The ICO’s take on ‘effective, proportionate and dissuasive’ GDPR enforcement action

The ICO’s draft policy on fines looks to improve transparency and consistency. By Emily Morgan and Alexander Dittel of Wedlake Bell LLP.

Even after four years of the General Data Protection Regulation (GDPR) being in force, enforcement action by supervisory authorities in Europe and the Information Commissioner’s Office (ICO) in the UK is often received with a sense of surprise. Headlines about seemingly trivial(1) or excessive(2) fines are often contrasted with reports about apparent regulatory inaction.(3)

However, regulators are not the only show in town. Over the last ten years, privacy advocates have emerged as a driving force seeking to defend people’s data protection rights. At the same time, a new generation of data privacy professionals who advise organisations on a daily basis look at regulatory practice for guidance. Understandably, inconsistent regulatory action could lead to conservative and defensive advice, excessive spending on superfluous compliance exercises, misinformation of the public through an opportunist media, and, of course, legal challenges of the regulator at public expense.

Continue reading

UK Report subscribers: please login to access the full article.

If you wish to subscribe, please see our subscription information.