The Information Commissioner’s Office (ICO) has published its Data Controller Report 2025 revealing UK organizations’ attitudes, awareness, and challenges when it comes to data protection.
The report suggests that there are significant gaps in understanding and considerable wariness around using new technology but also reveals opportunities for the sector to help businesses embrace data protection to drive trust and efficiency.
- The vast majority of data controllers are smaller businesses
- Not enough businesses understand their obligations
- Organizations are unfamiliar with privacy-enhancing technology
1. The vast majority of data controllers are smaller businesses
The ICO’s report includes a finding that should not be surprising (when you think about it): The vast majority of data controllers are very small businesses.
Of the organizations surveyed by the ICO:
- 72% were sole traders (organizations with zero to one employees)
- 20% were micro organizations (with two to nine employees)
- 6% were small organizations (with ten to 49 employees)
- 1% were medium organizations (with 50 to 250 employees)
- 0.3% were large organizations (with more than 250 employees)
This sample is intended to represent the UK’s business landscape, where around 99.2% of businesses employ fewer than 50 people.
This serves as a reminder that virtually every business is a data controller with obligations under data protection law, regardless of whether it employs people, engages in marketing, or processes large amounts of personal data.
2. Not enough businesses understand their obligations
Despite having legal obligations, the report found that many organizations were unaware of them.
- 25% of businesses were unaware of their duty to register with the ICO (7% were aware but had not done so)
- 36% were not aware of the ICO at all before the survey. Among those that were aware of the ICO, 47% had not used ICO guidance or services in the previous 12 months
- 35% reported that a key data protection challenge was a “lack of expertise in understanding the legal requirements”.
On the other hand:
- 78% of organizations (95% in the public sector) reported feeling “very” (18%) or “fairly” (60%) familiar with data protection law
- 74% of organizations aware of the ICO agreed that its resources “provide clarity about what the law requires”.
The findings suggest that many businesses lack a clear understanding of their obligations and would benefit from external expertise.
3. Organizations are unfamiliar with privacy-enhancing technology
The ICO sought organizations’ views on key technologies related to the UK GDPR, such as anonymization, pseudonymization, artificial intelligence, automated decision-making, and biometric recognition.
The ICO concludes that “the understanding of these technologies is relatively low.”
“Often organizations reported the use of technologies in the survey, but upon further inspection, their use of the technology either did not align with our definitions or the organization did not use the technology for the purposes of processing personal data,” the report states.
- 43% of organizations use cloud technology
- 17% of organizations reported using no digital technology at all
- Only 23% of organizations claimed to use encryption.
After cloud technology, specialized data protection compliance software was the second-most widely adopted technology, with 23% of organizations reporting that they used it.
Closing the awareness gap
A key theme throughout the ICO’s report is a lack of understanding about regulations and technology.
Despite 58% of businesses reporting that they provided online services, just 10% believed that they were collecting personal data via cookies or similar technologies. The relatively weak understanding of digital technologies might account for this low level of reported cookie use.
In addition to the general lack of awareness, the report suggests organizations have mixed feelings about data protection.
- 38% of all respondents agreed that data protection laws have been an “enabler” that positively influenced their core activities
- 74% of medium and large private sector organizations (50+ employees) agreed that the law had been an enabler
- Somewhat paradoxically, 60% of organizations that felt constrained by data protection law also agreed that it was an enabler for their business.
The regulator and the sector as a whole can help improve data protection and drive business efficiency by:
- Raising awareness about data protection
- Helping businesses leverage technology to achieve compliance
- Supporting organizations to embrace data protection as a means to build trust and grow their business.