GDPR four per cent fine won't be 'loaded shotgun fired off left, right and centre' predicts Hounslow Council information manager

ICO will seek to educate rather than fine, says Matthew Kay

The much-discussed four per cent global turnover fine for non-compliance with GDPR won't be "a loaded shotgun fired off left, right and centre", London Borough of Hounslow information governance manager Matthew Kay has predicted.

Speaking on a discussion panel at Computing's IT Leaders' Forum, GDPR: Are you sure you've thought of everything in Manchester today, Kay called ICO enforcement around the mooted enormous fine the "million dollar question" around GDPR.

"The million dollar question is in how the ICO will enforce it. There's going to need to be consistency across regulators," said Kay.

"There's a lot of talk of board level accountability, but I don't think you're doing to see a shotgun loaded up and fired off left right and centre," he added, saying the ICO is "an educational organisation" that would prefer to assist the enterprise in building GDPR strategy as opposed to simply handing out fines.

When asked how closely IBM is considering GDPR fines, GDPR leader for UK & Ireland Steve Norledge quipped that a projected $3.8bn for his firm "has our attention".

But Norledge recommended that concerned parties look at the ICO's previously published material:

"I think you can get a lot from the ICO in the last few weeks," he said.

"When you read what's been said there, it lays out an intense focus on helping and coaching businesses to make them more ready and capable, both in terms of transparency and protecting data. But it also says if people aren't taking action, then they'll get hit. Businesses should focus on addressing the biggest risk."

Board member at Foresters Friendly Society Erik Vynckier built on this point, advising the audience simply to read GDPR legislation closely and literally.

"If you read the regulation, it mentions the sort of items that go into it - a list of things," he said.

"For example, not being forthcoming after a breach has happened is seen badly, so anything that can be interepreted as trying to get away with something and not collalborating [with legislation] is not helpful, and I think brings you closer to that four per cent.

If you've just been a victim of bad luck and have taken precautions, I think it gets much lower. But the list is explicit in the regulations - every time you do something you shouldn't do, it brings you much closer."