The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and there are plans for a UK Data Protection Bill that closely reflects the GDPR.
Amongst the headlines for the GDPR are fines of €20m or 4% of annual turnover (whichever is greater) for failure to comply. There are other changes such as data breach reporting, new obligations on data processors and higher standards for consent. However, the UK's data protection regulator, Elizabeth Denham, has sought to quell what she sees as 'scaremongering' and separate fact from fiction.
Yes - it is fact that the fines could dwarf the current maximum of £500,000 and be that big, in theory. However, the reality is that the regulator will not be making early examples of organisations for minor infringements, nor will maximum fines be the norm. Ms Denham said she always preferred the carrot rather than the stick and that would not change.
She has vowed to use the powers to issue fines "proportionately and judiciously".
She said in her first blog of the series: "The UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective."
In the second of her blogs, Ms Denham went on to address the issue of consent. She said another myth going around was that organisations could only use personal data if they had consent. If organisations do rely on consent, then the bar has got much higher - for example, they must make it easy to withdraw consent, use clear and plain language, and ensure that the consent they already hold matches the higher GDPR requirement. However, consent is only one of a number of ways to demonstrate fair and lawful processing. Others include:
This last option, in particular, is one that can be relied upon and is often an easier option than consent. It will not work in every situation, though, and sometimes consent may still be needed.
Ms Denham added that the final guidance on consent should be expected in December once the Europe-wide consent guidelines are produced; in the meantime, the regulator has already produced draft guidance on consent, which can be referred to for now.
There is no doubt that the changes in data protection laws are greatly important and organisations must start getting ready now. If the theoretical large fines have grabbed the attention and focused the minds, that may be a good thing. Organisations need to comply and protect personal data. Serious breaches could result in significant sanctions. The best way to avoid that happening is to ensure compliance with the new law - then there is no need to worry.