The Information Commissioner’s Office has said that it will be "proportionate" in its approach to fining charities that break rules when new rules come into force next year.
Speaking yesterday at NCVO and BWB’s trustee conference, Simon Entwistle, deputy commissioner at the ICO, said: “What I can say is that on day one of GDPR coming into force we are not going to be banging on people’s doors to issue huge fines. With any law like this there needs to be a proportionate approach to regulation, we will adopt that type of approach.
“We will listen to what you have got to say, and what we will be looking for is you to actively be demonstrating that you are working towards some of the issues. If there is a lack of clarity we will demonstrate our understanding of that.”
He added that the regulator does expect charities to work with them and demonstrate the work they have done to work towards the new regulations.
“We do expect you to be able to demonstrate and work with us, but we are reasonable and it would be entirely disproportionate to just fine organisations who are working extremely hard towards the appropriate measures on the 1st June next year,” he said.
He said he wanted to tackle the myth that the ICO would be looking to “maximise its new fining powers”, although said it is true that it will have the power to issue larger fines of up to £17m. But he said it would be “scaremongering to suggest that we will be making early examples of organisations for minor infringements, or that the maximum fine will become the norm”.
He said if a smaller amount has worked as a deterrent for a particular type of breach before, the ICO “won’t be adding a few noughts to it in the future, just because the legislation allows it”.
Questioned by a delegate on the absence of the final guidance from the ICO on the new rules, Entwistle said that the ICO is “in the process at the moment of recruiting a significant number of secondees from legal firms to come and help speed up the guidance”.
Enwistle also clarified to trustees that it is right that they should report all significant breaches to them within 72 hours. But he said not all breaches are counted as significant and therefore would not need to be reported. He advised charities to ring the ICO's helplines for clarification on whether something would be a significant breach if trustees were unsure.
The ICO has two helplines that charities can use: its main helpline, and one that was set up recently to deal with small charities and businesses.
He told delegates at the trustee conference that there will be a pay off from the new regulations, because it would improve the relationship with the public and more trust in the way organisations handle data.