GDPR and fines

It seems the Information Commissioner’s Office (ICO) is getting a little fed up with misinformation about the General Data Protection Regulation (GDPR), and so it is publishing a series of blog posts “sorting the fact from the fiction”. We tend to agree with the ICO on this. There is a lot of misinformation about the GDPR: articles that speak as though this is the first time businesses have had to worry about data protection; companies pushing their services as though a product that addresses only one element of data protection is the solution to total GDPR compliance; and plenty of organisations using GDPR as a sales hook while appearing to know very little about data protection compliance as a whole.

Interestingly, the ICO’s first post in the series is about fines. Data protection fines are something we get asked about quite a bit. Most recently we were asked by a couple of companies to confirm that there was a set procedure for an ICO investigation, and that fines were step 3 in that process, i.e. that there was a chance to get away with a breach a couple of times before you’d get a fine. The GDPR maximum fine of 4% of global annual turnover or €20m is also often the stick being waved to get businesses to realise the seriousness of GDPR compliance. Another common assumption is that data protection only applies to large corporates processing large quantities of consumer data.

You only have to look at the ICO’s investigations and the action it has taken to see that there is no fixed rule to its approach, other than enforcing citizens’ rights to have their data and privacy protected.

Proportionality

The thing to consider when it comes to fines is proportionality. Under the Data Protection Act 1998 the ICO has the power to issue monetary penalties of up to £500,000, yet the largest fine it has actually imposed is the £400,000 penalty against TalkTalk for its 2015 breach (TalkTalk’s failure to protect customer data allowed a cyber attack that resulted in the theft of customer data). Even in the most serious case to date, the ICO stopped short of the statutory maximum.

The same is going to be true under GDPR. Yes, the GDPR allows for fines of up to 4% of global annual turnover or €20m (whichever is higher) for the most serious infringements, but this does not mean that this is what the ICO will be dishing out for breaches when the GDPR applies in the UK next May. This is the point of the ICO’s myth-busting post: as they put it, “this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.” They go on to confirm that they “intend to use [GDPR] powers proportionately and judiciously”.

Existing enforcement

You then need to look at some examples of where the ICO has taken action to see that its approach really does depend on the circumstances.

Basildon Borough Council, for example, was fined £150,000 for publishing sensitive personal data. But in the case of the Royal Free NHS Trust and Google DeepMind, the ICO required the Trust to sign an undertaking setting out the changes needed in its procedures. No fine was issued, even though around 1.6 million patients’ records were shared with DeepMind (Google’s artificial intelligence subsidiary) without patients being properly informed.

Preparation: policy, process, people

When it comes to data protection compliance, it’s about making sure your business has the right policies and procedures in place and that your employees understand their responsibilities under them.

Whilst there is no formula that sets out the procedure the ICO follows when it’s alerted to a potential breach, if you can demonstrate that you have at least thought about compliance and your responsibilities, and have instilled a data compliance ethos in your business, you’ll probably be in a good position should the ICO investigate. There’s no guarantee you won’t be fined, but you’ll be in a better position than a business that is unable to demonstrate it has considered how data protection affects it.

Act now

Data protection laws, including the GDPR, apply to every business, large or small. Sticking your head in the sand and ignoring them because you think you’ll never get found out isn’t a compliance strategy. An ICO investigation, fine or even an enforcement notice could be the end of your business, and even if the fine doesn’t get you, your reputation could be at risk.

So, what should you do? The GDPR is a complex piece of legislation, but at the risk of over-simplifying it, following these steps will get you on the right road to compliance:

  1. Carry out a data protection audit. Look at what data you store and process, what systems you’re using and what policies and procedures your business has in place relating to data protection; then assess these against what the GDPR requires and come up with a plan of action for addressing the gaps.
  2. Make sure you have policies and procedures in place across your business that set out how you take data protection seriously and what that means in practice. This will enable your staff to understand your expectations and their responsibilities.
  3. Put in place staff training: general training for all staff and specialised training for the teams that handle your data (e.g. sales, support, customer services, marketing, etc.).
  4. Keep the business up to date on training, policy reviews and changes in the law. Don’t forget that, as well as the GDPR applying from May 2018, we have the Data Protection Bill, the proposed ePrivacy Regulation and Brexit happening at various times over the next couple of years.
  5. Make sure your business is prepared for ongoing compliance. Getting your business compliant with data protection law is not a box-ticking exercise. As well as ongoing training and review, you need to be able to deal with subject access requests and individuals’ other rights, including the new GDPR right to data portability and the right to erasure (the “right to be forgotten”).

The Digital Compliance Hub can help with all of this. It provides guidance and toolkits (including a GDPR Audit Plan), and we have a support hotline to help you if and when you have questions or are uncertain about some aspect of compliance. We can also offer consultancy services, including GDPR audits, ongoing management and training.

You’ve got until May to get GDPR compliant, and for most businesses that’s probably enough time if you start looking at it now.