Tue 30 Apr 2024

New ICO Fining Guidance: A step towards clarity

The Information Commissioner’s Office recently issued new guidance on the issuing of penalties and calculation of fines.

The guidance is welcomed as it provides clarity for businesses on the financial consequences for certain infringements of the UK GDPR and the Data Protection Act 2018. The guidance details the approach taken by the Information Commissioner when exercising his discretion to issue penalty notices. This includes clarification of when a penalty notice is appropriate and an explanation of how a fine amount is calculated.

Undertakings

For the purpose of imposing a fine, an undertaking will be defined in accordance with competition law. As such, an undertaking is any entity that is engaged in economic activity. In circumstances where a controller or processor forms part of an undertaking, the fine will be calculated based on the undertaking as a whole.

Penalty Notices: ICO Approach

Article 83(2) of the GDPR sets out relevant factors that the Commissioner is required to take into account when imposing administrative fines. Such factors include the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken to mitigate the damage, previous infringements, the degree of cooperation and the categories of personal data affected. The guidance expands on this by identifying three key factors which will be considered when determining the appropriateness of issuing a fine. The three factors include:

  • the seriousness of the infringement;
  • any relevant aggravating or mitigating factors; and
  • the effectiveness, proportionality and dissuasiveness of the fine.

Seriousness

If the Commissioner considers the infringement to be serious, it is likely that a penalty notice will be issued unless mitigating factors can be evidenced. When assessing the level of seriousness, regard will be had to the nature, gravity and duration of the infringement, its intentional or negligent character and the categories of personal data affected.

In determining the nature and gravity of the infringement, the Commissioner will consider aspects such as the circumstances of the case, the number of data subjects affected and the level of damage. It is more likely that an infringement will be regarded as serious where intent on the part of the controller or processor can be evidenced. For example, where the infringer is likely aware that their conduct would constitute an infringement, the Commissioner would be more inclined to impose a penalty notice. However, even if such conduct was not intentional, a penalty notice may be imposed in circumstances where the conduct breached the duty of care required and was therefore negligent.

Infringements which involve the processing of specially protected data, such as the types of data listed in Article 9 of the GDPR, will likely be regarded as serious. Furthermore, where particularly sensitive data such as location, private communication and financial data has been affected, the Commissioner may take this into account when assessing seriousness.

Aggravating/Mitigating factors

The next step after determining the seriousness of an infringement will be for the Commissioner to consider any aggravating or mitigating factors relating to the infringement. Such factors include:

  • Action taken to mitigate damage suffered by data subjects;
  • The degree of responsibility of the controller or processor;
  • Relevant previous infringements by the controller or processor;
  • The degree of cooperation with the Commissioner;
  • The manner in which the infringement became known to the Commissioner;
  • Measures previously ordered against the controller or processor;
  • Adherence to approved codes of conduct or certification mechanisms; and
  • Any other aggravating or mitigating factor.

Effectiveness, proportionality and dissuasiveness

The Commissioner will consider whether imposing a fine would achieve the objectives of ensuring compliance or providing an appropriate sanction (effectiveness) before considering whether the imposition of a fine will act as a genuine deterrent to future non-compliance (dissuasiveness). Thereafter, the Commissioner will assess whether imposing a fine exceeds what is appropriate and necessary to meet those objectives.

Calculation of the Fine

The guidance also provides greater transparency on the calculation of the appropriate amount of the fine. When calculating a fine, the five-step approach below is adopted:

  1. Assessment of the seriousness of the infringement.
  2. Accounting for turnover.
  3. Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.
  4. Adjustments to take into account any aggravating or mitigating factors.
  5. Assessment of whether the fine is effective, proportionate and dissuasive.

The guidance notes that this is not a mechanical process; each fine will be assessed with regard to the individual circumstances and will involve a level of evaluation and judgement.

The guidance also confirms that, in the event of more than one infringement by a controller or processor, the Commissioner will consider whether the infringements result from the same or linked processing operations, or whether there has been a separate form of conduct giving rise to separate infringements. If the infringements are the same or linked, Article 83(3) will apply, meaning that the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

Conclusion

The guidance provides a degree of clarity on how the ICO approaches enforcement action. However, it remains challenging to predict the financial implications of an infringement. The ICO will adopt an individualistic approach to penalty notices and fines; it is therefore vital for businesses and organisations to review their compliance with the UK GDPR and the Data Protection Act to ensure they are not at risk of infringement.

Should you have any queries in relation to the fining guidance and/or compliance with the GDPR and the Data Protection Act, please do not hesitate to get in touch with Valerie Armstrong-Surgenor, Partner in the IPTC team at Morton Fraser MacRoberts.

This article was co-authored by Trainee Solicitor Erin Thomson.
