The UK’s Information Commissioner’s Office (ICO) says it will favour “the carrot to the stick” approach when it comes to GDPR compliance.
In a blog, written to “separate the facts from the fiction”, information commissioner Elizabeth Denham – who’ll be the UK regulator of the new data protection law when it comes into force on 25 May 2018 – said: “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
The GDPR significantly increases the maximum fine for breaches of the law, from £500,000 to up to €20 million or 4% of annual worldwide turnover. Marketers struggling to become compliant will find some relief in Denham’s statement of intent.
“While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective,” she added. “The GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”
No final consent guidance until December
Less welcome will be the news that the ICO’s final guidance on consent – a key area of the GDPR affecting marketers – is scheduled for December. In addition, formal advice on “legitimate interests” – an alternative to consent as a basis for processing data – is not expected to be published until next year, Denham announced in a separate blog post.