ICO welcomes views on its draft Data Protection Fining Guidance

On 2 October 2023, the Information Commissioner’s Office (ICO) announced that its draft Data Protection Fining Guidance (Guidance) is open for consultation.

What is the Data Protection Fining Guidance?

The Guidance seeks to provide greater clarity to organisations concerning the ICO’s ability to issue (and its methodology for calculating) fines resulting from breaches of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

The release of the Guidance marks the third time in three consecutive years that the ICO has issued a publication surrounding its enforcement powers in relation to data protection legislation in the UK, and follows the guidelines released by the European Data Protection Board (EDPB) in June 2023 concerning the calculation of administrative fines.

The Guidance, which sets out the conditions under which the Commissioner would consider it appropriate to exercise its discretion to issue a fine, remains open for consultation until 27 November 2023. During this period, the ICO welcomes views from organisations and individuals both in a professional and private capacity.

How is the Guidance structured?

The Guidance comprises three sections:

1. Statutory background: which provides a “refresh” of the overarching framework surrounding the ICO’s enforcement powers, including the infringements under UK GDPR and the DPA, the maximum amount of a fine, restrictions on issuing fines, and the ICO’s approach to multiple infringements.
2. Circumstances in which the ICO consider it appropriate to issue a fine: including the seriousness of the breach, any relevant factors and the effectiveness, proportionality, and dissuasiveness of a fine.
3. Calculating fines: which illustrates the ICO’s five-step approach to calculating the amount of a fine.

The framework surrounding the ICO’s enforcement powers

The preamble to the Guidance serves as a reminder to organisations that the ICO may impose a fine where it is satisfied that a data controller or data processor has failed to comply with the provisions of the UK GDPR or DPA relating to:

• The principles of processing personal data.
• The rights conferred on data subjects.
• The obligations placed on data controllers and data processors, including the requirement to communicate a personal data breach to the ICO.
• The principles for transfers of personal data outside the UK.

The Guidance also sets out the statutory maximum amounts that can be fined by the ICO. Depending on the severity of the infringement, the Guidance provides for two levels of maximum fine as prescribed in the UK GDPR and DPA:

• The standard maximum amount is £8.7 million or, in the case of an undertaking, is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.
• The higher maximum amount is £17.5 million or, in the case of an undertaking, is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.

The Guidance also considers various circumstances where the ICO is either restricted from issuing fines, or where the issuing of a fine is subject to additional requirements.

When is it ‘appropriate’ for the ICO to issue a fine?

When determining whether or not to issue a fine, the ICO will have regard to:

• The seriousness of the breach (or breaches). The ICO will consider the factors listed in Articles 83(1) and 83(2) of the UK GDPR, particularly in relation to the nature, gravity and duration of the breach, the intention of the breach and the categories of personal data involved.
• Relevant aggravating or mitigating factors. A data controller or data processor should try to mitigate a breach and the ICO will consider any steps taken when assessing the appropriateness of imposing a fine.
• Whether a fine would be effective, proportionate and dissuasive. The ICO will also consider whether issuing a fine is an appropriate sanction for the breach, that it is appropriate and necessary in the circumstances, and that the fine promotes compliance with data protection legislation.

The Guidance explains that when the ICO considers issuing a fine, it will do so on a case-by-case basis and will aim to ensure that there is a broad consistency in the approach taken. However, it will not be bound by previous decisions. This will no doubt give the ICO wider discretion in its decision making.

How does the ICO calculate fines?

In a similar vein to the EDPB guidelines, the Guidelines explain that where the ICO has deemed it appropriate to impose a fine, it will calculate the amount of the fine by following a five-step methodology:

1. Assessment of the seriousness of the infringement.
2. Accounting for turnover (where the data controller or data processor is part of an undertaking).
3. Calculating the starting point having regard to the seriousness of the infringement.
4. Adjustment to take into account any aggravating or mitigating factors.
5. Assessment of whether the fine is effective, proportionate and dissuasive.

The Guidelines also explain that the ICO may, in its sole discretion (and in exceptional circumstances), reduce a fine where an organisation is unable to pay an imposed fine due to financial hardship. In such a situation, the ICO may grant a reduction where the organisation can demonstrate that their financial position merits such relief.

Our views

Organisations should be aware that the Guidance only relates to breaches of the UK GDPR and the DPA and is not applicable to Privacy and Electronic Communications Regulations 2003 (PECR) which offer additional privacy rights in relation to electronic communications.

Whilst the Guidance appears to be somewhat mechanistic in nature (particularly in respect of the ICO following prescribed factors in determining a breach and implementing a step-by-step approach to calculating fines), it will undoubtedly assist organisations by providing greater clarity surrounding the situations when and how the ICO will calculate and, if appropriate, issue fines.

It will be interesting to note any changes to the Guidance in response to comments received by organisations and individuals following the closing of the consultation process, at the end of November.

In the interim, for those organisations and individuals wishing to comment on the Guidance, the ICO has launched an online survey which can be found here.