“Don’t expect a large fine on 26th May"
From the Information Commissioner's News Blog

As 25 May draws closer, GDPR is becoming increasingly visible, particularly here on LinkedIn. A refresh of my home page and a Ctrl-F found 19 mentions just now. Many of them are scare stories about massive fines or adverts for a one-product panacea for GDPR compliance. It was interesting, then, to hear some insights from arguably one of the very few real GDPR experts in the UK.

Steve Eckersley, Head of Enforcement at the Information Commissioner's Office, is the man who will have a bigger say on how GDPR affects the UK than anyone except the Information Commissioner herself. At the Computers, Privacy and Data Protection (CPDP) Conference in Brussels on Thursday 25 January, where he was one of the speakers on a panel titled "Is Everything Fine With Administrative Fines?", he said “Don’t expect a large fine on 26th May. For the first thing, some investigations take 8-12 months to complete.”

But even this time-frame sounds difficult to achieve post-GDPR, given that he also said the ICO is expecting 30,000 breach notifications a year and is consequently recruiting between 100 and 150 new staff to work on GDPR and cyber security in general. I'm intrigued about where the ICO is going to find 150 competent people, including lawyers and cyber/GDPR specialists, given that most cyber vacancies take over 7 months to fill and the Civil Service is not renowned for paying particularly well. For example, of the five jobs currently advertised on the ICO website, a London-based Lead Auditor post has a salary of £24,769; similar posts in the private sector are offering salaries of £42,000 - £55,000.

A report last year in SC Magazine mentioned that the current staff of 500 are already said to be "buckling under the pressure" of delivering data protection governance in the UK. Integrating 150 new staff and dealing with 30,000 breach notifications, i.e. one every 3 minutes 8 seconds of a Civil Service working year (minimum 5 weeks leave, 11 public holidays, 35-hour week), is probably going to add to that pressure, at least slightly.

Make no mistake, there will be fines for contravention of GDPR and some of them will be big. But there are already fines for contravention of the current Data Protection Act, and some of those have been fairly big. 26 of the 61 monetary penalties issued by the ICO last year were for contraventions of data protection law, with an average fine of £69,381 and a largest of £400,000. Not the maximum 20 million Euros threatened by GDPR, but still enough to seriously damage all but the largest business. The other 35 fines were for spam emails and texts. Interestingly, the sector fined most often for failing to follow data protection rules was charities, with 11 penalties, although those fines averaged only £12,545.

The 'so what' in all of this is that GDPR isn't going to change the world on 25 May. But getting caught flouting data protection law is going to hurt, and one thing GDPR does mean is that, whoever you are, getting caught is now more likely; it just might take some time.

Learn more about how to protect your business against cyber security threats from both inside and outside your organisation by downloading other blogs and White Papers from our website.

Lawrie Abercrombie M.Inst.IISP is Technical Director at Arcanum IS Ltd, a specialist Cyber Security Consultancy working with Businesses, Government and Defence Industry. One of few Lead Security & Information Risk Advisors certified by the UK's National Cyber Security Centre, Lawrie originally learnt his trade commanding the British Army’s first Cyber Security team. Now working in both the Public and Private sectors, he specialises in risk management for IT and OT projects.

Gary Bond

CEO - Building a European Data Aggregation and Dissemination Business for Asset Managers and their Distribution Channels, using Blockchain Technology. Built by the Industry - for the Industry

7 years

The self-funding organisations like the FCA need to make money somewhere, so an example will be made, is my bet.

A more realistic title may well be 'GDPR WILL LEAD TO HUGE FINES - EVENTUALLY'. While the ICO is clearly going to be working at full capacity (even if they are successful in recruiting people to work in Cheshire for a relatively modest salary), with data breaches such as Leicester City Council allegedly sending an unencrypted file with the details of all the people in its care (including children) to 27 taxi firms in the area, the very real prospect of some 'HUGE' fines is on the horizon... it's just it's going to take a little while for them to become reality. Someone asked me the other day to give them an overview of GDPR, which went along the lines of: it's coming - get your compliance in order - try not to panic - but if it all goes wrong - give the ICO a blank cheque and they will fill the numbers in for you!

Lawrie Abercrombie FCIIS

Arcanum Cyber - Helping Businesses Operate Securely in Cyber Space - Principal Cyber Security Consultant

7 years

Thanks Eddie.

Eddie Edwards M.Inst.ISP

SCCP | Operating Securely in Cyber Space | Cybertec Group Director | Managing Cyber Risk

7 years

Very interesting read Lawrie

Richard Duff

Helping you streamline your business with ISO 9001, ISO 14001, ISO 45001, QHSE software and consultancy

7 years

Interesting article; however, as for policing the GDPR, a lot of my clients are worried about those PPI lawyers looking to make a killing once PPI comes to an end. There is a route for compensation for the data subject as well as the fines. Where there is money to be made there will always be someone there to make a profit out of it.
