These slides show that, although the (UK) GDPR mandates strong enforcement and a prioritisation of this by the regulator including through the handling of data subject complaints, severe limitations exist in practice. Indeed, in 2022-23 the Information Commissioner’s Office (ICO) did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only 4 GDPR fines totalling (after later adjustment) less than £0.2M. The Tribunal has removed any substantive bite to the individual order to progress complaints remedy and the Parliamentary Committees have failed to provide effective holistic scrutiny. There is a case for some of the legislative reforms now proposed including reconstituting the ICO as a corporate board and increasing transparency. However, others risk providing a de jure entrenchment of the ICO’s positioning away from being a comprehensive upholder of core data protection rights. None directly address the serious challenges present here but a two-fold approach would do so. The order to progress complaints should police the appropriateness of the ICO’s substantive as well as procedural response and not-for-profit representative complaints should be permitted even without the mandate of data subjects in order to encourage well-argued, strategically important cases. Second, and at least as importantly, the Equality and Human Rights Commission should be obliged to periodically provide holistic scrutiny of the ICO’s enforcement track-record from a human rights perspective within which data protection rights must ultimately sit. These slides are based on a full Working Paper which may be viewed here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284602