What you can’t do if your organisation is found to be non-compliant with the new General Data Protection Regulation (GDPR) which comes into force on 25 May 2018 is either:
- Claim ignorance of the legislation
- Try to assert the June 2016 UK referendum vote to leave the EU renders the GDPR irrelevant
To illustrate why these tactics would fail here are a few pointers:
Firstly, the regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 and in the intervening period there has been a lot of media coverage of the new procedures, processes and compliance requirements. In essence, we will all have had just over a two year notice period of its pending introduction. Therefore, feigning ignorance of the new rules will just not wash. There is also no period of grace beyond 25 May 2018 in which to become compliant.
It is understandable that many people will think that because the UK voted to leave the EU this new legislation will not apply to us. There are two things wrong with this assumption; the regulation applies to any third country that holds personal data on EU citizens. We have some 3 million such persons living here, so the GDPR applies to the UK whether we are members of the EU or not. Third countries include ANY country where EU citizens live and organisations hold personal data on any of them. Right now even U.S. organisations doing business in the EU are trying to come to terms with the implications of the GDPR.
The other point, which puts any doubt over the UK adopting and policing the GDPR beyond even the long grass was an early confirmation by the UK government that it would be implemented here exactly as it was intended by the EU. The GDPR will be included in the EU Withdrawal Bill (formerly the Great Repeal Bill) that will see all EU laws transferred to UK jurisdiction. The GDPR will most likely appear as the new UK Data Protection Bill as announced by our government in August 2017.
That leads us quite neatly on to the potential penalties for non-compliance with the GDPR and here it is perhaps useful to compare current fines and how they would ‘translate’ in the new, post-May 2018 world of GDPR.
In 2016 fines from the Information Commissioner’s Office (ICO) against UK companies would have been £69m under GDPR rather than the actual fines handed out of just £880,500. This according to analysis by risk mitigation specialists NCC Group.
As things stand, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into force on 25 May, 2018, there will be a two-tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation’s global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).
NCC’s security consultants looked at all ICO fines from 2015 and 2016. Using the current maximum penalty as a guide, it created a model to determine what tier the fine would fall into and what a maximum post-GDPR fine would likely be.
Fines given to small and medium-sized enterprises could have been catastrophic under the GDPR guidelines. For example, Pharmacy2U, who sold on details of more than 20,000 of its customers in 2015 without their consent received a fine of £130,000. Under GDPR this would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.
So, as the saying goes, ‘You can run, but you can’t hide’.
Guest Blog by Ian Bevington, Marketing Manager at Oak Innovation – part of a series on GDPR, available at the Oak Innovation News Centre.
