In a blog, Elizabeth Denham says it’s nonsense to suggest her office will be handing out huge fines routinely once the General Data Protection Regulation comes into force
Fines will be the last resort under the General Data Protection Regulation, Elizabeth Denham, the Information Commissioner, has said.
In a blog published on the Information Commissioner’s Office website yesterday afternoon, Denham said she was concerned by reports suggesting the data regulator would be routinely handing out massive fines once the GDPR came into force on 25 May next year.
The EU legislation will impose more stringent privacy and consent rules on data-sharing and processing by charities, companies and other organisations, and will allow breaches to be punished with fines of up to £17m or 4 per cent of annual global turnover, whichever is larger.
Under the Data Protection Act 1998, which the GDPR will replace, the maximum fine is £500,000.
But in her blog Denham dismissed as “nonsense” predictions of huge fines based on previous penalties levied by the ICO and scaled up to the level allowed under the GDPR.
She said: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
Heavy fines for serious breaches reflected the importance of personal data in the 21st century, Denham said, but the ICO intended to use the powers the GDPR will grant it “proportionately and judiciously”.
In late 2016 and early 2017, the ICO investigated and issued fines totalling £181,000 to 13 charities for breaching data-protection rules after the Daily Mail and The Mail on Sunday newspapers carried out investigations into fundraising practices involving several major charities.
In February, Denham revealed that she had used her discretion to reduce the fines handed out by as much as 90 per cent because they were being issued to charities.
In her blog, Denham said the watchdog had always “preferred the carrot to the stick” in its approach to regulation.
“Just look at our record,” she said. “Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”
She said the ICO had yet to invoke the maximum powers available to it under the DPA.
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective,” she said.