With the date on which the new European Union General Data Protection Regulations come into force (May 25, 2018) getting ever closer, talk on news sites and by bloggers about their content and their effects on organizations of all kinds across the world has grown. However, according to the UK’s Information Commissioner’s Office (ICO), which is in charge of overseeing the implementation of GDPR in the UK, not everything that you read about the General Data Protection Regulations is true.
Speaking in the first of a series of blogs on the implementation of the new European Union General Data Protection Regulations, Elizabeth Denham, the Information Commissioner, says:
“For the most part, writers, bloggers and expert speakers have their facts straight. And what they say – and sometimes challenge – helps organisations prepare for what’s ahead. And there’s a lot to take in. The Data Protection Bill announced this week gives more detail of the reforms beyond the GDPR, for example. But there’s also some misinformation out there too. And I’m worried that the misinformation is in danger of being considered truth.”
She goes on to list some of the myths that she has heard: “‘GDPR will stop dentists ringing patients to remind them about appointments’ or ‘cleaners and gardeners will face massive fines that will put them out of business’ or ‘all breaches must be reported under GDPR’. I’ve even read that big fines will help fund our work.”
For the record, she says, all of these statements are incorrect. In view of such misinformation, Denham has announced that the Information Commissioner’s Office will be publishing a series of blogs to help to bust the myths that surround GDPR and separate fact from fiction. She says: “If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.”
The first myth that Denham tackles is that the biggest threat to organisations from the General Data Protection Regulations is the large fines that can be imposed on them for non-compliance. She says: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
She goes on to say that it is true that the Information Commissioner’s Office will have the power to impose fines much higher than the current limit of £500,000 under the Data Protection Act, and will be able to issue fines of up to £17 million or 4% of turnover, whichever is greater. However, these will be a last resort, and the ICO will not be looking to make examples of organisations.
“…it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm,” she said, adding that the ICO will continue to guide, advise and educate organisations about how to comply with the law as set out in the ICO’s Information Rights Strategy.