ICO - Maximum fines under GDPR will be “last resort”

Derek du Preez, August 9, 2017
The Information Commissioner’s Office wants to assure businesses that they will face fines of up to £17m or 4% of turnover only in extreme cases.

The Information Commissioner’s Office has hit out at the media for reporting misleading information about the EU’s soon-to-be-implemented General Data Protection Regulation (GDPR), which will come into effect in the UK from 25 May 2018.

Information Commissioner, Elizabeth Denham, outlined in a blog post this week that there is “misinformation out there” and sought to assure businesses that the maximum penalties that are possible under GDPR, £17 million or 4% of turnover, will only be used in the most extreme cases.

GDPR seeks to update existing data protection regulations for member states and the UK has committed to implementing the new law, despite having decided to leave the European Union in the referendum last summer.

Businesses and policy advisers have warned that not keeping aligned with the EU on data regulations would make it very difficult for businesses to trade with the Union after Brexit. The UK government has also said that GDPR will be the gold standard for citizen rights as they relate to data protection.

GDPR has a number of requirements, which include:

  • a requirement for consent – businesses will need to ensure that all customers know that the business holds their data and that they consent to the business having that data
  • businesses will have three days to report data breaches to both the authorities and customers
  • the Right to be Forgotten – customers will have the right to ask businesses to delete all of their data, and businesses will have to prove that they have done so
  • data portability – the aim being to create an environment where businesses can easily swap their data between different providers, whilst ensuring the data is erased from the old provider’s systems
  • hefty fines for data breaches will be introduced – up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater.

Earlier this week the UK government formally announced its intention to introduce the new Data Protection Bill to parliament, which essentially brings GDPR into UK law.

Information Commissioner Denham this week, however, has said that the media is “scaremongering” about the new maximum penalties (at the moment the ICO can only fine up to £500,000) and said that the ICO will attempt to separate the fact from the fiction over the coming weeks.

Denham writes:

The General Data Protection Regulation comes into force on 25 May 2018. That’s not new news. But it is a fact. It’s also fact that not everything you read or hear about the GDPR is true.

I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force in 289 days.

Don’t panic

Unsurprisingly, many of the media’s headlines have focused on the ICO’s increased powers to fine organisations under the new GDPR legislation. However, Denham doesn’t want organisations to fear this too much, pointing to the ICO’s track record in using the maximum penalty under the existing Data Protection Act (it hasn’t ever fined an organisation the maximum possible £500,000).

Instead, Denham wants businesses to focus on the fact that GDPR is about “putting the consumer and citizen first”.

She says:

Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. And that concerns me.

It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

Denham highlights that last year the ICO concluded 17,300 cases and only 16 of them resulted in fines for the organisations concerned.

She added that the ICO will have a host of other tools available to it under GDPR, not just fines, which will help it keep businesses in check. Denham writes:

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.

Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.

And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.

My take

Fines will be issued, but it seems that the ICO wants to keep businesses calm. However, that doesn’t take away from the fact that complying with GDPR is a huge undertaking, and research has indicated that many are woefully underprepared. There are under 300 days left until GDPR comes into effect in the UK, leaving very little time to get your house in order.