WhatsApp was first ordered to stop sharing personal data with Facebook in November 2016 after the ICO, which opened an investigation into the issue in August that year, said it had concerns that Facebook was not being "fully transparent".
The ICO announced today that it has completed its 14-month investigation, which concluded that the practice would have been unlawful, even though WhatsApp has consistently denied any wrongdoing.
Information Commissioner Elizabeth Denham said: "WhatsApp has not identified a lawful basis of processing for any such sharing of personal data. If they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act."
The ICO said WhatsApp had "failed to provide adequate fair processing information to users in relation to any such sharing of personal data", adding that the sharing of such data "would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained".
WhatsApp has agreed to sign the undertaking not to share personal data with Facebook until it can do so in compliance with GDPR, which comes into force in May.
"I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case," Denham said. However, she added: "I would also like to stress that signing an undertaking is not the end of story and I will closely monitor WhatsApp's adherence to it."
The French data protection authority (CNIL) is in the process of bringing enforcement action against WhatsApp, while other EU data protection authorities also have ongoing investigations.
WhatsApp said in a statement: "We collect very little data and every message is end-to-end encrypted. As we've repeatedly made clear for the last year, we are not sharing data in the ways that the UK Information Commissioner has said she is concerned about anywhere in Europe."