It's a wrap! Highlights from the ICO DPPC 2025

The ICO held its annual Data Protection Practitioners' Conference (DPPC) on 14 October. With a packed agenda, eminent speakers and over 7,000 data protection professionals in attendance, it was one of the highlights of the privacy lawyer's year. Here we set out the key messages we took away from the conference.

Agility and certainty

It was no surprise that the impact of AI was high in the agenda with John Edwards, in his keynote, calling the current pace of technological development unprecedented and that we must all adapt to change with agility. To assist businesses to do so, Edwards confirmed that the ICO is working hard to produce clear and useful guidance upfront. Focus will be on guidance for international transfers and automated decision-making, with complaints and recognised legitimate interests following thereafter. In addition to guidance, the ICO will be using all the regulatory tools available to them (eg audits, fines, reprimands and criminal prosecutions) to enforce the law.

Similarly, Edwards affirmed that the ICO will remain agile itself and pivot between trends that require scrutiny. The changes to the governance structure set in place by the Data (Use and Access) Act 2025 are expected to have little outward impact. In addition, the ICO is actively looking at using AI and automation to support its own processes.

The other keynote speaker, Ivana Bartoletti (Vice President and Chief AI Governance and Privacy Officer at Wipro) put forward that privacy professionals must be courageous and level-headed, standing between the business teams' extensive expectations of AI and the real risks it presents. She emphasised the importance of building a shared vocabulary of key privacy principles across multiple areas of a business (eg HR, IT etc) and having a global attitude towards governance.

Focus on cybersecurity

In the wake of multiple high-profile cyber breaches, there was a clear focus throughout the day on cyber security and organisations' response to breaches. Edwards reiterated that DPOs should be working closely with IT security teams to implement fundamental protections (technical and organisational) to reduce this risk. In particular, social engineering was highlighted, with a panel devoted to exploring the rise of social engineering and practical steps to prevent it. These included implementing deepfake detection systems and training, not assigning blame to encourage early detection, and working to safeguard the individual rather than just systems and processes.

People-first approach

A key theme running through the various speeches and sessions was the prioritisation of people and the impact of data protection on individuals' lives. Edwards called on organisations to keep people at the heart of change and development. For example, responding to data breaches with empathy and avoiding nuisance calls, especially to vulnerable people. One of the seminars later in the day carried on this theme with a presentation on the real stories behind complaints and how organisations can reduce bureaucratic process and improve the culture of complaints.

Our thoughts

The impression of the ICO we took away is very much of a nimble and progressive regulator who is keen to engage with companies but who will not hesitate to use the tools available to it to secure outcomes. The ICO is pro-innovation and pro-business, but does not want organisations to forget that they deal with real people who can suffer harm if privacy is not protected. This message is not new but has certainly been prioritised in the context of the rise of AI and cyber threats that can have damaging consequences for individuals if the right guardrails are not implemented. Privacy professionals have an increasingly important role in holding their teams to account and protecting public trust in their business.