ICO: fines will remain a last resort after 25 May

You may have read scaremongering articles about the high fines associated with the upcoming General Data Protection Regulation (GDPR). Fines of up to €20 million or 4% of annual global turnover for certain infractions against the new regulation have left some organisations wondering if the GDPR will leave businesses bankrupt.

At the Information Commissioner’s Office (ICO) Data Protection Practitioners’ Conference on 9 April 2018, Elizabeth Denham, UK information commissioner, reassured us that this would not be the case: “The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs.” Denham explained that enforcement would be a “last resort”, reserved for organisations that “persistently, deliberately or negligently flout the law”.

The ICO has “a whole new set of tools to motivate organisations towards compliance”. These include compulsory data protection audits, warnings, reprimands, enforcement notices and preventing organisations from processing data.

Denham stressed the importance of data protection: not just what happens when it goes wrong (such as with Facebook and Cambridge Analytica), but also that, when data processing is done correctly, it can “improve, ease and enrich our lives”.

She concluded that GDPR compliance is a journey that must continue beyond 25 May, adding “perhaps that’s when the real journey begins”.

Quick wins

Organisations that are beginning their compliance journey are unlikely to be fully compliant by the deadline but, as Denham’s comments above suggest, showing that you are doing your best and are willing to comply should reduce enforcement should you suffer a breach early on. Read our Quick wins to demonstrate GDPR compliance: the key things to do now to demonstrate compliance.