The ICO exists to empower you through information.

Strategic capability

Five areas of strategic capability were identified for investment to achieve the data vision and goals:

  • Data operating and delivery model

Executing the ICO data strategy, and defining and delivering the operating model for data.

  • Data Governance and Data Quality

Designing and implementing a framework for data governance and data quality standards and processes.

  • Data Culture and Literacy

Driving role modelling, awareness, education and training to build a data-driven culture at the ICO.

  • Data Skills and Professionals

Developing data professional capability and skills to embed data resources across the ICO.

  • Data, Analytics and Machine Learning (ML) Technology Platform

Development of a data and analytics platform to enable data management, analysis and insights and integrate these into business processes.

Each of these foundation pillars will have a set of detailed objectives, initiatives, resourcing and activities documented in a joined-up delivery plan.

Lighthouse projects

In conjunction with building out our foundations, the ICO is working to select and pilot a small number of lighthouse projects. These projects identify a “narrow slice” of a strategic use case that will engage and excite the organisation, add value quickly, build momentum and de-risk the change. Lighthouse projects will be prioritised by:

  • What is the overall impact on the ICO?
  • Is this in alignment to ICO25 and other strategic objectives?
  • What is the level of complexity and effort to deliver the solution?
  • Are they any key dependencies impacting delivery?

Lighthouse projects will follow a “learn fast” approach to delivery, moving rapidly through discovery, proof of concept, minimum viable product (MVP), full solution, support, evolve, recycle or retire phases. Over 70 initial use cases were identified, reviewed and prioritised. Five projects were shortlisted for further exploration with a subset of these targeted for delivery in Year One (Y1).

The nature of such an approach requires a high degree of agility and flexibility in selecting, iterating and potentially pivoting based on testing and feedback. Accordingly, the roadmap of projects is and should remain dynamic. Examples of our current shortlisted selection of lighthouse projects are:

  • Organisation 360 degree view

Establishing a comprehensive view of organisations, drawing on data from multiple systems and sources, for improved productivity and decision making. More on this is available in case study three:

Organisation 360 degree view

We want to harness the power of data to deliver our mission – ‘to empower people through information’. An integrated view of the organisations we regulate will establish a single source of truth and pave the way for evidence-based decision-making.

Data serves as a key enabler in achieving this goal, where data elements that could be useful for providing a 360 view of an organisation reside in different systems. By bringing together, or integrating, this data into a single platform, and making it available to those who need it in a secure way, we can begin to realise the opportunities offered by a single view. We envisage this will support those individuals working within our casework, audit, registrations and regulatory environment teams particularly. It will help them leverage this information to support data-led decision making, which in turn enables swift response to emerging threats.

Additionally, we will explore how we can augment the data platform, and our organisation 360 view, by including new external datasets that may have value. This includes establishing new partnerships and data-sharing agreements with organisations across the regulatory landscape.

  • Data literacy campaign

Uplifting literacy in a targeted team via training and coaching to illustrate and learn how data literacy can directly impact performance, quality and drive better outcomes.

  • Data protection registrations insights

Developing a richer view of organisations who are and should be registered with the ICO to grow the number of organisations registering, increase compliance and maximise income to support the ICO’s activities. 

  • Risk & harm prediction model

Creating a model using proprietary, shared and publicly-available  structured and unstructured data that predicts risks and harms within the domains we regulate. This will provide an early warning system and tools for better prioritisation of resources.  

  • Data quality focus 

Tackling a specific area where increased data quality practices can optimise our operations or increase our effectiveness. 

Delivery approach

Organisations often face challenges when selecting their delivery approach, particularly in balancing the need to show value alongside building solid foundations.

“The Big Delivery” focuses on fixing the foundations first, with a linear – and slow – approach to unlocking business value. While this can achieve solid foundations, such approaches can be criticised for failing to deliver value quickly enough to sustain organisational attention, and may never move into the stage of delivering real business transformation.

“Demise by Proof of Concept” prioritises value but at the expense of a sustainable approach to building capabilities. Individual projects can fail to coalesce around important, cross-organisational topics, such as culture, skills, technology choice or data models. This “bakes in” inefficiency, and individual initiatives can wither over time.

The ICO is electing to take a balanced approach. A small number of lighthouse projects will deliver early value and create delivery confidence, but in a way that seeks to define and deliver strong strategic foundations in parallel.


Our delivery roadmap breaks down into three phases. This list is not exhaustive but shows the key areas of activities for delivery in Y1 and priorities for Y2 and Y3. This will be updated following consultation to incorporate the needs and suggestions of our customers as appropriate.

Year 1: Financial Year 24/25

Goal: Take responsibility for data

  • Develop an operating model for data that sets out the people, process and technology we need to deliver our vision.
  • Expand our data team and ensure we have the people and skills to take forward implementation of our strategy.

Goal: Set our data direction

  • Implement and integrate clear, accessible data policies supported by a streamlined governance structure to protect the integrity of our data and ensure we are using data in a consistent way so we can foster improved data quality and consistency throughout the organisation.
  • Identify and train the resources required to improve data governance across the organisation. Those holding data governance roles ensure data is secured and protected during processing and analysis, and is used ethically.
  • Clear alignment between the ICO's strategic objectives and the role data plays in supporting the delivery of those objectives is explicitly articulated in organisational plans.
  • Work with and through our Data Analysis Network to showcase the value and potential uses of data to inspire and attract new and innovative uses of data across the organisation.

Goal: Having the right data skills and knowledge

  • Develop a data literacy programme within the ICO that provides colleagues with the right data skills and knowledge they need to extract value from the data they work with.
  • Revise our risk appetite to make it clear when data should be shared. Challenge and refresh practices that limit appropriate data sharing.
  • Deliver training to non-data Subject Matter Experts (SMEs) to ensure a basic level of expertise in data so they can interpret data visualisations and make use of analysis.
  • Establish a data professional pathway to ensure that current and future data experts understand the ICO’s commitment to investing in and nurturing careers in the data field.

Goal: Having the right systems

  • Define target state solution architecture and provide solution recommendations to establish a scalable and resilient data platform, that aligns with business operations and delivers standardised capability.
  • Demonstrate, through delivery of specific use cases, the benefit and value of establishing a 'single source of truth' for data and analytics that, through underpinning data management practices, provides decision makers with reliable, timely data in a secure way.

Goal: Engage others

  • Consult with our partners and customers to understand their data needs, how the ICO can make its data available to those that need it, and where we should focus our data sharing efforts.

Year 2: Financial Years 25/26 and 26/27

Priorities in this period will be:

  • Next priority governance initiatives
  • Extending data platform capabilities
  • Delivering more cross-functional, cross community strategic use cases
  • Delivering focused trials of AI/ML use cases
  • Positioning data professionals across ICO
  • Tracking data objectives and goals

The key outcome expected in this period will be the delivery of increased tangible value from data, driving self-service, community engagement and more predictive insights for data-driven regulatory intervention.

Years 3+: Financial Year 27/28 and beyond

Priorities in this period will be:

  • Increased automated compliance regulation
  • Scale AI/ML capability across the ICO, with capability more widely adopted
  • Sustained enterprise data governance, data quality and technology capabilities
  • Comprehensive learning opportunities available for data skills and literacy

The key outcome expected in this period will be that ICO is a perceived leader in use of data as a regulator, with data assets consolidated in a single platform for insights, innovation, public sharing and automated regulation. An early example of this is outlined in case study four:

Supervisory technologies

Cookie banners play a crucial role in safeguarding individuals' rights and fostering trust in the digital marketplace. However, challenges arise as many banners breach data protection laws, creating friction in user experience and eroding trust.

Many cookie banners make it difficult for users to decline optional cookies compared to accepting them, or deploy cookies before a user has agreed to their use. This not only undermines individuals' data subject rights, and penalises organisations who are acting in a legal and ethical way, but reduces trust in the wider digital marketplace. The ICO's current case-by-case enforcement approach has limitations, proving ineffective at scale. The ICO is experimenting to develop an AI-driven solution that is capable of swiftly assessing cookie banners on websites. The goal is to efficiently identify and highlight instances of non-compliance with data protection laws.

This will enable proactive engagement with identified organisations to support the journey to compliance, and in certain situations, consider more formal enforcement actions in situations where compliance is not achieved, ensuring a balanced approach, based on the severity of breaches and the organisation's willingness to rectify issues.

The ICO's innovative approach to utilising AI for cookie banner assessment is an example of how regulators can innovate responsibly. By addressing challenges proactively, the ICO aims to safeguard individuals' rights, empower organisations to adhere to legal standards, and ultimately contribute to a more trustworthy digital marketplace.