tashka2000 - Fotolia

ICO hits out at misinformation about GDPR

The Information Commissioner’s Office has warned against misinformation about the EU’s new data protection rules and how they will be applied

UK information commissioner Elizabeth Denham has warned that not everything written or said about the EU’s General Data Protection Regulation (GDPR) is true, assuring UK businesses that they will not be hit with fines for minor infringements and that maximum fines will not become common.

For the most part, commentators have their facts straight, she said. “But there’s also some misinformation out there. And I’m worried that the misinformation is in danger of being considered truth,” she wrote in a blog post.

For example, said Denham, it is not true that the GDPR will stop dentists ringing patients to remind them about appointments, that the GDPR requires all breaches to be reported, or that the big fines will help fund the ICO’s work.

“If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability,” she said.

With less than 10 months to go before the GDPR compliance deadline, Denham said she would be publishing a series of blogs to “bust the myths” and “separate fact from fiction” to help organisations to be compliant by 25 May 2018.

The first myth Denham tackled is that the biggest threat to organisations from the GDPR is massive fines. “This law is not about fines,” she said. “It’s about putting the consumer and citizen first. We can’t lose sight of that.”

Denham said it is true that the ICO will have the power to impose fines much bigger than the £500,000 limit set by the Data Protection Act, and that companies are fearful of the maximum £17m or 4% of turnover under the planned UK data protection law.

“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm,” she said, adding that the ICO will continue to guide, advise and educate organisations about how to comply with the law as set out in the ICO’s Information Rights Strategy.

Read more about GDPR

Denham said issuing fines has always been, and will continue to be, a last resort, pointing out that in past year, the ICO dealt with 17,300 data protection cases, but only 16 of them resulted in fines.

The ICO has yet to invoke its maximum penalty, she said. “Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.”

Denham said the UK fought for increased powers when the GDPR was being drawn up because heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

“But we intend to use those powers proportionately and judiciously,” she said. “And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools.”

These include sanctions to help organisations comply – warnings, reprimands and corrective orders.

Denham said future myth-busting blogs will cover topics such as consent, guidance, the burden on business and breach reporting. .........................................................................................................................

Read more on Privacy and data protection