It is now less than 12 months until the implementation of the General Data Protection Regulation (GDPR) in the UK and I have started to notice significant numbers of publications and press releases from various organisations which suggest that there will be a change in regulatory approach towards breach of the GDPR and imply that there will be a more aggressive approach towards penalties. Many of these publications dwell on the increase in potential maximum fine to 20m Euro or 4% of global business turnover without really reflecting upon the present approach of the Information Commissioner’s Office (ICO) towards fines and examining how often the ICO applies a maximum penalty under the present regime.
It seems to me that this type of sensationalist approach will not offer the most accurate analysis of how the new regime will work. There also seems to be a correlation between the authors of some of these press releases and the increasing pool of businesses which are offering “training” on the GDPR (it is often illuminating how many of these businesses are themselves in breach of the GDPR provisions – usually due to a failure to publicise a compliant privacy statement on their websites).
There is no doubt that the new legislation will provide scope for potentially large awards and a significant increase upon the existing maximum penalty of £500,000, but there is no evidence which is presently available to suggest that there will be a change in the regulatory approach of the ICO. The existing ICO guidance on issuing monetary penalties confirms that factors such as the economic impact of penalties upon the operation of a business will be a factor to be considered before the decision is made to impose a fine and I expect that this approach will continue. There is little benefit to society if the consequence of a fine is a terminal impact upon a business and this type of practical consideration will continue long after the new legislation takes effect.
Additionally it is worth noting that the ICO has never imposed a fine up to, or even close to the maximum level under the present regime. The unfortunate record holder being Talktalk who received a fine of £400,000 following their massive data breach in 2016 and it is likely that following the implementation of the GDPR future penalties will be broadly consistent with past decisions.
While the threat of “super fines” may be something of a sales tactic, it undoubtedly makes sense for businesses to begin examining their data policies and ensure that they will be best placed to meet the obligations under the new regime next May.
Anyone requiring advice and support on data protection and people issues is invited to contact the author at gunnercooke solicitors on 0330 2233288 (email firstname.lastname@example.org)