When the UK left the European Union in January 2021, responsibility for enforcing GDPR passed to the UK's domestic governing body: the ICO (Information Commissioner's Office).
The ICO is an independent authority set up to uphold UK citizens' information rights, promoting openness by public bodies and upholding data privacy for individuals. The ICO covers many types of legislation, all relating to protecting and governing the way that UK citizens' private data is collected, stored and used. These include the Data Protection Act, the Privacy and Electronic Communications Regulations, the Freedom of Information Act and NHS regulations.
Penalties for breaching GDPR
Even though we are no longer part of the European Union, we retained the guidelines as set out by the EU when GDPR was first introduced in May 2018.
Failing to comply with the requirements of GDPR carries some pretty hefty penalties. A company or organisation found to be in breach of GDPR can be fined up to 20 million euros or 4% of its annual global turnover.
The ICO is able to fine any amount that is deemed appropriate, up to a cap of 20 million euros (or the sterling equivalent). Fines have been imposed on companies in breach of GDPR quite frequently over the last few years; these have mainly been for sending unsolicited direct marketing to consumers.
In September 2021 we saw Sports Direct fined £70,000 for sending 2.5 million spam emails, We Buy Any Car fined £200,000 for sending 191 million spam emails, and Saga fined £150,000 for sending nuisance text messages.