Experts urge employers to focus on their areas of risk rather than possible penalties

Large fines under the General Data Protection Regulation (GDPR) will be reserved for only the most serious of breaches, rather than being the ‘norm’, the UK information commissioner has said.

The maximum fine under the regulations – €20m (£17m in the UK) or 4 per cent of annual global turnover – is significantly larger than those currently imposed by the Information Commissioner’s Office (ICO) for data breaches. The regulations have implications for recruitment processes, as well as for the information organisations hold on their employees.

However, in a blog post earlier this week, Elizabeth Denham, the Information Commissioner, said: “Thinking that GDPR is about crippling financial punishment misses the point.

“It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us… But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm.”

Denham pointed out that issuing fines had always been the last resort for the ICO and, of the 17,300 cases the office concluded last year, just 16 led to fines being imposed.

“With the ICO stating this week that the maximum fine won't be the norm, their aim is rightly to reassure organisations that this won't mean reaching a sudden 'cliff edge' – minor errors are very unlikely to result in multimillion-pound fines,” said James Drury-Smith, director of data protection legal services at PwC.

"What's important is that organisations take an approach to their GDPR preparations that is specifically tailored to the key areas of risk they face. If organisations start to think they'll be fined significant amounts for everything, that could create more panic than is necessary and could be unhelpful when they should be trying to put the right focus on areas to correct.”

The GDPR is due to come into force on 25 May 2018. The law stems from the EU but, on Monday, the Department for Digital, Culture, Media and Sport announced plans to introduce the law in the UK through the data protection bill.

Among other things, the proposed bill will create a right to be forgotten, make it easier to withdraw consent for personal information to be used and allow people to ask companies to erase whatever data they hold on them.

“The new data protection bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said Matt Hancock, digital minister. “The bill will give people more control over their data, require more consent for its use and prepare Britain for Brexit.”

Previous research has suggested that people are already mulling how they will use the rights when the law comes into force next year. A survey by data analytics company SAS, released last month, revealed that a fifth (21 per cent) of people intend to ask their employer or an ex-employer to delete the information they hold on them. A similar proportion (22 per cent) said they were contemplating using the GDPR to find out what personal data their employer has on them.


Related articles

Fifth of Brits would ask employers to delete personal details under GDPR

Businesses urged to ‘seriously think about overhauling’ data processes – or risk falling foul of the regulations

HR urged to make GDPR training ‘real’ and ‘relevant’

Fifth of IT decision-makers not confident their businesses will be fully compliant by next year