GDPR is Not a Ticking Timebomb for Huge Fines

There is a huge amount of hype, misinformation and fear-based selling circling the subject of GDPR, with vendors, resellers and even so-called experts (who should know better) bandying around threats of huge fines for non-compliance.

It reminds me of what happened in the year 2000 with the millennium bug, when we were told that at the stroke of midnight technology would fail and planes would fall out of the sky. Similarly, organizations are being told that on the 25th May they will go into compliance meltdown, fines will be issued to everyone, businesses will go bust and CISOs will have to work through the night to ensure they’re ready. It’s all got a bit out of hand, to be honest.

Here’s my opinion – I think it’s fair and reasonable to say that in the past, the Information Commissioner’s Office (ICO) haven’t exercised their powers perhaps as forcefully as they could have (and should have) done, and it’s likely the ICO will be tougher moving forward – and the figures for January seem to back that up.

Having said that, I really don’t expect this to be the apocalyptic event we keep reading about. We’ve seen some evidence already that the ICO are living by their vow to take a tougher stance on enforcement, based on the increase in fines issued in Q1 of 2018, but we still don’t know how it’s really going to pan out, and we won’t until after May.

One of the biggest misconceptions that organizations have is that if an incident occurs then you will automatically be faced with a fine. I was reading a blog written by Elizabeth Denham of the ICO recently, and she made the point that fines are a last resort. The point of GDPR is to ensure fair and proportionate (proportionate being the operative word here) action is taken against those that fail to meet the agreed standards. There are warnings, recommendations and finally fines for those worst-case scenarios. 

Only 16 out of the 17,300 cases reported to the ICO in the last year resulted in a fine and not one of the fines met the conditions of the maximum penalties. Even if they are now toughening up, your chances of getting fined are pretty low. 

Are the ICO ready for the extra potential workload from GDPR breaches and violations? I guess we won’t really know until May 2018. 

I have read numerous articles that claim ICO fines would have been 79 times higher under GDPR than the current initiatives. Personally, I think this is simply fear-selling. I can’t think of any way they could have truly calculated this without all the details. 

Without question, there is a level of risk. The size of the potential fines has increased, and enforcement promises to be stricter. Whilst we shouldn’t believe everything we read, we should all be ensuring that we take action to meet GDPR compliance.  

From a data security standpoint, I completely believe that many organizations need to improve the way they handle, track and govern access to their data. Organizations need to be held accountable and need to have duty of care for their consumers. If GDPR is the catalyst for improving the data security culture, then I’m all for it. 

In so many of my engagements, organizations just don’t know what’s happening to their unstructured data or who has access to it. My advice to anyone thinking about GDPR is to take it seriously, but in the immortal words of The Hitchhiker’s Guide to the Galaxy, “Don’t Panic”. Let’s be prepared, but let’s keep some perspective. It’s a process – not a timebomb.