It has been over a year since the General Data Protection Regulation (GDPR) came into force – and it did so with great fanfare. The GDPR had the effect of overhauling how personal data is dealt with across Europe, introducing the ‘gold standard’ of protection for the rights and freedoms of EU data subjects. At the same time the UK enacted the Data Protection Act 2018 (DPA).

By far the most radical change implemented by the GDPR over the previous regime was giving supervisory authorities the power to impose potentially huge fines for breaches of its provisions.

The level of fine that can be imposed depends on the nature and seriousness of the failure. GDPR Article 83 provides that in the case of a firm or company breaching the obligations imposed on it, such as the basic principles for processing personal data, the maximum fine available to the Information Commissioner’s Office (ICO) is €20 million or 4% of the firm or company’s total annual worldwide turnover, whichever is higher.

Unsurprisingly, the potential for such huge fines created a media furore not only in the UK but also internationally. It is only this month, however, that the ICO publicly announced its first uses of the significant firepower available to it.

Click here for the full GT Alert, which discusses the two cases.