The ICO, for the second time in its history, has used the Computer Misuse Act (CMA) to achieve a prison sentence for someone who abused a position of trust to exfiltrate personal data from her employer in order to sell it.
The GDPR does not provide for prison sentences for this (or any other) sort of illegal behaviour.
ICO Utilises the Computer Misuse Act to Impose Penalties (natlawreview.com).
Although now more than 30 years old, the CMA clearly continues to play a useful role in today’s GDPR and privacy-aware world.
