GDPR – sorting the fact from the fiction

By Elizabeth Denham, Information Commissioner.

Fake-news-fines-blogThe General Data Protection Regulation comes into force on 25 May 2018.

That’s not new news. But it is a fact.

It’s also fact that not everything you read or hear about the GDPR is true.

For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead.

And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example.

But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.

GDPR will stop dentists ringing patients to remind them about appointments” or “cleaners and gardeners will face massive fines that will put them out of business” or “all breaches must be reported under GDPR”. I’ve even read that big fines will help fund our work.

For the record, these are all wrong.

If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.

So, I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force in 289 days.

This is the first in a series of blogs to separate the fact from the fiction. We’ll be publishing future myth-busting blogs on consent, guidance, the burden on business and breach reporting.

Myth #1:

The biggest threat to organisations from the GDPR is massive fines.

Fact:

This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.

Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.

And that concerns me.

It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.

And just look at our record:

Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.

And we have yet to invoke our maximum powers.

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.

Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

But we intend to use those powers proportionately and judiciously.

And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.

Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.

And you can’t insure against that.

elizabeth-denham-blogElizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
This entry was posted in Elizabeth Denham and tagged , , , . Bookmark the permalink.

93 Responses to GDPR – sorting the fact from the fiction

  1. Pingback: Information Commissioner gives guidance on GDPR consent - Cook Lawyers

  2. Pingback: Is your company going to be GDPR compliant? - Profits.plus

  3. nomadsquire says:

    Whilst it is reassuring to learn from the ICO that less than 0.1% of investigations last year resulted in fines, nonetheless the rules are sharpening up under GDPR and the likelihood is that the percentage of investigations that result in a fine will undoubtedly go up from the middle of 2018. But there’s more to be concerned about than just fines – the more onerous worry is the potential judicial remedies that are likely to be sought: a complaint may end up in a Court of Law, where the damages felt may be a lot more than any fine. There is also the issue of ‘Brand’, where the Press will have a field day ‘naming and shaming’ organisations that flout individuals’ Right to privacy… this is an area where the “principle of proportionality” laid out in the law cannot be controlled by Regulators and judges: the people will decide. Sadly, one only has to look at the TalkTalk case study to see the effects of a case gone awry that resulted in a massive dent in the trust of the company that led to some fearsome financial penalties, not least an impressive loss of share-value. I agree with the ICO that the bottom line, if you wish to avoid any of the above scenarios, is that you should simply comply with GDPR and put the privacy of any individual you deal with (in or outside of the EU) at the heart of everything you do, which is why priviness (the “privacy of business”) will become the de facto standard

  4. Guy Pyetan says:

    As I’ve been saying right from the start, the safest thing to do with GDPR is err on the side of caution. Make sure you have compliant, sensible, secure policies, processes and systems in place. If you do this then even if a case gets to court it will be in your favour thta you showed willing and did your best. It might not entirely eliminate a fine or even stop you having to make payouts but it could well mitigate them.

  5. I understand that the ICO is recruiting ex-police officers to investigate data breaches could you tell me what percentage of the total staff recruited in the last six months are ex-police?

    • icocomms says:

      Phillip in answer to your comment. 5.5% of the staff who have started work with the ICO in the last 6 months are ‘ex-police’. This means that they have worked with a police force, not necessarily that they were police officers.

  6. Pingback: GDPR – setting the record straight on data breach reporting | ICO Blog

  7. Pingback: Three Reasons why a ‘Wait and See’ Approach Will NOT Work with GDPR

  8. Darren Revell says:

    GDPR Myths this week. WordPress websites can’t achieve GDPR compliance. If you don’t have ISO accreditations you can’t be GDPR compliant. GSPR compliance can’t be given to suppliers with low credit scores. GDPR can’t be achieved if you keep your UK data on a German Server. That is just this week on LinkedIN and most all of them came from one firm.

  9. roger buckley says:

    I am assuming that the current bill will exactly mirror the European requirements of GDPR, and therefore we should plan for what we know are the European requirements. will you be providing a commentary on any variances introduced under the Bill’s passage ?
    thanks Roger

  10. Pingback: 8 GDPR myths - all busted! | E RADAR

  11. Tim Bartlett says:

    What is the impact and implication for business to business email marketing regarding consent? Thanks, Tim

  12. Pingback: GDPR – setting the record straight on data breach reporting | | OpSecure

  13. Pingback: The Data Protection Bill: A Summary | Blog Now

  14. Pingback: Damage to Reputation could be more Costly than GDPR Fines

  15. Pingback: GDPR: How prepared are you for May 2018?

  16. Gavin Griffiths says:

    Elizabeth Denham, this is a really well written piece which puts in place the ICO stance on this new law. It’s a little shocking that some comments after this seems to still bypass the mindsets of people!
    I think where some are falling down today is the understanding that most (if not all) large companies with personal data are not flippant by the way they protect this information currently.

    Meaning, not a great deal has to change within!

Leave a Reply