Information Commissioner Elizabeth Denham has branded claims that the regulator is chomping at the bit to issue massive fines under GDPR “scaremongering”, insisting that her office has always preferred “the carrot to the stick”.
Denham’s remarks come in the first of a series of “myth-busting” blog posts planned by the ICO and published to coincide with this week’s Government announcement that a new Data Protection Bill will enshrine GDPR into UK law.
Denham writes: “Not everything you read or hear about the GDPR is true. If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. And that concerns me.”
Although she confirms that the ICO has the power to impose fines much bigger than the current £500,000 – a maximum €20m (£17m) or 4% of turnover – she adds: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Denham insists that issuing fines has always been, and will continue to be, a last resort, a policy highlighted recently by research and analysis company Quocirca. Last year the ICO concluded 17,300 cases, yet only 16 resulted in fines for the organisations concerned. It has never invoked its maximum powers.
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense, she says.
Denham adds: “I’ve read that some organisations are considering taking out insurance to mitigate against the prospect of huge fines. This seems odd – surely insurers will expect effective compliance measures before taking on the risk? So why not simply concentrate on complying with the law rather than trying to avoid the consequences of falling foul of it?
“Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously.”
Denham concludes: “Like the Data Protection Act, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that.”