- May 1, 2018
"GDPR - Why you will not be fined" by Dai Davis
Cybergig was in attendance at the Manchester IP XPO last week and we saw some very interesting keynote speeches.
One that caught my attention was "GDPR - Why you will not be fined" by Dai Davis, who is a specialist in Information Technology Law.
In summary, he explained that the chances of any organisation being fined by the ICO were 400 to 1, and that it will be medium-sized organisations who bear the brunt of any fines.
Dai explained that recently the ICO had lost most of its staff to consultancy or legal companies and that internally they were struggling to upskill their own staff and make sense of GDPR.
Furthermore, he mentioned that a large undisclosed organisation (he did name the company, but I shall refrain) was taken to court by the ICO. The organisation had the means to fight back, which resulted in a £7m+ payout by the ICO to the company, equating to twice the annual budget of the ICO at the time; the ICO is therefore wary of taking on large organisations.
Additionally, it should be noted that the 4% of turnover financial penalty is only one part of a tiered penalty system. An organisation with less than £500,000 turnover is very unlikely to receive a fine, because it is impossible for companies of this size to meet GDPR in full.
Indeed, as an Information Security Lawyer, he felt it was impossible for the ICO or any other organisation to be fully compliant with GDPR.
It was noted that the UK has over 3 million companies and that, according to this year's Cyber Breach Survey 2018, 43% of companies were breached in 2018. So can the ICO handle the best part of 1.4 million companies reporting breaches and then investigate them all? No.
It is also understood that the Government have asked the ICO to ensure that Data Portability is something they target. The example used was that of smart meter data: companies who know your routines and patterns can gain an unfair advantage in creating specialist tariffs for you, so it is important that the data held on you can be sent to every supplier when you are comparing quotes.
Finally, it was concluded that the average fine for a medium-sized company would be circa £30,000, and he therefore advised that companies spend no more than £50,000 implementing GDPR. He stated that in his own experience reputational damage from GDPR will be minimal, and cited that every bank in the UK has already been breached this year and that this is accepted by consumers to some extent.