GDPR – How will the GDPR be enforced?


The GDPR and UK Data Protection Act 2018 are in full force, and some businesses will be compliant with the new data privacy laws, while others will not.

The GDPR not only enhances the data privacy rights of individuals but also provides for new and improved regulatory powers for the Information Commissioner’s Office (ICO).

So who are the ICO and what does the GDPR mean for businesses that face a data breach or are found to be non-compliant?

Who are the ICO?

The ICO is the UK’s independent body that is responsible for ensuring businesses comply with UK data protection laws and the GDPR. They uphold individuals’ data rights and issue penalties to companies found to be mishandling data or in breach of their obligations.

What do I do if there has been a data breach?

The GDPR makes it mandatory that businesses report any serious data breaches to the ICO within 72 hours, especially if the breach affects the rights or freedoms of the individual whose data has been compromised, for example if there is a substantial risk of identity theft, discrimination or financial loss. You must also tell the affected individual about the breach.

Less serious breaches may not require notifying the ICO, but these cases must be decided on a case-by-case basis. If in doubt, you should consult your appointed Data Protection Officer (if you have one) or the person responsible for data protection compliance within your organisation.

How should I make the report?

You should make a report on the ICO website. When making the report, you should state what has happened, why and how the breach occurred, and how you plan on resolving the situation and protecting against the breach happening again in the future.

What powers does the ICO have?

Under the GDPR, the ICO has vastly more powers of enforcement, including investigative powers, compliance (corrective) powers and issuing financial penalties.

Investigative powers

When the ICO has been informed of a data breach, potential or real, the ICO is provided with more powers to investigate. These include:

  • ordering the data controller and the data processor to provide information that the ICO requests
  • carrying out a data compliance audit of the business
  • reviewing certificates
  • notifying the data controller or processor of any alleged infringement of the GDPR
  • obtaining access to all personal data and all information that is deemed necessary by the ICO
  • obtaining access to any premises where data is stored or processed.

Compliance powers

The ICO also has the power to issue corrective measures when investigating a data breach. Some of the corrective powers that can be imposed by the ICO could have a considerable impact on the day-to-day running of a business. These include:

  • issuing warnings
  • issuing reprimands
  • ordering the data controller or the processor to comply with the data subject’s requests to exercise their rights under the GDPR
  • ordering the controller to tell individuals of a data breach if their personal data was compromised
  • imposing a temporary or definitive ban on processing
  • ordering the rectification, restriction or erasure of personal data
  • withdrawing a certification or ordering a certification body not to issue a certificate
  • imposing administrative fines

Enforcement powers

The ICO now has stronger enforcement powers and can impose higher financial penalties. The ICO can issue heavy fines of up to €20 million (approximately £17 million) or up to 4% of an organisation’s annual global turnover.

The ICO has confirmed, however, that these top end fines will be rare and reserved for only the most serious breaches.

So what should you be doing now?

Well, if you’re not yet compliant you should start checking your business to make sure you become compliant.

Ensure you have policies and processes in place (such as a Website privacy policy or Data protection and data security policy) that can help avoid or minimise the risk of data breaches in the first place. Keep records of all data breaches and processes you have. Liaise with IT teams to implement any technical measures to protect personal data and get staff trained on dealing with subject access requests and handling personal data.

You should get a solicitor to review your current agreements with your customers, vendors and suppliers. A GDPR check will identify which documents need to be redrafted. If you and/or your business need help to comply with the GDPR, ask a lawyer.

Alan Cheung

Paralegal at Rocket Lawyer
Alan is a paralegal at Rocket Lawyer UK. He has a law degree from the University of Westminster and has recently graduated from the Legal Practice Course at BPP Law School. He is passionate about employment law and intellectual property and strongly believes in accessible and affordable legal services.