Elizabeth Denham, the UK’s information commissioner, has warned that many organisations will not be fully compliant when GDPR comes into effect in May.
But in a speech to public sector leaders she vowed that her office would treat organisations fairly if they suffer a data breach, report it and take steps to resolve it.
Speaking on Friday, Denham said she was aware that GDPR preparations will be “ongoing” after 25 May, the date on which the EU-wide regulation comes into force.
“I know that when 25 May dawns, there will be many organisations that are less than 100 per cent compliant. […] But if you self-report a breach, engage with us to resolve issues, can demonstrate effective accountability arrangements, you will find us to be fair,” she said. “Enforcement will be proportionate and, as it is now, a last resort.”
Denham added that organisations should be more concerned about the cyber threat posed by hackers in their bedrooms than those working on behalf of nation states.
“We make a mistake if we throw up our hands and worry about state sponsored attacks – we know those are rare,” she said. “You should be worrying about the malicious kid in his bedroom who hacks into your system because he can. Or the opportunistic thief who understands the value of the data you hold and knows how to get his hands on it. Because you left the door wide open.”
In a blog published last summer, Denham sought to dispel the notion that maximum fines will become the norm. Under GDPR, data protection regulators will have the power to fine companies up to 4 per cent of their annual global turnover, or €20 million, whichever is higher. But Denham wrote:
“Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned. And we have yet to invoke our maximum powers.”