The UK General Data Protection Regulation (UK GDPR) is enforced in the UK by the Information Commissioner’s Office (ICO). Generally, the ICO are referred to as ‘the commissioner’ in the Regulation and have responsibility for oversight and enforcement of the UK GDPR and UK data protection laws.
About the Information Commissioner’s Office
The ICO is an independent regulatory office that reports directly to Parliament. Chiefly, its role is to uphold the information rights of individuals in the public interest. In addition to its oversight of the UK GDPR, the ICO also enforces the legislation below.
- The Data Protection Act 2018 (DPA18)
- The Privacy and Electronic Communication Regulations (PECR)
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
The ICO’s mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. Furthermore, it can issue enforcement notices and fines for breaches of any of the laws it regulates.
ICO’s Data Protection Duties
The commissioner has a range of duties that have been set out in the UK GDPR. The list below sets out the main duties and obligations held by the ICO.
- To monitor and enforce the application of the UK GDPR & DPA18.
- To promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing (with specific attention on children).
- To advise Parliament/government on legislative and admin measures relating to data protection.
- To ensure controllers/processors are aware of their obligations under the UK GDPR.
- To handle complaints lodged by a data subject and investigate the issue(s) and inform the complainant of the progress and the outcome.
- To conduct investigations on the application of the UK GDPR.
- To establish & maintain a list in relation to the requirement for data protection impact assessments (i.e. for use of CCTV).
Tailoring the UK GDPR
Prior to Brexit, the GDPR applied to all EU Member States, of which the UK was one. However, once the UK exited the EU, the GDPR remained in place as the main data protection regulation. To ensure it was still suitable and appropriate for the UK’s data protection framework, the UK GDPR needed some revisions and additions.
The GDPR was written into UK law via the Brexit Withdrawal Agreement and enacted as the UK GDPR. Furthermore, this was tailored by the Data Protection Act 2018 (DPA18) to ensure its continued suitability and relevance. Finally, the UK GDPR and DPA18 were further amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations. These came into force in 2019 and 2020 respectively.
Scope of the UK GDPR
The UK GDPR is separated into 99 Articles that each relate to a different area of the Regulation. In addition, the Regulation also contains 173 Recitals that must be read in conjunction with the main Regulation. Many of these provide additional context and build upon the rules set out in the Articles.
GDPR Policies & Templates
Know Your Compliance Limited are a market leader in GDPR Policy Templates, providing templates and compliance manuals to more than 11,000 businesses across the UK. We specialise in data protection policy templates and GDPR Document Toolkits.
You can purchase standalone policies such as our CCTV Policy and Legitimate Interests Assessment Template. We also provide a leading GDPR Toolkit with 98 data protection policies, procedures, templates and checklists. Starting at just £10, you will not find a more professional, compliant GDPR policy template offering on the market.
