Ms Helen Dixon:

Under the GDPR, which is a direct effect regulation, we have a range of corrective measures that we can apply. We can order the cessation of processing. We can require an organisation to bring its processing into compliance based on findings that we issue. In addition to the corrective measures that we can apply, we can impose punitive fines. The intention is that where we do identify infringements under the GDPR, we are obliged to consider the application of the administrative fines and we have to do it in a way that is intended to be a deterrent. It has to be proportionate, dissuasive and effective in terms of its application.