ICO new fining guidance
Tuesday 2nd April 2024
On 18 March 2024, the Information Commissioner’s Office (ICO) published its new data protection fining guidance which aims to provide greater transparency and clarity for organisations in its approach to issuing penalties and calculating fines.
The ICO will enforce fines where it is satisfied that a controller or processor has failed or is failing to comply with data protection laws. For example, where it is failing to act upon data subjects’ rights, failing to notify the ICO of data breaches where required, or failing to provide information to the ICO when requested.
Factors taken into account when deciding if a penalty fine is appropriate:
The ICO will consider:
- the seriousness of the infringement including the nature, gravity and duration; whether it was intentional or negligent; and the categories of personal data affected;
- relevant aggravating or mitigating factors including but not limited to: the effect of mitigating factors, the degree of responsibility of the controller or processor, taking into account its size and resources; the nature and purpose of the processing; relevant previous infringements; and the degree of cooperation with the ICO; and
- effectiveness, proportionality and dissuasiveness of issuing a penalty notice.
Calculating the fine:
If the ICO wants to issue a penalty notice, it will take itself through the following steps:
Step one: assessment of the seriousness of the infringement.
Step two: accounting for turnover.
Step three: calculation of the starting point (based on the outcome of steps 1 and 2).
Step four: aggravating and mitigating factors.
Step five: adjustment to ensure the fine is effective, proportionate and dissuasive.
In some circumstances, the ICO may reduce the fine where an organisation is unable to pay because of their financial hardship. In the last 12 months, we have also seen a reduction in the number of fines issued by the ICO to public authorities which ultimately has an impact on the taxpayer and an increase in warnings, reprimands and enforcement notices.
The maximum fine amount that the ICO may impose will be determined by the statutory provision that has been infringed. The standard maximum amount will be the higher of either £8.7 million or 2% of the worldwide turnover in the preceding financial year; and the higher maximum amount will be the higher of either £17.5 million or 4% of the worldwide turnover in the preceding financial year.
Key takeaways
The ICO has highlighted that the five-step approach for calculating fines is ‘not intended to be mechanistic. The overall assessment of the appropriate fine amount involves evaluation and judgement, taking into account all the relevant circumstances of the individual case.’
This is a welcome reminder that if organisations can demonstrate that they already have the appropriate data protection security measures in place and can show that they acted efficiently and effectively to mitigate the effects of a breach, it may work in an organisation’s favour.
If you would like to speak to a member of the data team about your current data protection policies and procedures, please contact the team.