Out-Law News

UK watchdog seeks to quell fears about heavy fines under the GDPR

Businesses that are responsible for "minor infringements" of new EU data protection laws shortly after they come into effect will not be made an example of, the UK's information commissioner has said.

Elizabeth Denham rejected that concern as "scaremongering" and said that other predictions that businesses will routinely face "maximum fines" under the new General Data Protection Regulation (GDPR) were misplaced.

She said she was concerned that businesses might believe the GDPR is "about crippling financial punishment", and said it was a "myth" to say that the biggest threat to organisations from the GDPR is "massive fines".

Denham said: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA (Data Protection Act) allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."

The Information Commissioner's Office (ICO) will only issue fines under the GDPR as "a last resort", she said. Denham also took issue with forecasters who believe the level of fines imposed under the GDPR will simply be a "scale up" of penalties issued under the Data Protection Act.

"Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense," Denham said. "Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously."

Under the GDPR, the ICO will consider other sanctions for non-compliance beyond its powers to issue fines, Denham said.

"While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective," she said. "Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that."

The GDPR, finalised last year, will apply from 25 May 2018. The UK government recently set out a statement of intent which contained its broad plans for a new Data Protection Bill. The Bill is expected to be introduced before the UK parliament next month. While the GDPR will have direct application in the UK, the new Bill will contain UK-specific rules to account for the various obligations, derogations and exceptions provided for in the Regulation.
