GDPR update: News about fines and consent
This article is a brief update on important information provided by the Information Commissioner’s Office (“ICO”) in the last 2 weeks.
An update on fines
The ICO has said that it does not intend to start issuing huge fines on the day after the GDPR comes into force. The primary aim of the GDPR is to enable individuals to have better control of their personal data and to enhance data subjects’ rights. The ICO says “…it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
Many might see this as a somewhat contradictory statement in light of the ICO’s 2016/17 Annual Report, which revealed a record number of fines raised by the ICO under the Privacy and Electronic Communications Regulations (“PECR”). The annual report also revealed that the number of complaints from data subjects was on the rise, up to 18,300.
The ICO also refutes the suggestion that it will use big fines to help fund its work, but has not clarified how it intends to deal with the funding shortfall caused by the removal of notification fees from May 2018.
If nothing else, the ICO’s note ends on a less than helpful tone with a reminder that the biggest tool in the ICO’s arsenal is the damage to reputation caused by any investigation it undertakes, whether or not it ends in an administrative fine.
An update on consent
The issue of consent has been perhaps one of the most popular GDPR topics over the last 5 months as businesses grapple with the ICO’s draft guidance. This guidance has been highly controversial, and the ICO’s recent note on consent does little to address many of the technical points which remain unresolved. One of the main controversies is the apparent need for consent notices to name the third parties with whom personal data will be shared, something which neither the current PECR guidance nor the GDPR specifically requires.
The ICO’s blog on consent is helpful in explaining that consent is not the only legal basis on which personal data can be processed.
The ICO’s consultation period for the consent guidance closed in March 2017 and the final version was due to be published this summer. However, that timetable has been pushed back to coincide with EU-wide guidance on consent, which is due to be published in December 2017. The ICO state that they “…know many people are waiting for us to publish our final guidance on consent… but the ICO’s draft guidance is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.”
This observation is arguably unhelpful. The ICO has form for making minor changes to guidance which have the effect of substantially changing the operational outcomes for businesses shortly before new law is implemented (the ICO’s change of guidance regarding implied consent for cookie notices in May 2013 is a case in point). Whatever your view, the ICO’s draft consent guidance is an important indication of the direction of travel, if not the final destination.
We act for many businesses to help them get ready for the GDPR. If you would like to find out more about what we are doing or require support or advice, please contact Matthew Holman.
We will be hosting a breakfast seminar in September for those who are new to the GDPR or want to attend an introductory session. If you would like to attend, sign up here.
More details about our specialist round table workshops will be published soon, with the next series due to take place in October.