The Information Commissioner (the "Commissioner") has a number of powers including the ability to impose a fine when an organisation has failed to comply with:
- certain provisions of the UK GDPR or DPA 2018; or
- an information notice, an assessment notice, or an enforcement notice [1].
In March 2024, the Information Commissioner's Office (the "ICO") published a new Data Protection Fining Guidance [2] (the "Guidance") which replaced the sections about penalty notices in the ICO's Regulatory Action Policy [3] (November 2018). The Guidance aims to "provide certainty and clarity for organisations" and is vital reading for any organisation seeking to understand how the ICO will apply its power to impose a fine.
Amongst other things, the Guidance explains the circumstances in which the Commissioner considers the issuing of a penalty notice to be appropriate and the approach taken to determine the amount of a fine. As explained below, the Commissioner will take into account any relevant aggravating and mitigating factors when deciding whether to increase or reduce a monetary penalty. The Guidance does not only relate to new infringements of the UK GDPR/DPA 2018; it also applies to ongoing cases in which the ICO has not yet issued a notice of intent.
Seriousness of an infringement
The Commissioner will have regard to the factors set out in Article 83(2) UK GDPR when deciding whether to impose an administrative fine and when considering the relevant amount. As part of this assessment process, the Commissioner will assess the seriousness of an infringement, which will involve taking into account: (i) the nature, gravity and duration of the infringement; (ii) whether it was intentional or negligent; and (iii) the categories of personal data affected. The Guidance says that if the "Commissioner decides that the infringement was serious having regard to those factors, then it is likely that the Commissioner will issue a penalty notice, unless there are mitigating factors that outweigh that assessment" [4].
Fine calculation
The Guidance sets out a five-step approach for calculating the amount of any fine, but highlights that the assessment will also involve evaluation and judgment, and that in exceptional circumstances a fine may be reduced if the organisation is unable to pay due to financial hardship. We do not address the five-step approach in detail for the purposes of this article but, in summary, the Commissioner follows these steps:
- Step 1: Assessment of the seriousness of the infringement.
- Step 2: Accounting for global turnover from the previous financial year (where the controller or processor is part of an undertaking).
- Step 3: Calculation of the starting point of a fine.
- Step 4: Adjustment to take into account any aggravating or mitigating factors (these same factors are considered by the ICO when determining whether it is appropriate to issue a fine in the first place).
- Step 5: Assessment of whether the fine is "effective, proportionate and dissuasive".
The Commissioner will consider each case individually, taking into account the relevant circumstances, and any fine imposed is subject to a statutory maximum. There are two tiers of maximum, and which one applies depends on the statutory provision that has been infringed. The 'standard maximum amount' is £8.7m or 2% of the undertaking's global annual turnover in the preceding financial year (whichever is higher). The 'higher maximum amount', which applies to infringements of the provisions the DPA 2018 places in the higher tier (for example the data protection principles in Article 5 UK GDPR), is £17.5m or 4% of the undertaking's global annual turnover in the preceding financial year (whichever is higher).
Comments
- Subsidiaries - the Guidance clarifies that where a controller or processor forms part of an undertaking, for example where it is a subsidiary, the ICO will calculate the maximum fine based on the total worldwide annual turnover of the undertaking as a whole.
- Mitigation - the ICO can reduce a fine if a data controller or processor can demonstrate that it has proactively taken appropriate and effective steps to mitigate the damage suffered by data subjects. If the action taken had no effect (or only a limited effect) on mitigating the damage, then the Commissioner is likely to give it less weight. In the context of malicious data breach incidents, we set out below examples of possible mitigation steps:
- Co-operate with the ICO and appropriate bodies such as the NCSC, and follow their advice and guidance – the ICO's position is that an organisation's engagement and cooperation may be considered a mitigating factor where that "cooperation goes beyond what is required by law".
- Take steps to support data subjects to minimise the level of damage that might be suffered, such as offering counselling and/or free credit and identity monitoring services (this may be appropriate where data subjects' identification documents and/or relevant financial information have been compromised).
- Consider appropriate legal action. This could include: (1) issuing a takedown notice to the cloud hosting provider(s) used by a threat actor to store the organisation's stolen data; and/or (2) obtaining a High Court injunction against the threat actor (and any third party) to prohibit the use, publication, communication and disclosure of the stolen data (this is still a rare and novel step, and the ICO has yet to state a formal position on it).
- Previous infringements / aggravating factors - if a previous infringement concerns a similar subject matter, arose in a similar manner, and/or occurred recently, the Commissioner is likely to consider this to be an aggravating factor. The ICO has previously stated that in assessing whether an organisation has 'appropriate' cyber security measures, it will do so by reference to the National Cyber Security Centre's technical guidance and standards. In these circumstances, it is imperative for organisations to learn lessons from previous data breach incidents, to ensure that appropriate technical and organisational measures are in place, to review their internal cyber hygiene policies and to keep their staff up to date with data protection training.
[1] Section 155(1)(a) and (b) DPA 2018
[3] https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf (pages 24 and 27)