On 18 March 2024, the ICO published new guidance on how it determines penalties and calculates fines. The guidance follows a consultation on a draft version at the end of 2023, and comes against a backdrop of year-on-year growth in enforcement activity: so far in 2024 the ICO has issued 6 fines totalling just under £1 million, compared with 2 fines totalling £325,000 in the same period last year. That said, it is always worth remembering that fines are only one of the ICO's enforcement options; it may also issue assessment notices, warnings, reprimands and enforcement notices.
The new data protection fining guidance is split into 3 sections:
- The legal framework that gives the ICO the power to impose a penalty notice;
- Circumstances where the ICO would consider it appropriate to issue a penalty notice; and
- The methodology the ICO will use to calculate the appropriate amount of a fine.
The European Data Protection Board published its own guidelines in mid-2023 on the same topic.
Where the guidance is perhaps of most practical use to organisations (and where this article focuses) is the section on the circumstances in which the ICO would consider it appropriate to issue a penalty notice. This section is further divided into 3 parts:
- The seriousness of the infringement (i.e., the nature, gravity, duration, intention/negligence, and the categories of personal data affected);
- Aggravating or mitigating factors (such as the degree of cooperation with the ICO, the manner in which the ICO became aware of the infringement, and the actions taken to mitigate the infringement); and
- Whether the penalty notice would be effective, proportionate, and dissuasive.
The substance closely follows the EDPB guidelines, both in content and level of detail. A key practical point reflected in the guidance is that the ICO expects transparency and active mitigation to be the minimum standard organisations set out to achieve when an infringement occurs. For example, in the context of a data breach, proactively reporting to other relevant bodies such as the National Cyber Security Centre (NCSC) may be treated as a mitigating factor (see our article here on this topic).
What was updated after the consultation?
The majority of the final guidance is substantively unchanged from the draft version. However, some noteworthy changes include:
- Clarification on how the ICO will issue fines for multiple infringements – in cases involving infringements of more than one provision of the UK GDPR, where the processing activity is linked, the guidance indicates that the ICO may impose a fine for each infringement, as long as the sum of those penalties does not exceed the statutory maximum. The following example has been added to that section:
“if the Commissioner imposes a fine for the infringement of [the example outlines two different infringements but for a linked processing activity], the combined total of the two fines must not exceed £17.5 million or 4% of turnover (whichever is higher)”– Para 42
- Intentional infringements are regarded as particularly serious (and the ICO is likely to issue a penalty notice where it considers an infringement to be serious) – the following has been added as an example of circumstances the ICO may treat as an indication of intention:
“where the risks had been brought to its attention [of the controller/processor] by an individual, the Commissioner or other third party” – Para 65
- Self-reporting to the ICO is a mitigating factor, even where an organisation is under a statutory duty to notify (independent of the UK GDPR) – the following has been added:
“Where a controller is under a statutory duty to notify the Commissioner of a personal data breach it can still benefit from this mitigating factor. Therefore, this mitigating factor may apply even if the controller takes steps to implement such measures after informing the Commissioner about the personal data breach. However, in order for the mitigating factor to apply, the Commissioner expects the controller to take steps to mitigate any damage in a timely manner” – Para 77