ICO publishes its draft “Data Protection Fining Guidance” for public consultation

Published on 11 December 2023

The question

How will the Information Commissioner's Office (ICO) calculate the amount of a fine under the UK GDPR and the Data Protection Act (DPA) 2018?

The key takeaway

The ICO has published its draft Data Protection Fining Guidance (the Guidance) for public consultation. The Guidance addresses: (i) the ICO's power to impose fines, (ii) how a fine may arise, and (iii) how the ICO calculates the amount of a fine under UK GDPR and the DPA 2018. Importantly, the Guidance clarifies that, where the ICO finds that the same or linked processing operations infringe more than one provision of UK GDPR, the overall fine imposed will not exceed the maximum amount applicable to the most serious of the individual infringements.

The background

On 2 October 2023, the ICO published the Guidance for public consultation. In the Guidance, the ICO explains that it may only exercise its power to impose fines under Article 58(2)(i) and Article 83 UK GDPR by giving a penalty notice to a controller or processor in accordance with section 155 of the DPA 2018. Further, the Guidance states that it updates and replaces the sections of the Regulatory Action Policy which were published on 7 November 2018, and which currently set out how the ICO determines: (i) when to issue a penalty notice, and (ii) the amount of a fine under UK GDPR and the DPA 2018. The consultation closed on 27 November 2023.

The development

The key sections of the Guidance set out: (i) the infringements of the UK GDPR and the DPA 2018 for which the ICO may impose a fine, (ii) the factors which the ICO may have regard to when deciding to issue a penalty notice, and (iii) how the ICO determines the amount of a fine.

The infringements for which the ICO may impose a fine

Here, the Guidance provides that the ICO may choose to impose a fine where a controller or processor has not complied with the provisions of UK GDPR or the DPA 2018 in relation to:

  • the principles of processing
  • the rights conferred on data subjects
  • the obligations placed on controllers and processors, or
  • the principles for transfers of personal data outside the UK.

Further, the ICO may impose fines where a controller has failed, or is failing, to comply with a requirement to pay a data protection fee, or other charges, to the ICO. The Guidance also explains that the ICO may choose to impose a fine on a person for a failure to comply with their requirements under the DPA 2018, including a failure to:

  • provide information which the ICO reasonably requires to assess compliance with the UK GDPR or the DPA 2018
  • permit the ICO to inspect or examine documents, information, equipment, or material for the purposes of assessing compliance with the UK GDPR or DPA 2018, or
  • comply with a requirement set out in a previously issued ICO penalty notice.

The factors which the ICO will consider when deciding to issue a penalty notice

In determining whether to issue a penalty notice, the Guidance states that the ICO must have regard to Article 83(1) and Article 83(2) UK GDPR, or section 155(3) DPA 2018. The factors which the ICO will have regard to include:

  • the nature, gravity and duration of the infringement(s), the purpose of the processing, the number of data subjects affected by the infringement(s), and the level of damage suffered
  • whether any infringement(s) were intentional or negligent
  • any action taken to mitigate the damage suffered by data subjects
  • the degree of responsibility of the controller or processor (given the technical and organisational measures which they have implemented)
  • any relevant previous infringement(s) by the controller or processor
  • the degree to which the controller or processor cooperated with the ICO to remedy the infringement(s) and mitigate adverse effects
  • the categories of personal data affected by the infringement(s)
  • the manner in which the infringement(s) became known to the ICO
  • any other applicable aggravating or mitigating factors.

Determining the amount of a fine

The Guidance states that, to calculate the amount of a fine, the ICO will consider:

  • the seriousness of the infringement(s)
  • the worldwide annual turnover of the controller or processor (where the controller or processor is part of an “undertaking”)
  • where the starting point for the fine should be (in consideration of the above points)
  • adjusting the fine in consideration of any aggravating or mitigating factors
  • whether imposing the fine would be effective, proportionate, and dissuasive.

Further, the Guidance states that the maximum fine which the ICO can issue will also depend on whether the controller or processor forms part of an “undertaking” (e.g. the controller is a subsidiary of a parent company). This affects the maximum fine which the ICO can impose as follows:

Fine type               Not an Undertaking    Undertaking
Standard maximum fine   £8.7m                 £8.7m or 2% of worldwide turnover in the preceding financial year, whichever is higher
Higher maximum fine     £17.5m                £17.5m or 4% of worldwide turnover in the preceding financial year, whichever is higher

Why is this important?

Once finalised, the Guidance will provide controllers and processors with a means of estimating the fines that they may face where something goes wrong. Further, the Guidance sets out the key points which the ICO will have regard to when evaluating new and existing infringements for which a notice of intent to impose a fine has not yet been issued.

Any practical tips?

As the Guidance provides controllers and processors with a means of assessing what factors the ICO will consider when determining whether to impose a fine, organisations should stress-test their playbooks, processes and training against it to ensure that they continue to do everything possible to prevent, or at least mitigate, the level of fines they could be exposed to where something goes wrong.

Winter 2023