Light-touch on GDPR penalties sought, then suggested

No small business should be “hauled over the coals” for unintentional mistakes in the early days of the General Data Protection Regulation taking effect, a business body is appealing.

As long as firms are “working hard” to adopt the new regime, any inadvertent slips in trying to reflect GDPR must not be harshly punished, says the British Chambers of Commerce.

Moreover, while consumers deserve assurance from business that any personal data held will not be misused, it is businesses who need a “helping hand” from government in adopting the “complex” changes, said BCC’s director-general Dr Adam Marshall.

Both his appeals seem to have drawn a response he’ll likely welcome. In terms of the helping hand for example, the Information Commissioner has unveiled a GDPR widget to test companies' 'GDPR-readiness.'

Getting to grips with the new rights of individuals, handling subject access requests; consent, data breaches, and designating a data protection officer, are all covered by the online tool.

And on the thorny issue of penalties, the commissioner has clarified. “We’ll have the power to impose fines much bigger than the £500,000 limit the DPA [Data Protection Act] allows us.

“It’s also true that companies are fearful of the maximum £17million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

Commissioner Elizabeth Denham added that her office’s emphasis on “guiding, advising and educating” businesses how to comply with data law will not change under the GDPR. “We have always preferred the carrot to the stick,” she said.

As well as the online widget, the ICO is directing firms to its 12-step programme for GDPR compliance, which is separate to a myth-busting series tackling key issues such as consent.

Denham herself is also blogging, partly to keep “misinformation” about the May 2018 framework --“some of which…seems commercially driven” -- at bay.

“I’m worried that the misinformation is in danger of being considered truth,” she wrote. “[Statements such as] ‘GDPR will stop dentists ringing patients to remind them about appointments’ or ‘cleaners and gardeners will face massive fines that will put them out of business’ or ‘all breaches must be reported under GDPR’… are all wrong.”