The UK’s top data regulator quit abruptly, triggering a rare shake-up just as new data laws kick in.

John Edwards resigned as Information Commissioner after a months-long workplace probe found he made inappropriate jokes that caused offence. The details remain undisclosed. This is the first resignation in the office’s 40-year history.

Despite stepping down, Edwards continues to draw his £200,000 salary while his deputy, Paul Arnold, runs the Information Commissioner’s Office (ICO). Edwards is currently in New Zealand, leaving the watchdog without a permanent leader at a critical moment.

The ICO enforces data protection and AI regulation in the UK. It can fine companies up to £17.5 million or 4 percent of global turnover. Under Edwards, the ICO took a tough stance on Big Tech, fining TikTok £12.7 million and Reddit over £14 million for children’s data violations.

Edwards framed privacy as a right, not a privilege, and promised fair enforcement. His departure leaves a leadership vacuum as the UK government reshapes the ICO under new laws expanding its remit.

New Data Complaints Law Raises the Stakes

On the same day Edwards resigned, a major change in UK data protection law came into force. The Data (Use and Access) Act 2025 requires every organisation handling personal data to have a formal complaints process. No exceptions. This applies to every data controller, from multinational tech giants to local councils and sole traders.

Before this law, individuals could bypass organisations and complain directly to the ICO. Now, complaints must first be addressed internally. Organisations must acknowledge complaints within 30 days and investigate promptly. Failure to comply can be used as evidence of non-compliance in regulatory action.

The ICO’s backlog of tens of thousands of complaints partly drove this shift. Routing complaints internally should reduce regulator overload and speed up resolutions. Yet, the ICO warns the new system will not tolerate inadequate complaint handling.

All organisations must accept complaints by any reasonable means, including email, phone, social media, or live chat. Complaints don’t need legal jargon to qualify. The ICO’s guidance is strict: no slipping through cracks.

What This Means for UK Data Governance

The ICO is currently a regulator in limbo. Its top commissioner is gone, replaced temporarily by his deputy. Ministers and MPs must decide Edwards’ fate, but no announcement is expected soon.

This leadership gap arrives amid widening powers and responsibilities for the ICO. The regulator is expected to enforce new AI rules while managing the largest overhaul of UK data protection since Brexit.

Critics already accuse the ICO of being toothless. Edwards’ unexpected exit fuels calls for a firmer watchdog. The next commissioner could either strengthen the ICO’s bite or confirm fears of regulatory weakness.

Meanwhile, organisations face a hard deadline to comply with the new complaints process. The ICO has made clear it will use complaint handling as a regulatory weapon. Poor internal processes will invite scrutiny and enforcement.

In short, the UK’s data governance is at an inflection point. The watchdog’s top office is empty, new laws demand more accountability, and the stakes for mishandling personal data are higher than ever.