No one could blame you for being intimidated by the new maximum GDPR fine; it is, even by Bill Gates's standards, a lot of money. For those of you who don't know how much your business could be fined in future: it's up to €20,000,000 or 4% of global annual turnover, whichever is higher.
This is the often-quoted figure in reporting on the GDPR because it's large and scary. €20,000,000 is enough money to afford you a private island in Florida, a few sports cars or even 23 orca whales, and I think we can all agree that any of those options is preferable to handing it over in fines.
Elizabeth Denham, the UK Information Commissioner at the Information Commissioner's Office, thinks that worrying purely about the financial threat isn't practical or even necessary. Denham is currently releasing a series of blogs with the aim of clearing up some misconceptions, or 'fake news', about GDPR penalties. She thinks that the size of the maximum fine has left business owners frozen in the headlights and, worse, might lead to them missing the more practical steps that can be taken to avoid any penalties at all.
What not to worry about
Under the current regulation, the largest fine the ICO can hand out is £500,000 – a measly sum next to GDPR’s new maximums. Despite being smaller, even this fine has never been issued in full. TalkTalk, which you’ll no doubt remember suffered a very public data breach affecting 21,000 subscribers, was hit with a record fine from the ICO, but even that was £400,000, or 80% of the maximum £500,000 possible. More reassuringly, of the 17,300 cases opened last year, the TalkTalk fine was one of just 16 data breach cases which resulted in the ICO issuing a financial penalty.
Whilst it’s still not clear if the new GDPR maximum penalties will mean a proportional increase (80% of €20,000,000, instead of £500,000 for example), Denham suggests that the GDPR is not an excuse to start issuing much larger fines.
Information Commissioner’s Office (ICO)
The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
She writes: “Heavy fines for serious breaches reflect just how important personal data is in a 21st-century world. But we intend to use those powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”
Instead of hitting businesses with fines immediately, the ICO will consider the efforts they have made to comply with the new regulation, and it has other means of encouragement which won't leave you bankrupt, so you can still buy those orca whales if you really want to.
What to worry about
Whilst it’s nice to hear that multi-million fines are not hiding around the corner, and businesses will not be ‘made an example of’ as some feared, it’s still vital for business owners to pay close attention to the GDPR. Whilst your bank account might be able to relax a little more now, your obligations can’t.
No, the ICO does not plan to hit lots of companies with the maximum fine, but you are still putting your business's reputation at risk if you fail to show a willingness and an honest attempt to adjust to and comply with the GDPR.
Denham continues: “…the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow. And you can’t insure against that.”
The TalkTalk breach and subsequent fine might not have come close to bankrupting the company, but that wasn’t the point of the fine, nor will it be post-GDPR. TalkTalk is now the go-to example of a massive data breach, and that is a reputation that can’t be bought back, even with €20,000,000.