The European General Data Protection Regulation (GDPR) needs to be taken seriously by business, says UK information commissioner Christopher Graham.
“Fines up to €20m, or up to 4% of global turnover, mean the GDPR is serious about enforcement,” he told the IAPP Europe Data Protection Intensive 2016 conference in London.
“These are figures that should interest the boards of organisations, because they will certainly interest shareholders,” he added.
Graham said the GDPR is about enabling organisations to realise the benefits of the digital era without infringing on the privacy of individuals, but it is serious about enforcement for organisations that do not play within the rules.
He said it is no longer a case of big companies shrugging off fines of up to £500,000 imposed by the Information Commissioner’s Office (ICO).
“This is serious money and serious enforcement that all organisations will do well to plan for very carefully,” he said.
Graham said a large part of being prepared is raising awareness in organisations. “This is something that is slap-bang on the risk register of any organisation, commercial or otherwise, and needs to be taken on board,” he said.
The role of the privacy professional, said Graham, is ensuring that organisations get all the benefits and find the opportunities that digital offers, while avoiding the risks and the pitfalls.
“It’s been said that we thought digital was the ‘new oil’ and then we discovered that it is also the ‘new asbestos’. Privacy is about managing the threats as well as the opportunities,” he said.
For this reason, said Graham, the ICO is very much about advice, guidance and enforcement to ensure the threats to personal privacy are properly managed.
“If organisations get too excited about the opportunities and don’t manage their way through regulation, they are not doing anyone any favours. There are ways to go after the opportunities safely, and if you don’t do that you are going to be in trouble,” he said.
According to Graham, the “clever thing to do” is for organisations to decide where they want to go, while making sure they do not disrespect individuals’ autonomy and the rights of citizens and consumers.
“The ICO is constantly going to be showing organisations how to get the growth and the excitement of doing things in new and exciting ways, but without disrespecting people’s privacy.
“Be ambitious, do what you want to do, but stick to the rules, and the Information Commissioner’s Office will be your ally; but get it wrong and you are going to be in trouble.”
Graham said the ICO is working to make it easier for organisations to comply with the GDPR when it comes into force in two years’ time.
This includes publishing guidance on the ICO’s website, such as 12 steps that organisations can take now, and a “toolkit” for small to medium-sized enterprises (SMEs) for ensuring compliance with the GDPR.
Graham said the ICO is “standing ready” with guidance and advice, and will be working with data protection authorities in Europe to help ease the implementation of the GDPR.