ICO to take proportionate actions for GDPR non-compliance
As the May deadline draws ever closer, businesses should of course be doing all they can to get as close as possible to GDPR compliance. We know this can be particularly tough for small companies with limited budgets to engage outside consultants to help guide them through the process. And with constant reminders of the price you’ll pay if you don’t get your house in order (a maximum of €20m or 4% of annual turnover, whichever is higher), it’s not something that can wait.
But businesses and other organisations don’t need to panic that they’re going to be hit with a big fine on the morning of the 26th May (investigations can take up to 12 months, for a start). The above figures are an extreme example, and the ICO’s Steve Eckersley has indicated that it won’t be issuing fines for breaches or non-compliance in every case. Instead, it could demand an audit or issue warnings, relying on the fact that damage to reputation will, in many cases, be the main deterrent.
That being said, you shouldn’t take the ICO’s announcement as a cue to relax your preparations.
Speaking at the CDPD Conference in Brussels, Eckersley said that the ICO is boosting its numbers by an additional 100-150 people, just to focus on the GDPR aspects and cyber security.
But it’s not all down to the ICO. DPAs across the EU will be expected to issue fines for most GDPR breaches, even without the ICO cracking down from day one. Paul Nemitz, from the European Commission, explained:
“It may be hard to change the culture but DPAs will just have to do that. If not, they will find themselves before the courts”.
So whilst the ICO may be culturally minded to take a lighter, more pragmatic view than, say, its German equivalent, enforcement will also be harmonised because the GDPR is being applied directly across all member states. This may mean that enforcement will drift to the highest rather than the lowest common denominator, such that the ICO may not have the discretion to be as light-touch as it would like.