Information Commissioners Office: data protection fining guidance
The Information Commissioner’s Office (ICO) has published new Data Protection Fining Guidance which covers:
- circumstances in which the ICO would consider it appropriate to issue a fine, and
- how the ICO determines the amount of any fine imposed.
The maximum amount of fines has not changed, and still sits at £17.5m or 4% of total annual worldwide turnover.
Statutory Background
Under the Data Protection Act 2018 (DPA), the ICO may impose a fine where a person has:
- failed to comply with certain provisions of the UK General Data Protection Regulation (GDPR)
- failed to comply with DPA 2018
- failed to comply with an information notice, assessment notice or enforcement notice given under Part 6 DPA 2018.
There are two levels of maximum fines – the ‘standard maximum amount’ and the ‘higher maximum’ amount. Annex 2 of the guidance sets out which level of maximum fine applies to the relevant provisions of the UK GDPR and DPA 2018.
If there are multiple infringements arising from the same or linked conduct (ICO will assess on a case by case basis whether the infringements are linked) the overall fine shall not exceed the specified amount for the gravest infringement.
Consideration Factors
When deciding whether to issue a fine, the ICO will assess each case on an individual basis. However, they must have regard to the factors listed in Article 83 UK GDPR, as well as ensuring that the fine imposed is effective, proportionate and dissuasive.
Factors to consider include:
- the nature, gravity and duration of the infringement
- the intentional or negligent character of the infringement
- any action taken by the controller or processor to mitigate the damage suffered by data subjects
- the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
- any relevant previous infringements
- the degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
- the categories of personal data affected by the infringement
- the manner in which the infringement became known to the ICO
- where measures referred to in Article 58(2) UK GDPR have previously been ordered against the controller or processor concerned with regard to the same subject-matter
- adherence to approved codes of conduct pursuant to Article 40 UK GDPR or approved certification mechanisms pursuant to Article 42 UK GDPR
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
Determining Amount
If the ISO decides to issue a fine, then the amount of the fine is calculated using the following 5 step approach:
- Step 1: Assessment of the seriousness of the infringement
- Step 2: Accounting for turnover (where the controller or processor is part of an undertaking)
- Step 3: Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking
- Step 4: Adjustment to take into account any aggravating or mitigating factors
- Step 5: Assessment of whether the fine is effective, proportionate and dissuasive
In exceptional circumstances, the Commissioner may reduce a fine where an organisation or individual is unable to pay because of their financial position. The organisation or person concerned needs to make a claim of financial hardship. They will have the burden of proving that their situation merits such a reduction.
Where appropriate, the Commissioner may enter an agreement providing additional time to pay a fine or to allow for the payment of the fine in instalments.
See the full guidance here: Data Protection Fining Guidance | ICO
Hempsons has a dedicated Data Protection Team. If you have any queries around any aspect of data protection or anything in this article or guidance and want more information, please don’t hesitate to get in touch.