GDPR Fines – The Truth

Every day, when I look at LinkedIn, I read reams and reams of posts from IT businesses talking about what technology could make you ‘GDPR Compliant’ and avoid multi-million pound fines. Most of these companies don’t speak about the real requirements GDPR puts on businesses, or what the law says; they are just looking for a way to make a quick buck by using scaremongering tactics and merging facts with untruths or inaccuracies.

The fact is that there is no such thing as a ‘GDPR compliance’ stamp. So, when you hear people talking about their solution or platform being GDPR compliant, be wary of what they are offering. GDPR contains no set of measurements to pass, only guidance and advice.

Let’s look at the GDPR Fines…

Yes, it can be very scary when you look at the maximum fines that the Information Commissioner’s Office can now issue within GDPR in the event of a data breach. £16 million or 4% of global turnover is not a fine any of us would like to pay, but let’s look at the facts:

  • The maximum fines are £16 million or 4% of global turnover, whichever is larger.
  • Under current data protection laws the ICO can fine up to £500,000 but they have never used this maximum fine. Even when TalkTalk had the huge data breach of hundreds of thousands of data records the ICO only fined them £400,000.
  • Of the 17,300 investigations concluded in 2016 by the ICO only 16 of those resulted in fines being issued.

Now, I am not saying that there will not be some large fines handed out to large corporate organisations who have a data breach. In reality, the industry expects an increase in both the number of fines and their value. However, even if the number of fines increased ten-fold after GDPR, only 160 companies would be penalised.

Don’t Panic

I am not advocating that you ignore GDPR or the fines, far from it. Personally, I believe that too many companies are not taking data protection seriously enough, and are directly contributing to my personal information, and personal details of other clients, leaking into the hands of unknown people with unknown intentions. All of this needs to stop, but that is a more involved discussion for another time.

Current GDPR knowledge is akin to being a bit under the weather. I have a terrible habit of googling what might be wrong with me, reading some articles that suggest I might have something terrible and life changing. I panic, then I go to my health professional and find out that actually, all is well and I just need to take some medication and rest for a few days.

Businesses need to do the same with GDPR. By all means: google away, have a bit of a panic, and then go to see someone who can actually advise you on what your specific issue is and give you a set of actionable steps to address it. You will find there are lots of simple and inexpensive things that you can do to meet the requirements in the legislation.

Don’t be misled by those in the industry who will try and sell you solutions out of fear alone. Take advice from a professional who has studied and gained accreditation in the field of GDPR.

If you would like advice or guidance on the General Data Protection Regulation then visit our GDPR Resources page to learn more.