Information Commissioner sets out expectations for GDPR enforcement post 25 May 2018

At the recent Information Commissioner’s Office (ICO) annual conference, the Information Commissioner (IC), Elizabeth Denham, gave an indication of what to expect when the General Data Protection Regulation (GDPR) comes into force on 25 May 2018.

'Expecting more of everything'

The IC announced that the ICO’s budget for 2018/19 would be increased from £24 million to £34 million. Amongst other things, the budget increase will be put towards increasing headcount from 300 to 450 over the next two years, with the team of case officers, enforcement officers and advisers growing by a third.

This is to be expected: the public awareness campaign recently launched by the ICO and the enhanced rights of data subjects under the GDPR will undoubtedly lead to an increase in complaints. In addition, the ICO expects to receive more data breach reports from organisations as a result of the new requirement to notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.

It should be some comfort to those organisations that are grappling with their own GDPR compliance programmes that the IC acknowledged the scale of the task at hand and admitted it was a work in progress not only for them but for the ICO too.

'Proportionate and pragmatic approach to enforcement'

She also addressed the concerns raised about enforcement and the ICO’s new power to impose fines of up to €20 million or four per cent of annual worldwide turnover, whichever is the greater. She reassured organisations that the ICO will continue to take a proportionate and pragmatic approach when considering breaches of data protection rights, and that enforcement would be a last resort.

However, she gave a stern warning that organisations which persistently, deliberately or negligently flout the law will be subject to hefty fines. She also confirmed that a fine will not always be the appropriate course of action. Other sanctions at the ICO’s disposal include data protection audits, warnings, reprimands and enforcement notices. Potentially more damaging than a fine is the ICO’s power to stop an organisation from processing personal data altogether, with consequences for both its reputation and its profits.

Reassuringly, she confirmed that a factor in any action taken will be the extent to which the organisation engages with the ICO to resolve issues and can demonstrate the accountability arrangements it has put in place.

'Earning the trust and confidence of customers, clients and the public'

The ICO’s role is to ensure that organisations are fair, transparent and accountable when processing personal data. The IC’s message is that organisations that take their data protection practices seriously and apply those principles at all times when handling personal data will not only avoid tough sanctions but will also earn the trust and confidence of their customers, clients and members of the public.

If you have any queries regarding GDPR or require some support with your GDPR compliance programme, please contact Charlie Barnes or your usual RSM contact.