Information Commissioner's Office (ICO)
The Information Commissioner's Office is the UK's independent authority for upholding information rights and data privacy. It enforces the UK GDPR, the Data Protection Act 2018, and the Freedom of Information Act 2000. The ICO can issue reprimands, enforcement notices, and fines of up to £17.5 million or 4% of global annual turnover for serious data protection breaches.
The ICO is a non-departmental public body sponsored by the Department for Science, Innovation and Technology. Most organisations that process personal data must register with the ICO and pay an annual data protection fee (£40–£2,900 depending on size and turnover). The ICO investigates complaints from individuals about how their data has been handled and can take regulatory action, including issuing enforcement notices, civil monetary penalties (up to £17.5 million or 4% of global annual turnover for UK GDPR breaches), and prosecuting unlawful data processing. The ICO also has enforcement powers under the Freedom of Information Act and the Privacy and Electronic Communications Regulations (PECR), which govern direct marketing, cookies, and electronic communications. Organisations must report certain personal data breaches to the ICO within 72 hours of becoming aware of them.