Objective 2: Empower responsible innovation and sustainable economic growth
Driving economic growth by supporting organisations in the UK while protecting people’s privacy rights remains an important focus. This was further bolstered with the duties on competition and innovation brought by the DUAA. We enable economic growth by:
- giving businesses regulatory certainty;
- reducing friction by removing unnecessary regulatory burdens; and
- building public trust in the responsible use of data.
Our 2025 Enabling Businesses report showed that our support is helping organisations unlock cost savings and growth opportunities worth up to approximately £233 million over a five-year period. This is an average of around £47 million per year.
Reducing uncertainty across our regulatory systems
One key way we support growth is through our advisory services, including:
- guidance and tools that support aspects such as innovation and cybersecurity; and
- bespoke services such as our:
We published data protection and freedom of information (FOI) training materials originally created for our own colleagues. We also shaped conversations on emerging technologies by publishing our annual Tech Horizons report, which included sections on immersive tech and quantum computing.
Our efforts here are having an impact. Research in July 2025 found that:
- 34% of organisations that were aware of us agreed our work reduces compliance costs; and
- 74% agreed that our resources provide clarity about what the law requires.
Tackling the complexity and burden of regulation
We’ve worked to reduce complexity in several areas to support our duty to promote economic growth.
We have given businesses regulatory certainty on AI. We worked closely with government on the scope and timelines for a statutory code of practice on AI and automated decision-making (ADM). This will make the UK the destination of choice for AI developers looking to invest and innovate responsibly. There’s more detail on our AI work below.
To support cutting costs for small and medium-sized enterprises (SMEs) we launched practical tools including:
- a direct marketing advice generator; and
- an award-winning privacy notice generator that organisations have used more than 8,000 times.
And in March 2026 we began to pilot our new Data Essentials platform for SMEs. This gives organisations the clarity and confidence to use personal information responsibly, helping to:
- unlock innovation;
- reduce compliance costs; and
- drive economic growth.
Enabling more innovation through our Regulatory Sandbox and Innovation services: we celebrated the fifth anniversary of our Sandbox, which has helped more than 25 organisations of varying sizes work through data protection challenges to bring innovative products and services to market to the benefit of the whole economy. This year, we secured funding from the Regulatory Innovation Office to explore improvements to our sandbox and options for legislative change to allow real-world testing of emerging technologies. This work contributes to our secondary duty to support innovation.
We made it quicker and easier to transfer data internationally: we published new guidance on international data transfers in January 2026. These transfers underpin 40% of UK exports and are fundamental to frictionless trade across borders. Our updated guidance and interactive tool clearly:
- set out key requirements;
- reduce complexity;
- and support the responsible transfer of personal information through a more proportionate and risk-based regime.
In March 2026, more than 1,000 organisations watched our webinar explaining our guidance.
We ensured regulatory action is proportionate. Before we act, we carry out an impact assessment to assess whether our planned approach is proportionate to the objectives and not unduly burdensome on those we regulate. In 2025/26, we published a range of impact assessments for areas including the Internet of Things and our data protection complaint handling approach.
We’ve provided further information on our progress to support sustainable economic growth in our update to government in January 2026.
Supporting AI innovation
In June 2025, we published Preventing harm, promoting trust: our AI and biometrics strategy. Our objective is to empower organisations to use these complex and evolving technologies in line with data protection law. This protects people, increasing their trust and confidence in how organisations are using these technologies.
As part of that strategy, we published:
- a report on the fair and responsible use of automation in recruitment; and
- draft guidance that sets out our expectations for organisations around automated decisions.
We also wrote to 16 organisations likely to use ADM to make decisions about jobseekers. These organisations have now committed to acting on our recommendations to improve practices. This is an important area: insight from our recent focus groups suggested jobseekers don’t always know how AI and automation are being used. As more employers turn to technology, we want to make sure proper safeguards are in place to protect people.
We also published a report on how the rise of agentic AI could transform the way we live our lives. With personal shopping ‘AI-gents’ potentially arriving within the next five years, the report focused on how strong data protection foundations can help:
- build public trust; and
- scale the fast and safe adoption of new technology.
In February 2026, we opened formal investigations into X Internet Unlimited Company and X.AI LLC covering their processing of personal information in relation to the Grok system and the system’s potential to produce harmful sexualised image and video content.
Our concerns relate to whether Grok has been processing personal information lawfully, fairly and transparently. Our concerns also included whether Grol’s design and deployment have appropriate built-in safeguards to prevent the generation of harmful manipulated images using personal information. Where those safeguards fail, people lose control of their personal information in ways that expose them to serious harm. Examining these risks is central to our role in:
- protecting people’s rights; and
- holding organisations to account as they design and deploy AI technology.
That investigation continues into 2026.
We’ve also focused on seeking assurances that police use of facial recognition technology (FRT) respects people’s rights, in line with our secondary duty in this area. We conducted a series of audits of police forces that have been early adopters of FRT, publishing our reports on South Wales and Gwent Police in August 2025 and Essex Police and Leicestershire Police in March 2026. Our findings were encouraging, with processes in place to enable the forces to identify risks around lawfulness, fairness and accountability.
In May 2025, we published new research on public attitudes towards biometric technologies, with a particular focus on FRT and its use by police. We found that most people are comfortable with familiar technologies being used to verify their identity, particularly those used:
- on personal devices; or
- for security purposes.
A majority (63%) also reported feeling comfortable with police use of FRT.
However, this acceptance is conditional. For regulation, ensuring the accuracy of the technology emerged as the clear public priority (53%). Over half (54%) of people surveyed shared concerns that the police’s use of FRT could infringe on their right to privacy. Concerns about data storage and retention were common, with many people wanting clear rules on:
- how long images are kept; and
- who can access them.
These findings are informing our ongoing policy development work to ensure that organisations collect and use biometric data in ways that:
- maintain public trust; and
- meet data protection requirements.
Coordinated digital regulation: working together to support innovation
Effective regulation is an important piece of the growth jigsaw, particularly in the technology space where we are witnessing significant change in:
- AI;
- quantum computing; and
- smart data.
Businesses need a clear and proportionate regulatory environment to feel assured about investing and innovating. And consumers need to feel comfortable about trying new technologies.
To help businesses navigate the digital regulatory landscape more easily, we continue to work with our partners in the DRCF, the CMA, the FCA and Ofcom.
The DRCF’s shared vision is to protect people online while supporting UK innovation and growth.
The AI and Digital Hub pilot provided a one-stop source of advice covering four regulatory remits, saving innovators time and boosting their confidence in developing products. The DRCF has published anonymised summaries of this advice to help a greater number of innovators. They are now building on what they’ve learned to develop the next phase of cross-regulatory innovation services: the DRCF’s thematic innovation hub.
The DRCF's horizon scanning work anticipates technology developments and trends. To highlight early regulatory considerations, they work with experts in:
- industry;
- civil society; and
- regulation.
This year’s focus is on agentic AI systems, cybersecurity, and smart data.
We also work closely with the FCA on innovation services in the fintech space, making it easier for firms to understand data protection requirements while developing new services. And we have continued to work closely with the CMA, particularly in their investigations under their digital markets competition regime.