Large fines will not become the norm under GDPR, says watchdog


The maximum fine of €20 million (US$23 million) or 4% of annual global revenues is significantly higher than the existing £500,000 imposed for breaches of the current Data Protection Act.

Large fines for breaches of the forthcoming General Data Protection Regulation (GDPR) will be reserved for only the most serious incidents, the UK’s Information Commissioner has said.

The maximum fine of €20 million (US$23 million) or 4% of annual global revenues is a significant jump from the existing £500,000 imposed for breaches of the current Data Protection Act. But Information Commissioner Elizabeth Denham indicated in a blog that equating the new legislation with “crippling financial punishment misses the point”.

Although she acknowledged that her Office would have the power to levy much bigger fines than was currently the case, it was simply “scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that the maximum fine will become the norm”.

Denham pointed out that issuing fines had always been considered a last resort and, of the 17,300 cases concluded last year, a mere 16 had resulted in financial penalties.

The GDPR is due to come into force on 25 May 2018 and, while the law originates in the European Union, the Department for Digital, Culture, Media and Sport has announced plans to introduce it into the UK via a new Data Protection Bill. The proposed Bill will, among other things, create a right to be forgotten, make it easier to withdraw consent for personal information to be used by third parties and enable individuals to ask organisations to erase whatever data they hold on them.

Research suggests that people are already considering how to use the rights afforded to them by the new legislation. A survey conducted by data analytics firm SAS revealed that 22% are contemplating whether to use the GDPR to find out what personal data their employer is keeping about them. A further 21% intend to ask their current or former employer to delete such information.