"The GDPR is not Y2K,” explains Louise Byers, head of risk and governance at the Information Commissioners Office.
With the General Data Protection Regulation (GDPR) coming into force at the end of the week, there is a growing concern from some organisations that they won’t be compliant in time and could be in danger of significant fines.
New research by Apricorn has revealed that less than a third (29%) of surveyed organisations feel confident they will comply with GDPR come the May 25 deadline.
However, speaking at the IRMS Annual Conference 2018 this week, Louise Byers, head of risk and governance at the Information Commissioners Office (ICO), has moved to qualm fears from those that will not be compliant, emphasising that “Friday is a beginning and not the end. The GDPR is not Y2K”.
The GDPR and new Data Protection Bill will give the ICO new powers, enabling it to move at pace and secure information and evidence, which it sees as key requirements in the digital age. Louise Byers commented on the ICO’s updated regulatory action policy that it recently published for consultation. “Our new powers will include no notice inspections, compelling people and organisations to hand over information and making it a criminal offence to destroy, falsify or conceal evidence.”
However, Byers stressed that this wouldn’t mean that GDPR isn’t about just handing out heavy fines: “It is about the public and it all comes down to building trust and confidence that people have in the organisations handling their data.”
Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law.
Byers added: “Our policy makes it clear that we won’t be changing our approach to fines in four days’ time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law.”
Byers added: “If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.”
Byers’ comments echo those of the Information Commissioner Elizabeth Denham. In a statement last year, she emphasised that "issuing fines has always been, and will continue to be, a last resort... it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."
If you’re concerned that your organisation won’t be compliant by May 25, read our interview with a panel of experts who share advice on what you should be focusing on as a priority.
Neil Davey is the managing editor of MyCustomer. An experienced business journalist and editor, Neil has worked on a variety of newspapers, magazines and websites over the past 15 years, including Internet Works, CXO magazine and Business Management. He joined Sift Media in 2007.