UK GDPR—sanctions and enforcement

The following Information Law practice note provides comprehensive and up to date legal information covering:

  • UK GDPR—sanctions and enforcement
  • Monitoring and enforcement of the application of the UK GDPR—roles and powers
  • The ICO
  • Duties of the Information Commissioner
  • Powers of the ICO
  • Activity reports
  • Further guidance on the ICO
  • Investigative powers
  • Information notices
  • Assessment notices
  • More...

UK GDPR—sanctions and enforcement

This Practice Note examines the approach to sanctions and enforcement under the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (the UK GDPR). It considers:

  1. the role and powers of the Information Commissioner (acting through the Information Commissioner’s Office (ICO))

  2. the ICO's investigative and corrective powers, powers to fine and appeals and safeguards in relation to ICO enforcement action

  3. compensation claims by data subjects

  4. representative and group actions

  5. criminal sanctions

  6. links to guidance tracking the ICO’s enforcement activities

  7. other compliance incentives in practice

For a general introduction to the UK GDPR regime, see Practice Notes: The UK General Data Protection Regulation (UK GDPR). The processing of personal data by competent authorities for law enforcement purposes or by the intelligence services, which is governed by specific regimes under Parts 3 and 4 of the Data Protection Act 2018 (DPA 2018), is beyond the scope of this Practice Note.

For guidance on the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) regime and equivalent laws under the EU GDPR, see Practice Notes: Introduction to the EU GDPR and UK GDPR and EU GDPR—sanctions and enforcement.

The main approach to sanctions and enforcement that has been taken under the UK GDPR (as with the EU GDPR) is to retain high penalties for non-compliance, in the hopes of producing higher levels of compliance because

Popular documents