0800 0482 737

Keep Calm and Follow GDPR

Keep Calm and Follow GDPR

With only days remaining before GDPR comes into force, there is still a degree of uncertainty around some of the fining powers that the Information Commissioner's Office (ICO) will have under the Regulations. The maximum fine under the present law is £500,000. Under GDPR, this increases to £17 million or 4% of the company’s global turnover; whichever is higher. So naturally, with the new powers coming into force, organisations are highly concerned about how they will be exercised by the ICO.

Fining powers under GDPR 

Some data controllers have reacted to the new fining powers under the GDPR by requesting unlimited or unreasonably high liability caps for data processers. Unfortunately, there has been no formal guidance that has been provided by the ICO in respect of their new fining powers. ICO Commissioner Elizabeth Denham has given some insights in a speech on 23rd March 2018, she said; 

"The GDPR increases and intensifies my regulatory armoury – from issuing warnings or reprimands to fining those that deliberately, consistently or negligently flout the law up to £17 million or four per cent of annual global turnover, whichever is greater. I can even stop an organisation from processing personal data. This regulator will have teeth! But I prefer the bark to the bite and my office is committed to prevention over punishment."

 

Based on the above statement, fining a company will be an action that is taken very sparingly by the ICO and only against those that ‘deliberately, consistently or negligently flout the law”. In cases which do not fall in this category of behaviour, the ICO will issue warnings or reprimands to encourage GDPR compliance rather than immediate punishment. 

The risk of being fined

Judging by the Commissioner’s speech, the ICO will focus it’s punitive measures on companies who deliberately flout the law or are grossly negligent in relation to their processes. They will be the ones that are at risk of being fined. An example of this type of case is that of Cambridge Analytica, if what’s alleged against them is proven. But, in relation to companies who are effectively trying to comply with GDPR, and have put in place effective measures and do not seek to deliberately flout the law, they will not be at risk of being fined if they breach GDPR. If there was an error or a mistake which breached GDPR, then the ICO would consider a warning or reprimand prior to fining.

If data controllers or processors are in fear of the ICO’s new powers under GDPR, all they need to do to mitigate their risk is to be compliant and to cooperate and do the right thing in terms of internal processes to ensure compliance. In the likely event that a breach occurs, the company is not at any real risk of being fined.

Keep Calm and Follow GDPR

Companies who ‘do the right thing’ and work towards full compliance need not be concerned by the additional fining powers as they are unlikely to be the targets in the event of a breach and data controllers should therefore focus on their data processors overall compliance with GDPR and the measures that the processor has put in place to ensure compliance; rather than liability caps. After all, liability caps do not make data processes any more secure; but a data processor who has in place adequate data security and other measures will substantially mitigate the risk of a GDPR breach and an ICO fine. We therefore need to ‘Keep Calm and Follow GDPR’.

SD Worx product compliance 

For more information, view our GDPR Whitepaper, where we highlight the steps we have taken to ensure our products and solutions are compliant. 

Related articles:

Download whitepaper

About the author

Leon Daniel
Head of Legal

Leon is Head of Legal at SD Worx and also the Company Secretary. He has substantial commercial and technology law experience garnered from an extensive legal career within industry. 

Leon joined SD Worx from the FTSE top 30 company, Centrica PLC and has held Senior Counsel roles at Ascential PLC (formerly EMAP); Affinion International and JDA Software. He has considerable experience drafting and negotiating complex, high value commercial deals.