ICO will take proportionate approach to GDPR fines

The ICO is not planning to issue fines in every circumstance when it detects a breach of the GDPR (or implementing legislation), the ICO’s Steve Eckersley said at the CDPD conference in Brussels. Eckersley stated that the ICO will also have other options in its toolbox: the opportunity to issue warnings or demand an audit. He thought that in many cases the reputational damage will have a greater impact than any fine.

“Don’t expect a large fine on 26th May. For the first thing, some investigations take 8-12 months to complete.” Eckersley said that the ICO is now recruiting an additional 100-150 people to work on GDPR aspects and cyber security. He predicted that the ICO will receive 30,000 breach notifications a year, and reminded attendees that the so-called Police Directive, which the ICO will also supervise, will enter into force on 10th May.

Paul Nemitz from the European Commission stressed that fines are applicable for most breaches, and the DPAs across the EU should be prepared to issue them. “It may be hard to change the culture but DPAs will just have to do that. If not, they will find themselves before the courts.”