A few weeks ago, the Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) issued a memorandum of understanding (MoU) - see more here. One of the key points to come out of that MoU was that the ICO will recognise and encourage “appropriate engagement” with the NCSC on cybersecurity matters, including on incident response. One of the anticipated benefits of that engagement was the expectation that it might reduce any regulatory sanction further down the line. The ICO's data protection fining guidance, recently issued in draft for consultation, confirms this benefit.
It is well-established that when assessing whether it is appropriate to issue a fine and, if so, in deciding on the amount of that fine, the Commissioner will have regard to (amongst other things) any relevant aggravating or mitigating factors (see Article 83(2)(k) of the UK GDPR and the ICO's Regulatory Action Policy).
One such factor now listed in the ICO's draft fining guidance is the organisation's engagement and cooperation with regulators and agencies such as the NCSC. On this factor, the guidance states that the ICO will take into account:
“Any action the controller or processor took pro-actively to report a cyber security breach to other appropriate bodies (such as the National Cyber Security Centre (NCSC)) and whether it followed any advice or guidance provided. The Commissioner works with a range of other regulators and agencies, particularly in relation to cyber security matters. The Commissioner may give weight to a controller or processor’s engagement and cooperation with another appropriate body as a mitigating factor, where that cooperation goes beyond what is required by law. The Commissioner expects the controller or processor to demonstrate and provide evidence of the steps it has taken to follow any such advice or guidance. Reporting a security breach to another body is not a substitute for complying with an obligation to report personal data breaches to the Commissioner.”
Whilst the overall message in relation to this mitigating factor is clear, be warned that applying the five-step approach to calculating the amount of the fine (once a decision has been taken to fine) requires actuarial-level skills and a feat of mental gymnastics - something that will hopefully be fed back to the ICO during this consultation.
The Information Commissioner’s Office (ICO) is consulting on new draft guidance about how we decide to issue penalty notices and calculate fines under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). We refer to this new guidance as the draft Data Protection Fining Guidance.