic growth in its approach to AI policy, organizations have continued to seek greater certainty around compliance expectations.

The ICO's answer is a growing body of guidance intended to make those expectations more explicit. Among the most significant initiatives is the planned development of an AI and automated decision-making statutory code of practice. The regulator said the code will provide organizations with greater clarity when developing and deploying AI systems and tools.

The ICO also confirmed that it will publish dedicated guidance on agentic AI systems and how they can comply with UK GDPR requirements. Agentic AI has become a growing area of interest across both industry and government as organizations explore systems capable of taking actions, making decisions, and interacting with other systems with increasing levels of autonomy.

Beyond guidance aimed at organizations, the regulator is placing notable emphasis on public understanding of AI.

The ICO said it intends to engage with consumers about concerns surrounding increasingly personalized AI services and work with major technology companies to ensure products are designed in a transparent and privacy-focused manner. It also plans to produce a public-facing guide, described as a "green cross code-style" resource, intended to help individuals make informed decisions about how their personal data is used by online AI tools and services.

The regulator is also targeting a challenge that has become increasingly common as AI adoption expands across the public and private sectors: procurement. Many organizations now rely on third-party AI products rather than building systems internally. To address that reality, the ICO plans to publish a transparency resource aimed particularly at small and medium-sized businesses and public bodies.

The resource will help organizations conduct appropriate data protection due diligence when purchasing cloud-based AI services and off-the-shelf AI tools. The announcement also includes changes to the ICO's own innovation support programs. The regulator said it will streamline and rebrand its Innovation and Sandbox services to make them easier for organizations developing and deploying AI technologies to access.

While much of the response focuses on external oversight, the ICO also highlighted its own adoption of AI technology. The regulator said all staff now have access to Microsoft's Copilot platform and noted that it has published its internal AI Use Policy as part of its effort to demonstrate responsible and transparent deployment of the technology.

The regulator said its approach to supporting economic growth is built around three principles: maximizing clarity, reducing friction, and building public trust in the responsible use of data. Those themes have increasingly defined the ICO's public positioning as it attempts to balance the government's growth agenda with its statutory responsibility to protect personal information.

Additional details on the regulator's AI priorities and planned initiatives are expected when the ICO publishes its full AI work-plan for 2026/27 in the coming months.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.