Introduction: the toolkit of supervision and enforcement
The premise of this chapter is that any regulatory system is only as good as the means by which it is supervised and enforced. Optimum regulatory efficiency does not vest power only in regulators: it also vests it in the courts, markets, self-regulatory schemes, and citizens. The GDPR (and the UK GDPR since Brexit) incorporates all of these tools. National supervisory authorities are referred to throughout as regulators or data protection authorities (DPAs), and data subjects as citizens or individuals.
Self-regulation - controllers (and, through them, their processors) regulate themselves
Regulation by the citizen - complaints, judicial remedies, compensation, representative actions
Administrative supervision - the DPAs with their tasks and powers
The courts - judicial remedies and compensation claims
🔑 Key point
Terminology to lock in: national supervisory authorities = regulators / DPAs; data subjects = citizens / individuals. For many organisations, the primary risk of adverse scrutiny comes from citizens as litigators rather than from the DPAs.
Key terms - quick answers
What is “Supervisory authority”?
The independent national body in each member state charged with overseeing and enforcing data protection law; also called a DPA or regulator.
What is “DPA”?
Data protection authority - the member-state regulator (e.g. France's CNIL, the UK's ICO, Spain's AEPD).
What is “Self-regulation”?
Mechanisms where the regulated entity supervises and enforces its own compliance, e.g. accountability, DPOs, codes of conduct and certification.