GDPR – Information Commissioner sorts the fact from the fiction
The General Data Protection Regulation comes into force on 25 May 2018, bringing with it significant changes to data protection law. However, according to the Information Commissioner, not everything you currently read about the GDPR is true.
In a blog post, Elizabeth Denham stated that she wanted to set the record straight:
“I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force.”
The first in a planned series of blogs, the post focuses on the ‘myth’ surrounding what is often described as the biggest threat the GDPR poses to businesses: massive fines.
“Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point,” argues Denham.
“It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us. It’s also true that companies are fearful of the maximum £17m or four per cent of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
The Commissioner highlights the ICO’s record in issuing fines under existing legislation:
“We have always preferred the carrot to the stick,” she says. “Issuing fines has always been, and will continue to be, a last resort. Last year (2016/17) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”
Denham does not deny that increased powers were fought for when the GDPR was being drawn up, commenting that heavy fines for serious breaches reflect just how important personal data is in a 21st-century world. She also highlights the other sanctions available to help organisations comply, such as warnings, reprimands and corrective orders:
“While these will not hit organisations in the pocket, their reputations will suffer a significant blow.”
As well as fines, some of the most significant changes due to come into force under the GDPR include those relating to:
- obligations applying to data processors (under current rules most of the legal obligations rest with the data controller);
- the need to appoint data protection officers;
- mandatory notification of breaches in some cases; and
- enhanced rights of data subjects.
Because of these significant changes, the Information Commissioner’s Office has set out 12 steps to help organisations prepare for the GDPR.
Information on this and other upcoming changes is available in Val Surgenor’s blog, Data protection: fast approaching changes for employers