The Information Commissioner’s Office will take a proportionate approach to charities that are struggling to implement the General Data Protection Regulation when it comes into force, trustees have been told.
The GDPR, which comes into force on 25 May next year, will impose much stricter controls on how organisations handle people’s data and enable the ICO to issue fines of up to 4 per cent of global annual turnover or £18m, whichever is larger, for the most serious infringements.
Speaking at the National Council for Voluntary Organisations’ trustee conference in London today, Simon Entwisle, member of the ICO management board responsible for operations, said the ICO would not look to increase fines for minor offences just because his organisation was able to do so.
He told the conference: "It is scaremongering to suggest that we will be making examples of organisations for minor infringements, or the maximum fine will become the norm.
"If a deterrent of a much smaller amount has been sufficient in the past for a particular type of breach, we won’t be adding a few noughts to it just because the legislation allows us to."
He said that guidance on the ICO’s approach to fines would be released before the GDPR came into force.
Entwisle played down concerns about the ICO’s approach to data protection once GDPR was enacted and said that the regulator was not looking to punish organisations unduly.
"If you can demonstrate that you have the appropriate systems in place, then you will find the ICO to be proactive and pragmatic, aware of the pressures you are facing in these challenging times," he said.
"The ICO’s approach has never been about punishing organisations, and we don’t intend to change this approach now. We will continue to take a risk-based and outcome-focused approach to regulation, but in exchange we do expect organisations to work with us to get this right."
A number of helplines, including one for small businesses and charities and another for advice on when to report breaches, were already in place, Entwisle said, and in most cases minor breaches would not need any further action from the ICO.
Entwisle said the ICO would not be "banging on people’s doors to issue huge fines" on day one of the GDPR.
"With any law like this there has to be a proportionate approach to regulation," he said. "We will adopt that type of approach and we will listen to what you have to say. And what we will be looking for is for you to be actively demonstrating you are working towards solutions.
"If there is a lack of clarity, we will demonstrate our understanding of that. That is incumbent on us as a regulator.
"We are reasonable, and it would be entirely disproportionate to just fine organisations that are working extremely hard towards the appropriate measures."
But he warned trustees to ensure they considered how the privacy of individuals could be affected by their charity’s decisions on data protection.
"This accountability cannot be bolted on," he said. "It needs to be part of your organisation’s overall systems approach to how it manages and processes data, and it needs to form part of your governance arrangements."