The Information Commissioner’s Office (ICO) has recently launched a consultation on proposed Data Protection Fining Guidance (the Guidance). The draft Guidance sets out the circumstances in which the Commissioner would consider it appropriate to exercise administrative discretion to issue a penalty notice and explains how the Commissioner determines the amount of any fine imposed.

The scope of the draft Guidance includes notices and fines under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), but excludes those under the Privacy and Electronic Communications Regulations 2003.  

The Guidance, once adopted, is not intended to change the ICO’s approach to public sector enforcement but does replace parts of the ICO’s Regulatory Action Policy which was published in November 2018.

ICO approach to fining

The draft Guidance confirms the right of the ICO to issue fines where a controller or processor has failed or is failing to comply with the UK GDPR or the DPA 2018, including in respect of data subject rights, the principles of processing, communication with the ICO, personal data transfers, compliance with an enforcement notice and accreditation requirements or certification requirements.

When deciding whether a penalty notice would be appropriate the Commissioner confirmed that he will have regard to:

  • the seriousness of the infringement(s) (taking account of its nature, gravity and duration, whether it was intentional or negligent and the categories of personal data affected);
  • any relevant aggravating or mitigating factors; and

Behaviour that delays regulatory action may be viewed as an aggravating factor.  However, behaviour the enables the enforcement process or limits harmful consequences may be viewed as a mitigating factor.   Co-operation in making the ICO aware of the infringement may also be attributed weight unless the notification is required by law.  Then, the ICO expects notification as part of compliance with statutory obligations.

The ICO will consider whether the measures were appropriate with regards to the size and resources of the controller and processor, and the nature and purpose of the processing.

The impact on a wider sector and economic growth may be considered.

  • whether imposing a fine would be effective, proportionate and dissuasive.

Five step approach

In calculating what would be an appropriate level of fine, the following five step approach will be taken:

Step 1Assessment of the seriousness of the infringement.

Step 2Accounting for turnover (where the controller or processor is part of an undertaking).

Where a controller or processor forms part of an “undertaking” (for example the controller is a subsidiary of a parent company) the Commissioner will calculate the maximum fine based on the turnover of the “undertaking” as a whole.  As the UK GDPR and DPA 2018 do not provide a definition of what is meant by an “undertaking”, the ICO has confirmed that the term should be understood in accordance with UK competition law.

Step 3Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.

Step 4Adjustment to take into account any aggravating or mitigating factors.

Step 5Assessment of whether the fine is effective, proportionate and dissuasive.

Infringement of more than one provision

Where the same or linked conduct has infringed more than one provision, the ICO may decide to impose a fine for each infringement.  However, the sum of the overall fine in such cases must not exceed the maximum statutory fine that applies to the most serious infringement.

On the other hand, an investigation may also find that different forms of conduct have infringed separate provisions.  Where this is the case, the ICO may use the same penalty notice for all infringements to streamline procedure.  The ICO’s fining powers will not be limited to the maximum statutory fine that applies to the most serious infringement, but rather the sum of the maximum amount for each infringement.

Responding to the consultation

The ICO’s consultation is open for responses until 27 November 2023.

Should you have any questions in relation to the ICO’s draft Guidance please speak to a member of our Data Protection and Cyber Security Team. 

This article was co-written by Helen McBrierty, Trainee Solicitor.