It can be unwise to make too much of reported and/or throwaway remarks, but I’m going to look at a recent reported, and possibly throwaway, remark by a senior manager from the Information Commissioner’s Office (ICO) at a recent Law Society conference on the General Data Protection Regulation (GDPR).
Giving “A perspective from the ICO”, Richard Nevinson, Group Manager for Policy and Engagement, was reported by the Law Society Gazette to have said, on the subject of potential administrative fines under GDPR:
If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR
This perhaps doesn’t at first blush sound that notable: the Commissioner herself – Elizabeth Denham – has been at pains, over the months leading up to GDPR coming into direct effect, to stress that, although the maximum fine will increase from £500,000 to €20m or 4% of annual global turnover (whichever is larger), such fines are not her focus:
Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense
(despite this, some commentators have continued to employ such “nonsense”).
What Nevinson said, though, goes further than anything I’ve seen so far from the ICO. Because, if what he is reported to have said is correct, it would mean that we should see no change in the frequency or amount of fines, unless there is a contravention on an unprecedented scale. The highest fine levied under the existing Data Protection Act 1998 (DPA) has been £400,000 (twice – once to Talk Talk and once to Carphone Warehouse) – only 80% of the current maximum. This means that the ICO cannot feel that the current maximum sets a cap which frustrates them by preventing them from issuing higher fines. One would assume, therefore, that the ICO would (must?) see GDPR’s legislative intent as being to “scale up” fines in some way. But no – says Nevinson – £X under DPA will equate to £X under GDPR.
Following that line of argument, as we have never seen a fine of £500,000 under DPA we will not see one of that size (or higher) under GDPR, unless a contravention emerges that is worse than anything seen before.
I may be wildly over-analysing what he was reported to have said, but I thought it noteworthy enough to blog about it at 06:00 in the morning, so I thought you might too.
Oh, and Nevinson might not be right or might not have been accurately reported, and I definitely might not be right. So you’d be silly to pay too much attention, and you certainly shouldn’t forget about the risks that fines may represent under GDPR.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.