What has been the ICO’s attitude to GDPR enforcement?
Victoria Hordern of Bates Wells considers what we can learn from the ICO’s actions so far.
A law that is not consistently enforced is arguably not worth the paper it’s written on. The General Data Protection Regulation 2016/679 (GDPR) was designed to strengthen the rights of individuals and the powers of regulators. The GDPR deliberately takes an antitrust-style approach to fines, e.g. 2% or 4% of global annual turnover. It’s a framework which allows data protection authorities to bring out a hefty stick when they consider it to be justified. In particular, there had been concerns under the previous regime of the Data Protection Directive 95/46 that many EU Data Protection Authorities had limited ability to issue fines and so were without proper deterrents to punish bad practices. For sizeable multinationals, the fines that those Data Protection Authorities imposed were small change.