UK ICO dispels GDPR myths
4 May 2018
Reports on the imminent General Data Protection Regulation (GDPR) have featured so much misinformation that UK Information Commissioner Elizabeth Denham has had to dedicate much of her time separating myths from facts.
Denham elaborated on the truth behind the biggest GDPR myths at a data protection conference in London.
Myth 1: Massive fines will be routine
Headlines on GDPR have been dominated by the maximum fines for non-compliance of €20 million or four percent of annual worldwide turnover, whichever is higher, but these will not be the default sanction for every infringement of the regulation.
The ICO wants to encourage voluntary compliance rather than lead with draconian penalties.
“When we do need to apply a sanction, fines will not always be the most appropriate or effective choice,” said Denham. “Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools.
“None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line.”
She added that organisations can reduce their exposure by engaging with the ICO, demonstrating effective accountability, and reporting breaches to the regulator when they are required to.
The UK ICO has generally been viewed as taking a fair and pragmatic approach to enforcing data protection. It has yet to invoke its maximum powers, and last year issued fines in only 16 of the 17,300 cases it concluded. Nonetheless, Denham warned that the ICO would take tough action if required.
“Hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law,” she said.
Myth 2: You need to report every breach to the ICO
The eye-popping potential fines have led many people to worry about how they will report every personal data breach. In many cases, they will not need to inform the ICO at all.
The risk that a breach poses to the people concerned determines whether it must be reported. Notifying the ICO is mandatory only where the breach is likely to result in a risk to individuals' rights and freedoms, and where it is, the GDPR requires notification without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Where the risk is high, the organisation responsible must also inform the affected individuals directly.
The ICO has improved the reporting process for breaches that do require notification.
The new service can handle 30,000 reports a year. To help organisations understand whether they need to notify the ICO of a breach, a telephone-based reporting service has been created to provide a fast and direct entry point.
“Call our breach reporting line and you’ll get a human response; our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days,” said Denham.
“We’ve built a dedicated team to deal with data breach reporting and we’ll be extending the hours of the office to manage reporting under the GDPR and NIS Directive.”
Organisations across Europe have been looking to information and data protection commissioners for a steer as to how enforcement will play out after the 25 May deadline. Commentators here have said that the Irish Data Protection Commissioner Helen Dixon may lead with a request for documentation to assess levels of compliance, before more intense measures are brought to bear.
The comments from the UK ICO point to a carrot-before-stick approach that may reassure many organisations. Even so, concern remains high as final preparations to achieve compliance are made.
IDG News Service and TechCentral Reporters