All of the EU’s member states must provide one or more independent supervisory authorities (or regulators), which must act independently of the government and must be provided with adequate resources to undertake their duties. In the UK the regulator is the Information Commissioner’s Office (ICO).
All entities which process personal data must register with their regulator regardless of whether they are a data processor or a data controller. More detail is available here.
Supervisory Authorities’ Tasks
- Monitoring the application of GDPR
- Promoting public awareness
- Handling complaints raised
- Giving advice on processing operations when consulted
- Reviewing certifications and conducting accreditation of certification bodies
- Approving binding corporate rules
Supervisory Authorities’ Powers
- Investigative powers, exercised through data protection audits
- Corrective powers, including:
  - warnings,
  - reprimands,
  - limitations on processing,
  - withdrawal of certifications
- The power to impose administrative fines
- The power to suspend data flows to third countries
- Authorisation and advisory powers
Entities operating in more than one member state can choose a lead regulator for all their pan-EU activities, so that they need liaise with only one authority. The lead authority monitors compliance in respect of cross-border processing by an organisation whose main establishment is in that Member State.