“The biggest threat to organisations from the GDPR is massive fines.”
This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.
Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.
And that concerns me.
It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.
Our Information Rights Strategy – a blueprint for my five-year term in office – confirms that commitment.
And just look at our record:
Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.
And we have yet to invoke our maximum powers.
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense.
Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.
But we intend to use those powers proportionately and judiciously.
And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.
Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket, their reputations will suffer a significant blow.
And you can’t insure against that.
“You must have consent if you want to process personal data.”
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.
Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information.
Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.
The new law provides five other ways of processing data that may be more appropriate than consent.
‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working to publish guidance on it next year.
But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.
Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.
But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.
“I can’t start planning for new consent rules until the ICO’s formal guidance is published.”
I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.
Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.
Reproduced from content on the UK Information Commissioner's Office website. For further information please visit www.ico.org.uk