What is GDPR? Everything you need to know, from requirements to fines

Before the EU's General Data Protection Regulation (GDPR) came into force, the Information Commissioner's Office (ICO) could fine an organisation at most £500,000. That was considered significant at the time, but it pales in comparison to the penalties announced under the Data Protection Act 2018 and GDPR. On 8 July 2019, the ICO announced its intention to fine British Airways £183 million for GDPR violations, and just one day later it announced a £99 million penalty against hotel chain Marriott. These sums are 366 and 198 times the previous maximum penalty respectively. Elsewhere, Google was hit with a €50 million fine by France's data protection authority, and at least 70 enforcement actions have been taken in total across the EU little more than a year after the regulation came into force.

But the destination of this money, which could run into billions over the next few years, has been the subject of uncertainty. The relatively untested one-stop-shop principle may also create tension as data protection authorities wrestle over jurisdiction in mammoth investigations; think of the likes of Facebook and Google, where millions are at stake. Finally, there is the question of whether data protection regulators, the ICO in particular, are well enough funded to cope with heavier investigatory workloads, and whether the advent of GDPR, and the explosion in fines, will make their need for additional funding skyrocket.

Myth-busting the fate of data protection fines

The ICO clearly hasn't shied away from making big calls, as the BA and Marriott fines show, and it is a common misconception that all this money goes directly to the ICO. Contrary to what many have assumed, the ICO says it has never directly benefited from the fines it levies.

The reality is that the money is not channelled into the ICO's coffers but into the Treasury's Consolidated Fund, into which all general revenues, including taxes and fines, are paid. It is then distributed as part of wider government spending.

This is not necessarily the case in every EU country, however, according to Helen Goldthorpe, a data protection specialist and commercial and IT lawyer with Shulmans. The ICO's equivalents in Denmark and Estonia, for example, cannot issue fines directly and instead make recommendations to the courts. Germany, meanwhile, has multiple regulators, organised by federal state. The process in Ireland involves a two-stage decision: first on whether there has been a violation, then on the nature of the penalty. The Spanish regulator stands almost alone in having historically kept all the data protection fines it levied. But Goldthorpe explains that this led to accusations of a conflict of interest, and that the arrangement would have to change under GDPR.

"Essentially the conflict is that if the regulator gets the money, then they have more of an incentive to fine," she says. "Their own self-interest may come into the decision as to what the fine should be, rather than the facts that are meant to be taken into account."

Factoring in the 'one-stop-shop' principle

The harmonisation of data protection law across the EU, and the fluid nature of cross-border data sharing, is what the one-stop-shop principle is designed to address. It is a key mechanism under GDPR, overseen by the European Data Protection Board (EDPB), that applies when an investigation concerns cross-border data processing violations. An organisation alleged to have committed violations in several jurisdictions is investigated by a single regulator, designated as the lead supervisory authority. That regulator spearheads the investigation, bears the costs involved, and handles any regulatory action that results. The matter, thereafter, is generally considered settled.