ICO dismisses claims that the GDPR will lead to massive fines

The Information Commissioner’s Office (ICO) has dismissed as “nonsense” claims that it will be regularly issuing massive fines to organisations that fail to comply with the EU General Data Protection Regulation (GDPR).

The GDPR, which takes effect on 25 May 2018, gives supervisory authorities the power to issue fines of up to €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – but Elizabeth Denham, who heads the ICO, says those measures will be a last resort.

She made the comment in the first of a series of blogs that will “separate the fact from the fiction” regarding the media coverage of the GDPR.


Denham acknowledged that the majority of reporters “have their facts straight”, but pointed to wild claims about how the ICO will use its punitive powers. Claims that “cleaners and gardeners will face massive fines that will put them out of business” or that “big fines will help fund our work” are simply wrong, she said.

Since the GDPR was passed, the threat of fines has been used to emphasise how important it is to comply with the Regulation. But Denham said: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

For instance, the Register suggested that, had the GDPR been in effect last year, the ICO’s fines would have been 79 times greater. It added that the Regulation would have had a “catastrophic” effect on small and medium-sized enterprises, potentially putting them out of business.

And that figure only accounts for fines the ICO already levied. Referring to the GDPR’s strengthened compliance requirements, the Sun claimed that the ICO will soon fine organisations “just for sending an EMAIL”.

Denham responded: “Just look at our record. [Last year] we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”

She added that, as with current laws, the ICO will only levy fines if its other possible sanctions – warnings, reprimands and corrective orders – are not appropriate. “While these will not hit organisations in the pocket – their reputations will suffer a significant blow,” she said.

Don’t get complacent

The ICO’s warning shouldn’t be taken to mean that you don’t have to worry about being fined. Financial punishment may well be a last resort, but if organisations put the ICO in that position, it will respond accordingly.

As Denham said: “Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

“But we intend to use those powers proportionately and judiciously.”

To avoid putting your organisation in that position, you need to understand the GDPR’s requirements and know how to apply them. We offer two GDPR training courses to help you prepare for the Regulation:

Certified EU General Data Protection Regulation Foundation (GDPR) Training Course

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

Book these courses together in our Combination Course and save 15%.