Reports on GDPR have featured so much misinformation that Information Commissioner Elizabeth Denham has had to dedicate much of her time separating myths from facts.
She elaborated on the truth behind the biggest GDPR myths at the IAPP Europe Data Protection Intensive conference in London.
Myth 1: Massive fines will be routine
Headlines on GDPR have been dominated by the maximum fines for non-compliance of four percent of annual turnover or €20 million, but they won’t be the default punishment for every breach of the regulation.
The ICO wants to encourage voluntary compliance ahead of issuing draconian penalties.
"When we do need to apply a sanction, fines will not always be the most appropriate or effective choice," said Denham.
"Compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders are often more appropriate tools.
"None of these will require an organisation to write a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies' bottom line."
She added that to reduce the risk of sanctions, organisations should engage with the ICO, demonstrate effective accountability, and report breaches to it when necessary.
The ICO has historically taken a fair and pragmatic approach to enforcing data protection. It's yet to invoke its maximum powers, and last year issued fines in only 16 of the 17,300 cases it concluded. Nonetheless, Denham warned that the ICO would take tough action if required.
"Hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law," she said.
Myth 2: You need to report every breach to the ICO
The eye-popping potential fines have led many people to worry about how they will report every breach of GDPR. In many cases, they won't need to inform the ICO.
The danger that a breach poses to the people it involves will determine whether it needs to be reported.
Reporting a breach is only mandatory if it's likely to pose a risk to a person's rights and freedoms. If the risk is high, the organisation responsible for the breach will also need to inform the people that it involves.
The ICO has improved the reporting process for those GDPR breaches that require notification.
The new service can handle 30,000 reports a year. To help organisations understand whether they need to notify the ICO of a breach, a telephone reporting service has been created to provide a fast and direct entry point.
"Call our breach reporting line and you’ll get a human response; our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days," said Denham.
"We've built a dedicated team to deal with data breach reporting and we’ll be extending the hours of the office to manage reporting under the GDPR and NIS Directive."
Visit the Information Commissioner's Office blog for clarification on other GDPR misconceptions.