Will you pay the price for breaching the GDPR?
Comments by Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office (“ICO”), at the CDPD conference in Brussels may bring some level of comfort to businesses concerned about the changing fine regime under the GDPR. He said, “…don’t expect a large fine on 26 May. For the first thing, some investigations take 8-12 months to complete”.
Under the existing law (the Data Protection Act 1998), fines for data protection breaches are capped at £500,000. However, from 25 May 2018, the ICO will have the ability to issue much greater fines. For serious breaches of the GDPR, fines will be capped at €20 million or 4% of annual global turnover (whichever is higher) and, for lesser breaches of the GDPR, fines will be capped at €10 million or 2% of annual global turnover (again, whichever is higher).
Mr Eckersley’s statement reiterates the ICO’s earlier comments in its “myth-busting blogs” in which the ICO suggested that, “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
On the other hand, more cynical observers may point to the fact that the ICO is looking to increase its resources in order to deal with GDPR compliance issues as a sign of the ICO's changing approach. They may also point to recent fines of £400,000, £350,000 and £300,000 (in the last two months alone) as corroborative evidence of the ICO's willingness to impose significant fines for serious breaches. The ICO's 2016/2017 Annual Report also revealed a record number of fines raised by the ICO under the Privacy and Electronic Communications Regulations. According to Mr Eckersley, the ICO is looking to recruit an additional 100 to 150 people to work on aspects of the GDPR and cyber security in response to the predicted 30,000 breach notifications per year.
The statement does serve as a useful reminder that the ICO has a number of other powers available to it besides imposing fines. It can issue enforcement notices and, in the case of a minor breach, or where a fine would be disproportionate to the breach, a warning may be issued instead of a fine.
In addition, there are other, wider commercial risks for non-compliance. Perhaps the greatest risk arising from a data breach has always been the associated reputational damage, and the ICO has, somewhat unhelpfully, been keen to reiterate that point in recent months. Separately from these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of a breach. Many businesses will also have major concerns about potentially facing group actions for data breaches, particularly following the judgment in the Morrisons case in December 2017 (Various Claimants v VM Morrisons Supermarket PLC [2017] EWHC 3113 (QB)).
Whilst we hope that Mr Eckersley's comments provide some comfort to businesses concerned about their exposure under the GDPR, the best way to avoid being subject to any enforcement action by the ICO after May 2018 is to take steps now to make sure that your house is in order before then.
If you would like more information on the GDPR and the changes that we should be expecting you can contact Arjun Majumdar, or you can give us a call on 0345 070 6000.
We are also hosting a GDPR: An Introduction seminar on Thursday 29 March at our Milton Keynes office. If you're feeling overwhelmed by the GDPR and need some guidance, you can book your place here.