From 25 May, Elizabeth Denham will have the power to issue fines of up to 4% of a business' annual global turnover, or €20 million, whichever is higher, where the business is responsible for certain breaches of the new General Data Protection Regulation (GDPR). Other types of breaches could attract fines of up to 2% of annual global turnover, or €10 million.
However, on Monday, Denham said she plans to stick with the Information Commissioner's Office's (ICO's) existing approach to enforcement when the GDPR begins to apply. She described enforcement as "a last resort".
"I have no intention of changing the ICO’s proportionate and pragmatic approach after 25 May," Denham said in a speech at the ICO's annual data protection practitioners conference. "Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law."
"Those organisations that self-report, engage with us to resolve issues and can demonstrate effective accountability arrangements can expect this to be a factor when we consider any regulatory action," she said.
Denham said that there are other enforcement options beyond fines that the ICO could use to improve compliance.
"When we do need to apply a sanction, fines will not always be the most appropriate or effective choice," Denham said. "Compulsory data protection audits, warnings, reprimands, and enforcement notices are all important enforcement tools. The ICO can even stop an organisation processing data."
"None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on their reputation and, ultimately, their bottom line," she said.
Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said that Denham's comments make it clear that the ICO's enforcement strategy will "include audits, reprimands, warnings and prohibition notices". She said this reflects the action the ICO has taken to date.
"The ICO's 2016/2017 annual report does demonstrate that the ICO uses advisory visits, audits and risk reviews as a way in which to manage compliance," Gillespie said. "However, companies should not be complacent as the report also showed that there were more fines for breaches of e-Privacy laws than ever before, with 23 fines totalling nearly £2 million, and 16 fines issued for breaches of the Data Protection Act, totalling more than £1.6m."
Gillespie said that a further trend is the increase in the number of criminal cases the ICO is pursuing. According to its annual report, there was a 50% increase in the number of criminal cases resulting in conviction last year, and prosecution for section 55 offences increased by 267%, she said.
"The GDPR is raising the stakes – whilst the information commissioner has indicated her intention to remain committed to proportionate enforcement action, it is likely that with increased public awareness of data protection and the requirement to report serious breaches, enforcement will be a key concern for businesses when the Regulation begins to apply," Gillespie said.