The ICO has launched a blog series to address the common misconceptions around GDPR. Concerns that come through on their hotline include “GDPR will stop dentists ringing patients to remind them about appointments”, “all breaches must be reported under GDPR” or “cleaners and gardeners will face massive fines that will put them out of business”.
None of these is true. This blog addresses and simplifies three of the most common myths surrounding GDPR.
The ICO will cripple us with massive fines for non-compliance
The punitive powers of the ICO under GDPR have been widely publicised, with the maximum fine rising from £500,000 under the current Data Protection Act (DPA) to €20 million (roughly £17 million) or four per cent of global annual turnover, whichever is higher, under GDPR.
However, Information Commissioner Elizabeth Denham does not welcome “the scaremongering” around this and stresses that her office does not plan on “making early examples of organisations for minor infringements or that maximum fines will become the norm.” It is perhaps worth noting the use of the word “early”.
To add credence to Denham’s stance, consider that last year (2016/17) the ICO closed 17,300 cases and only 16 of them resulted in fines. None of those fines was anywhere near the maximum. In fact, in all the time since the DPA was introduced, the ICO has never (so far, anyway) imposed the maximum penalty available to it.
We must report all personal data breaches to the ICO – and immediately
Under GDPR, a personal data breach only has to be reported to the ICO if it is likely to result in a risk to individuals’ rights and freedoms, for example if it could lead to financial loss, damage to reputation or discrimination.
So if the breach is unlikely to put people’s rights and freedoms at risk, there is no need to report it to the ICO. Notifying the individuals affected is a separate, higher bar: that is only required where the breach is likely to result in a high risk to them. Note that every breach, reported or not, must still be recorded internally, along with the facts, its effects and the remedial action taken, so that the ICO can verify the decision if asked. If you’re not sure whether a breach is reportable, contact the ICO and they can advise.
In terms of having to report immediately, the ICO states that “under the GDPR there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms without undue delay and, where feasible, not later than 72 hours after becoming aware of it”.
In fact, under GDPR an organisation does not have to have all the details to hand when it first reports; it can provide further information in phases as the investigation progresses. The ICO does, though, make it clear that it would expect you to advise it of:
- the potential scope of the breach
- the cause of the breach
- mitigating action you plan to take to manage the breach
- what you plan to do to address the underlying problem that led to the breach
Data breach reporting is all about punishing organisations and generating revenue in fines
While the ICO has colossal punitive clout, Denham highlights the whole point of the regulation: to protect consumers and push organisations to “step up their ability to detect and deter breaches… not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
To help you and your organisation prepare for GDPR, Me Learning has teamed up with industry experts to develop a series of GDPR e-learning courses.