Nearly four years after giving his first public speech as the U.K. Information Commissioner, John Edwards took the keynote stage at the IAPP U.K. Intensive 2026 to reflect on his term, underscore the agency's achievements in recent years and look ahead for what's to come. 

"Change has been the only constant during my tenure at the ICO," he said. "To adapt a quote from the ancient Greek philosopher Heraclitus, who famously said: 'No man ever steps in the same river twice.'" 

Since 2022, Edwards said the ICO adapted to "a near constant process of law reform, culminating in the Data (Use and Access) Act," which, ultimately, restructures the agency. Plus, externally, "there's been a continuous flow of innovation, countless areas where the ICO has needed to step up, move quickly and provide certainty," he said.

When Edwards first took the reins in 2022, for example, ChatGPT had not yet taken the world by storm, and earlier this year, the ICO pivoted in early February so it could investigate the Grok AI system "and its potential to produce harmful sexualized content using personal data." 

Drawing a parallel with the challenge many practitioners now face, Edwards said the ICO has had to make choices and prioritize its efforts in this dynamic time. "I know you can relate to that challenge," he told attendees. "DPOs are in the same boat. You are expected to do more with less, to adapt and change, upskill and stay informed, often within a fixed or shrinking budget."

Enforcement retrospective

The ICO's priorities under Edwards have focused on areas "where we believe we could make the most meaningful difference" — that being in AI and biometrics, children's privacy, cookies and online tracking.

Following upon the work of former Information Commissioner Elizabeth Denham, whose tenure included the launch of the ICO's Children's Code, Edwards said the agency has "now improved online privacy for up to 11 million children, translating the code from policy into real meaningful change for the public." 

It took action against TikTok in 2023, fining it more that 12 million GBP for misusing children's personal data. "That work fed directly into our recommender systems investigations, which echo timely concerns we're now seeing in research and litigation in California about social media addiction," Edwards said.  

Just this week, the ICO fined Reddit more than 14 million GBP after its investigation found the company "failed to apply any robust age assurance mechanism" and "failed to carry out a data protection impact assessment to assess and mitigate risks to children before January 2025." The Reddit action came just weeks after another undertaking was announced against Imgur's parent company over children's privacy violations.

With biometrics, the first enforcement action under Edwards was against Clearview AI, which has been in litigation since. "Now we're waiting on a Court of Appeal hearing," Edwards said on the status of the Clearview action, "and frankly, there is little chance that it will be resolved before my time here concludes."

Litigation aside, he said this was "an important case for us to pursue" because of the "impact on people's rights and the wider implications for issues of jurisdiction over foreign companies processing UK citizens' data." 

The protracted litigation, however, is "resource-intensive and slow," said Edwards. "It often doesn't give industry, or the public, the answers they need, when they need them."

Compliance support

When Edwards first took office, he announced a listening tour right as the U.K. was considering reform of its data protection law, which has since been updated under the DUAA. Legal certainty was top of mind at the time, and, for Edwards, continues today.

He described some of the directions in which the ICO is regularly pulled, from a rise in public data protection complaints — which has risen from more than 40,000 in 2024-25 to 66,000 in 2025-26 — to demands for investigating every data breach report and "pursue every organisation with the full suite of enforcement tools at our disposal."

The ICO has also faced calls to provide more guidance to undergird legal certainty for business, while others, in "a recent Select Committee hearing" have suggested that "we should be auditing all government use of third-party IT applications, and all cloud storage contracts." 

Though Edwards provided assurance to attendees that these multi-directional calls are valid, the agency has had to allocate resources and prioritize its efforts to make the most effective impact across the board. "This means using all the regulatory tools available to us to drive change — producing guidance and advice, engaging upstream with companies and leading criminal prosecutions." 

Edwards suggested that, regardless of the industry, an organization's "focus should be on the things that align with your purpose and matter the most to the people you serve, not what is shouting the loudest." 

He offered that companies should think about what would make the largest difference to customers and stakeholders if things go to plan, and what would be the "greatest harm if left unaddressed." 

The ICO has asked itself similar questions, he said, and that guides its priorities.

"Just like at that first IAPP London in 2022," he said, "I want to leave you with a message of reassurance and certainty. As the regulator, we're here to help you navigate change. That's why we’ve worked hard to get the most important DUAA guidance out as quickly as possible. And we're expanding our Data Essentials training to help small and medium businesses feel more confident using people's data responsibly in an evolving world." 

Jedidiah Bracy is the editorial director for the IAPP.