In the first of a series of blog posts designed to separate fact from fiction, the Commissioner tackles the thorny issue of potential fines under GDPR, and pledges to publish future "myth-busting" blogs on consent, guidance, the burden on business and breach reporting.
Denham writes: "If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.
"So, I want to set the record straight. I want to bust the myths. Because I know that most organisations want to get the GDPR right when it comes into force."
With much of the media coverage focusing on the threat of fines of up to €20m (£17m) or 4% of global turnover, Denham insists: "This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point."
She adds that it is "scaremongering" to suggest that the ICO will be making early examples of organisations for minor infringements or that maximum fines will become the norm, noting that "we have always preferred the carrot to the stick".
"Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense," Denham asserts.
"Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. But we intend to use those powers proportionately and judiciously. We have access to lots of other tools that are well-suited to the task at hand and just as effective.
"Like the Data Protection Act, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket, their reputations will suffer a significant blow. And you can't insure against that."