General Data Protection Regulations: greater transparency and greater fines
Written by Samuel O'Toole on 27 October 2017
The General Data Protection Regulations (GDPR) is coming into force on 25 May 2017. Whilst it will provide a more transparent framework for handling personal data, it will also provide for greater fines and stricter conditions.
Fines are not new to the Information Commissioner's Office (ICO). The Data Protection Act 1998 gives the ICO the power to impose fines up to a maximum of £500,000. Although it may not impose this maximum amount very often, there have been a number of recent cases where fines of £400,000 have been imposed. Back in May, Keurboom Communications Ltd was a party to 99.5 million marketing nuisance calls; the ICO did not take kindly to this and imposed a fine of £400,000. However, Keurboom Communications Ltd did not do itself any favours, as the record-level fine was imposed after it failed to comply with the ICO's investigations.
TalkTalk was also fined £400,000 in October after it failed to prevent a data breach in which 150,000 customers' data was put at risk.
However, these fines may only be a drop in the ocean when compared with sections 150(5) and (6) of the new Data Protection Bill. These sections provide that both controllers and processors of personal data may be subject to fines of:
– a lower threshold of €10m or 2% of annual worldwide turnover; and
– a higher threshold of €20m or 4% of annual worldwide turnover.
This may explain why many data controllers and processors have recently been conducting audits and overhauling their data protection policies and protocols. The Information Commissioner, Elizabeth Denham, recently explained that: "It's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred a carrot to the stick."
For a long time now, the Information Commissioner's Office has regarded fines as a last resort, and this may still be the case under the GDPR. That said, the figures suggest that the number of fines is on the up: in 2015 the ICO imposed 11 fines, 2016 saw that figure rise to 34, and 2017 to date has already seen 49 fines imposed by the ICO.
In addition to greater fines, the GDPR will also provide for improved transparency in the processing and handling of personal data. A key requirement is that the processing and handling of personal data will require the "freely given, specific, informed and unambiguous consent" of the individual.