
‘GDPR is not about fines. It’s about putting the consumer and citizen first’

Submitted by on 14 May 2018 – 16:13

Europe’s new data protection law, which comes into effect on May 25, is not about fines. It’s about putting the consumer and citizen first. Elizabeth Denham, the UK’s Information Commissioner, reaffirms that the GDPR (General Data Protection Regulation) is an evolutionary process that seeks to put power back in the hands of individuals.

“You’re in control,” “We’ve updated our privacy policy,” “Do you still want to hear from us?”, “Will you allow us to continue sending you emails?”

In the past few weeks, each of us has been receiving tens, if not hundreds, of emails seeking urgent consent to continue receiving newsletters, emails or services from several companies, some of which you might not remember using in recent years.

Prompting this sudden deluge of emails is GDPR, Europe’s new data protection law that is coming into effect on May 25. The stringent new law aims to change how companies handle personal data.

As technology moves fast, almost everything we do – keeping in touch with friends through social media, online shopping, exercising, and driving – leaves a digital trail. The average adult today has at least 100 data relationships to manage, covering everything from personal health services and gym membership to retail loyalty schemes and insurance policies. So the way our personal data is handled has never been more important.

Data protection and privacy have become a hot topic, in part due to the political theatre of Mark Zuckerberg’s congressional interrogations and the recent shutting down of Cambridge Analytica, the political consultancy firm at the centre of Facebook’s privacy row.

GDPR, which stands for General Data Protection Regulation, will now “give people new rights and choices about how their data is used, shared, and stored.” Designed to represent a data protection system fit for the modern digital age, the new law will force organisations to review their systems and the way people work.

Simply put, the draconian law seeks to put power back in the hands of individuals by forcing those who process our data to be more transparent about how they process it.

What happens if your business breaks GDPR rules?

The GDPR grants regulators the power to fine businesses that do not comply with it.

In the UK, the Information Commissioner’s Office (ICO) will be able to levy fines of up to £8.8m (€10m) or two per cent of a firm’s global turnover (whichever is greater).

Those guilty of serious breaches could face larger fines of up to £17m (€20m) or four per cent of global turnover.

After an initial wait-and-see approach, several companies have started to set up sizeable compliance programmes, fearing severe reputational damage and financial penalties.

Despite considerable efforts, many small organisations are struggling to comply.

A recent IDC survey indicates that only 29 per cent of European small businesses and 41 per cent of midsize businesses have taken steps to prepare for the GDPR. As the GDPR is based on principles rather than rules, the onus is on individual companies to determine how to implement it in their particular context.

What are the immediate ramifications for non-compliant organisations?

While fear of fines abounds, the office of Elizabeth Denham, the UK’s Information Commissioner and one of the most powerful women in the country, who is responsible for the smooth implementation of the GDPR, has confirmed that “the law is not about fines. It’s about putting the consumer and citizen first” and that “the ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR.”

Reaffirming that the GDPR is an evolutionary process, Denham noted that “there isn’t a deadline in the sense that if you’re not compliant by 25 May you’ve missed your chance.”

“Organisations need to continue to identify and address emerging security risks in the weeks, months, and years beyond May 2018. 25 May is, however, the date the legislation takes effect. There have been two years to prepare and the ICO will be regulating from this date.”

“We are a fair and proportionate regulator and those who self-report, who engage with the ICO to report issues, and who can demonstrate effective accountability arrangements can expect this to be taken into account.”

At the forefront of the Facebook scandal

In April this year, the ICO revealed that it is investigating 30 organisations, including Facebook, over the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors.

The ICO has confirmed that the investigation into data analytics, Cambridge Analytica and the firm’s harvesting of data “will continue” despite the political analysis company declaring bankruptcy. The Information Commissioner also said she had “the power to fine directors and get them banned from running other companies.”

Although pleased with the recent privacy changes made by Facebook, the Information Commissioner noted that it is “too early to say whether they are sufficient under the law.”

Besides her investigation, which could result in enforcement action, the Information Commissioner will also be making clear public policy recommendations to help us understand how our personal data is used online and what we can do to control how it is used.

Does the ICO have the necessary resources and infrastructure to investigate massive data breaches?

In February, HM Treasury gave the Information Commissioner the ability to attract and retain the expert staff needed to meet the challenges and opportunities that lie ahead.

An official spokesperson confirmed that the ICO has welcomed just over 70 staff from a range of diverse backgrounds and experience in the past 12 months and plans to recruit at least another 150 in the next two years. As well as roles at its head office in Wilmslow, Cheshire, there will be opportunities in London, Belfast, Edinburgh and Cardiff.

In the annual CRISP lecture on 15 March, Elizabeth Denham noted that the ICO has a budget of £24 million. Following the introduction of the new funding model, this will rise to £34m in 2018/19.

The ICO’s staffing numbers continue to increase, passing 600 by 2019 and rising to approximately 650 full-time equivalents (FTE) during 2019/20.

Today, the ICO has around 200 case-workers working on issues raised by the public, a 60-strong enforcement department taking forward its investigations and a similar number charged with developing its information rights policies and engaging with the stakeholders and organisations that need to implement them.