UK Information Commissioner Elizabeth Denham has moved to dispel the two most common myths that, she says, are being associated with the coming General Data Protection Regulation (GDPR) legislation that will be enforceable in the UK from May 25.
GDPR Myth 1 – Massive GDPR Fines
In relation to the claim that massive fines will be commonplace under the new legislation, Ms Denham has said that, although the maximum penalty for non-compliance is four percent of annual global turnover or €20 million (whichever is higher), such fines will not be the default punishment for every breach of GDPR.
She said “When we do need to apply a sanction, fines will not always be the most appropriate or effective choice. Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools”.
GDPR Myth 2 – Total Breach Reporting
Secondly, in relation to the belief that every GDPR breach will need to be reported to the ICO, she said that this is not the case. Reporting a breach to the ICO is only obligatory where it is likely to result in a risk to individuals' rights and freedoms. Where that risk is high, the organisation responsible for the breach must also inform the individuals affected. Denham said “Call our breach reporting line and you’ll get a human response; our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days.” She added “We’ve built a dedicated team to deal with data breach reporting and we’ll be extending the hours of the office to manage reporting under the GDPR and NIS Directive.”
Ms Denham took over the role of Information Commissioner in July 2016, having previously held the equivalent role in British Columbia, Canada, and, before that, the post of Assistant Privacy Commissioner of Canada.