GDPR – sorting the fact from the fiction

Listen to our March 2018 podcast answering your questions on GDPR myths.

By Elizabeth Denham, Information Commissioner.

Fake-news-fines-blogThe General Data Protection Regulation comes into force on 25 May 2018.

That’s not new news. But it is a fact.

It’s also fact that not everything you read or hear about the GDPR is true.

For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.

And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example.

But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.

GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.

For the record, these are all wrong.

If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.

So, I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force in 289 days.

This is the first in a series of blogs to separate the fact from the fiction. We’ll be publishing future myth-busting blogs on consent, guidance, the burden on business and breach reporting.

Myth #1:

The biggest threat to organisations from the GDPR is massive fines.


This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.

Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.

And that concerns me.

It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.

And just look at our record:

Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.

And we have yet to invoke our maximum powers.

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.

Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

But we intend to use those powers proportionately and judiciously.

And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.

And you can’t insure against that.

elizabeth-denham-blogElizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
This entry was posted in Elizabeth Denham and tagged , , , . Bookmark the permalink.

118 Responses to GDPR – sorting the fact from the fiction

  1. Pingback: Is your GDPR compliant? – James Gould's Blog

  2. Pingback: Information Commissioner gives guidance on GDPR consent - Cook Lawyers

  3. Pingback: Is your company going to be GDPR compliant? -

  4. nomadsquire says:

    Whilst it is reassuring to learn from the ICO that less than 0.1% of investigations last year resulted in fines, nonetheless the rules are sharpening up under GDPR and the likelihood is that the percentage of investigations that result in a fine will undoubtedly go up from the middle of 2018. But there’s more to be concerned about than just fines – the more onerous worry is the potential judicial remedies that are likely to be sought: a complaint may end up in a Court of Law, where the damages felt may be a lot more than any fine. There is also the issue of ‘Brand’, where the Press will have a field day ‘naming and shaming’ organisations that flout individuals’ Right to privacy… this is an area where the “principle of proportionality” laid out in the law cannot be controlled by Regulators and judges: the people will decide. Sadly, one only has to look at the TalkTalk case study to see the effects of a case gone awry that resulted in a massive dent in the trust of the company that led to some fearsome financial penalties, not least an impressive loss of share-value. I agree with the ICO that the bottom line, if you wish to avoid any of the above scenarios, is that you should simply comply with GDPR and put the privacy of any individual you deal with (in or outside of the EU) at the heart of everything you do, which is why priviness (the “privacy of business”) will become the de facto standard

  5. Guy Pyetan says:

    As I’ve been saying right from the start, the safest thing to do with GDPR is err on the side of caution. Make sure you have compliant, sensible, secure policies, processes and systems in place. If you do this then even if a case gets to court it will be in your favour thta you showed willing and did your best. It might not entirely eliminate a fine or even stop you having to make payouts but it could well mitigate them.

  6. I understand that the ICO is recruiting ex-police officers to investigate data breaches could you tell me what percentage of the total staff recruited in the last six months are ex-police?

    • icocomms says:

      Phillip in answer to your comment. 5.5% of the staff who have started work with the ICO in the last 6 months are ‘ex-police’. This means that they have worked with a police force, not necessarily that they were police officers.

    • Marcus Sangster says:

      I used to chair the policy committee in the Forester’s professional body. We had an issue with the Gangmasters and Labour Abuse Authority (GLAA) who explicitly targeted small self-employed contractors and micro businesses, intimidating them to take out unnecessary licences at considerable cost. Much easier targets than the criminals the legislation was intended for and intended purely to raise money. The only prosecutions in my sector were for not having licences, none at all, ever, for poor labour practices. They employed ex-police officers as enforcers. When I reported this to the overseeing civil service department they gave my identity to the GLAA illegally who then (illegally) approached my employer and labelled me as a troublemaker. No action was taken on my complaint. This seems to be normal behaviour for government agencies with these types of powers. So why would the Information Commission behave any differently? Who is going to stop them abusing their powers in the same way as the GLAA? Can the Commissioner give an absolute guarantee that there will be no budgetary targets set for income from fines and enforcement? Pigs might fly.

  7. Pingback: GDPR – setting the record straight on data breach reporting | ICO Blog

  8. Pingback: Three Reasons why a ‘Wait and See’ Approach Will NOT Work with GDPR

  9. Darren Revell says:

    GDPR Myths this week. WordPress websites can’t achieve GDPR compliance. If you don’t have ISO accreditations you can’t be GDPR compliant. GSPR compliance can’t be given to suppliers with low credit scores. GDPR can’t be achieved if you keep your UK data on a German Server. That is just this week on LinkedIN and most all of them came from one firm.

  10. roger buckley says:

    I am assuming that the current bill will exactly mirror the European requirements of GDPR, and therefore we should plan for what we know are the European requirements. will you be providing a commentary on any variances introduced under the Bill’s passage ?
    thanks Roger

  11. Pingback: 8 GDPR myths - all busted! | E RADAR

  12. Tim Bartlett says:

    What is the impact and implication for business to business email marketing regarding consent? Thanks, Tim

  13. Pingback: GDPR – setting the record straight on data breach reporting | | OpSecure

  14. Pingback: The Data Protection Bill: A Summary | Blog Now

  15. Pingback: Damage to Reputation could be more Costly than GDPR Fines

  16. Pingback: GDPR: How prepared are you for May 2018?

  17. Gavin Griffiths says:

    Elizabeth Denham, this is a really well written piece which puts in place the ICO stance on this new law. It’s a little shocking that some comments after this seems to still bypass the mindsets of people!
    I think where some are falling down today is the understanding that most (if not all) large companies with personal data are not flippant by the way they protect this information currently.

    Meaning, not a great deal has to change within!

  18. NGP says:

    How will Brexit affect this? After Brexit, I assume the ICO be responsible for enforcing UK data protection law, not EU GDPR? How will the EU regulate UK companies trading within the EU?

    • Nobody knows!

      The Regulations are a set of instructions from the European Union, around which our Parliament will formulate the British law – The GDP Bill – which has yet to have its second reading in Parliament. There are provisions in the Regulations for local flexibility. Once the Bill is passed it will become subject to British law. (I am saying British not UK, because I don’t know whether there are separate laws being written for Scotland and Northern Ireland.) That would have been the case whether we were in the EU or not. We have always written our own laws, and we have the power of veto over EU regulations around which our laws are formed.

      Initially, the GDP Bill means that our law coheres with the other EU member states. However, as time passes, there may be amendments to our laws which are at odds with EU law and that may lead to restrictions on trading. For example, the government say they want to scrap the Human Rights Act. The exemptions under the GDP Bill for freedom of expression may or may not disappear when that happens. Should that happen, it would adversely affect my business. As Britain creates its own laws that are independent of Europe, lawmakers in the EU might not accept the UK as being safe for them to share data with. (This is all crystal-ball-gazing speculation, not a certainty.)

      I’m sure the government will let us know what’s going to happen by writing it on the side of a bus.

  19. I follow the privacy news from a range of EU countries, and I find that the UK ICO by some margin is the authority that seem to suggest that it will make only limited use of the punitive measures despite these being written into the law. Can the UK ICO offer the readers any insight to EU-issued guidelines supporting it in it’s repeated promises that it will not administer its powers to issue the larger fines as per written into the law? I have no memory of seeing similar public statements from any other EU Data Privacy authorities.

    On the same token, what is the situation with regards to the UK seat at the European Data Privacy Board for when UK leaves EU? Will organisations in the EU countries be able to appeal UK ICO rulings in UK Data Privacy matters to the CJEU in cases where EU organisations finds the UK ICO is unfairly lenient to UK organisations thereby offering UK organisations a competitive advantage over its EU competitors? More importantly, will the UK ICO follow CJEU rulings with regards to its application of the punitive measures, after UK has left the EU?

    If the UK ICO do not intend to utilise its powers given within GDPR, would it not be more appropriate to declare a moratorium / temp suspension of the punitive regime under GDPR, thereby giving all UK organisations certainty that it will not be penalised for non-compliance come 25th May 2018.

  20. Pingback: Information Commissioner's Office Dispels GDPR Myths

  21. Pingback: Spamtraps and GDPR -

  22. Pingback: GDPR Myths: Sorting fact from fiction - Venturi Group : Venturi Group

  23. Pingback: GDPR Myths: Sorting fact from fiction - Venturi Group US : Venturi Group US

  24. Pingback: UK Recruiter Everything Recruiters Need to Know About GDPR - UK Recruiter

  25. Pingback: Making data protection fit for digital government – FutureGov | Public Sector Blogs

  26. Anonymous says:

    make sure all the information is protected

  27. Pingback: GDPR: Administrative Fines for Data Breach, 4% or 2%? - Froud on Fraud

  28. Pingback: General Data Protection Regulation (GDPR) | Are You Ready?..

  29. Paul Riddle says:

    BBC iPlayer is insisting on registration before use and I do not want information on what I watch shared with third partied as suggested in their terms & conditions. Yet I pay my licence fee which covers iPlayer. What can I do?

  30. Pingback: 10 of the most important cyber security articles of 2017 | CYBSAFE | Resource Centre

  31. Pingback: GDPR is not Y2K | ICO Blog

  32. Pingback: Web Links: 3 January 2018 – Dimitar's Blog

  33. Pingback: GDPR – it’s all about technology and fines, isn’t it? | Identity, Security & Me

  34. Gary says:

    I have read this article more than once and Ive been working in GDPR for over the last 12 months in one form or another. I would like more understanding on the point made here by the Information commissioner. I believe Elizabeth has written this article in good faith and without prejudice.

    However I read a recent publication from the Article 29 Data Protection Working Party adopted 3rd of October 2016/679. Guidelines on the application and setting of administrative fines for the
    purposes of the Regulation 2016/679.

    And within this article are specific areas where supervisory bodies such as the ICO must be consistent with other member states.

    The publication states!
    Consistent enforcement of the data protection rules is central to a harmonised data protection regime. Administrative fines are a central element in the new enforcement regime introduced by the
    Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together
    with the other measures provided by article 58.

    In particular, according to article 70, (1) (e), the European Data Protection Board (hereafter ‘EDPB’)
    is empowered to issue guidelines, recommendations and best practices in order to encourage
    consistent application of this Regulation and article 70, (1), (k) specifies the provision for guidelines
    concerning the setting of administrative fines.

    So my question is, if a supervisory body in another member state, lets say Germany imposes heavy fines for data breaches on a typical SME, do other member states have to be consistent with their fines.

    And then does this mean each supervisory body will be keen to establish what basis that consistency should be on.

  35. Anonymous says:

    16 cases out of 17,000 led to fines. Seems like this is another means of entertaining waste of our taxes. How much did it cost to pander to 17,000 case investigations?

  36. John Hindle says:

    I really appreciate all your comments and input from a commercial perspective, but what about the little guy? The non-professional ‘Joe Public’ who runs or administers a small non-profit making club or society? They were exempt from the procedural requirements under section 36 ‘domestic’ of the DPA, but now it is totally unclear whether the ‘replacement’ section 18 (or Directive 2016/680/EC, depending on what you are reading) referred to as ‘purely personal and household activities’ covers the same thing. There are thousands of such clubs Europe-wide. After the May implementation, are such administrators compliant or are they criminals? It beggars belief that such a fundamental activity is not clearly defined. Has anyone got a definitive answer to this, or should I resign from my little clubs before May 25th?

Leave a Reply