ICO: 'There's so much misinformation out there' on GDPR

Elizabeth Denham keen to 'bust myths' about the regulator's approach to compliance

The headline-grabbing fines made available to the Information Commissioner's Office (ICO) and other European Data Protection Agencies (DPAs) under GDPR have been something of a double-edged sword.

On the one hand, they have certainly "got the attention of the C-Suite," Elizabeth Denham, the UK information commissioner, said. On the other hand, they have given rise to a cottage industry of FUD [fear, uncertainty and doubt] purveyors, vested interests and mischief makers.

At an awards event organised by consultancy DataIQ on Wednesday, she seemed determined to set matters straight.

"There's so much misinformation out there. I want to be clear that this law is not about fines. It's about putting the consumer and citizen first," she said. "It's about doing good things by data subjects because innovation is not sustainable without public trust."

The ICO blog is one medium that she and her colleagues have been deploying to "bust myths", the biggest one being around fines.

"The fine is really a last resort," she told Computing. "Even to get to the fine we have to go through a lengthy investigation that might take several months, then we have to take it through the courts. So fines are not our go-to tool."

The regulator has other "sticks in the cupboard", she went on, including the power to stop a transgressor from processing personal data while investigations and audits are carried out. The resulting reputational damage to a large-scale data processor could be just as punitive.

"Fines are reserved for systemic problems involving sensitive data," added Steven Wood, deputy commissioner for policy.

The ICO has neither the resources nor the inclination to be waving around too many sticks. In addition, some aspects of GDPR remain to be clarified and the accompanying ePrivacy legislation is still working its way through the European courts. The regulator prefers to offer the carrots of guidance and assistance instead.

So while the maximum fines (€20m or 4 per cent of global turnover) have grabbed the attention of the board, the ICO will not be seeking to make examples of a few hapless companies just to get its point across. The 25 May introduction of the legislation is not a hard cut-off point like Y2K but more a checkpoint on the road to compliance.

However, this does not amount to a grace period. The rules will be in place, and organisations that fail to demonstrate progress and instead "seek to carry on doing business as usual" will risk censure by the ICO, Wood said.

The regulator will need to be willing to display its teeth if the Regulation is to be enforced, but for the past two years the emphasis has been very much on "education, education, education", Denham said. That being so, is she disappointed by surveys such as a recent one that found that half of UK small businesses are not aware of GDPR?

"Oh the data businesses are certainly aware of it," she said. "But the corner shop or the garage that changes tyres, they may not have heard of it. But there are lots of laws that they won't have heard of."

She pointed to the resources available for small businesses on the ICO's website and the advice line for smaller businesses.

A new phase in the education process will begin next month with a campaign to inform consumers about their data rights under the new legislation, the aim being to close the circle and foster a culture of 'trust and confidence' in which compliance makes good business sense, rather than being in response to possible fines.

The ICO will also be publishing a list in March of "exemplar companies" with which it will be working to demonstrate the practicalities of compliance with data protection law.