GDPR - what will happen?


    #11
    Originally posted by Antman
    The never to be seen upper limits of GDPR fines are a lot bigger than current DPA fines.
    FTFY



      #12
      Suddenly getting emails from recruitment agencies asking me to give permission for keeping my personal data. Refusing them all.



        #13
        Originally posted by Swamp Thing
        There will be enforcement, and it will be easier to enforce GDPR regulations than it was for the DPA 1998, e.g.:
        - data subjects no longer have to prove that there was a data breach, they just have to show that some harm was done. So the 'bar' will be lower;
        - companies must make data subject's consent to opt out more explicit (so, no more odd-looking tick boxes or double negatives that trick you into accepting marketing material or having your PII sold). Burden of proof shifts from data subject to the organisation;
        - data breaches used to incur a £500K fine. Now the fine will be 2-5% of annual turnover;
        - subject access requests no longer incur a fee, and data can be extracted and sent electronically. Data subjects will no longer have to ponce about paying cheques and waiting loads of time for redacted bits of paper to arrive in the post;
        - nature of personal data now extended to include online identifiers like IP addresses and cookies - companies will no longer be able to claim these aren't within the meaning of PII;
        - it's an EU-wide regulation (unlike DPA), so harder for companies to hide in different jurisdictions;

        There's more, but the above gives a good flavour. So yes, it'll be easier for the ICO to enforce. Ignorance will be no excuse!
        Liability is also being extended from the current Data Custodians to the current Data Processors as well. Currently organisations that process data on behalf of the custodians of that data are not subject to enforcement under DPA. That will change with GDPR.

        Fines are potentially up to 4% of Global turnover.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



          #14
          Originally posted by Swamp Thing
          There will be enforcement, and it will be easier to enforce GDPR regulations than it was for the DPA 1998,
          Yes, it's a law that will come into force; what I meant was that you do not need to make a submission to the ICO on your level of compliance, nor do the ICO have the manpower to check this.

          Originally posted by Swamp Thing
          - data breaches used to incur a £500K fine. Now the fine will be 2-5% of annual turnover;
          These are the maximum fines and are all criteria based depending on the size and type of data breach.



            #15
            GDPR

            Originally posted by DaveB
            Liability is also being extended from the current Data Custodians to the current Data Processors as well. Currently organisations that process data on behalf of the custodians of that data are not subject to enforcement under DPA. That will change with GDPR.

            Fines are potentially up to 4% of Global turnover.
            And that is only the beginning....
            Good space to be in.......
