ICO issues new guidance on calculating fines: An overview
Posted: May 3, 2024
The Information Commissioner’s Office (ICO), responsible for enforcing data privacy laws in the UK, recently introduced comprehensive new guidance detailing how fines for breaches of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) are calculated. Issued on 18 March 2024, this new Data Protection Fining Guidance is designed to bring greater clarity and consistency to the enforcement of data privacy regulations, affecting how businesses across the UK manage and protect personal data.
Introduction to the new guidance
The new guidance replaces the sections of the 2018 Regulatory Action Policy that dealt with penalty notices, and it applies to all new investigations and some ongoing investigations from its effective date. This update signals the ICO’s commitment to keeping its policies aligned with the changing dynamics of data privacy and regulatory enforcement.
Detailed breakdown of statutory maximums
Penalties for breaches of data protection law are subject to two statutory maximums, which apply depending on the severity and nature of the infringement:
- Standard maximum: Either £8,700,000 or 2% of the total worldwide turnover, whichever is higher.
- Higher maximum: Either £17,500,000 or 4% of the total worldwide turnover, whichever is higher.
These caps ensure that fines are not only punitive but also scaled appropriately relative to the financial stature of the infringing entity.
The concept of an “undertaking”
A pivotal element in the calculation of fines is the definition of an “undertaking.” This term refers to any entity engaged in economic activity, irrespective of its legal structure or how it is financed. Borrowed from EU competition law and integrated into UK data protection legislation, this concept allows the ICO to treat multiple legal entities that operate together as a single economic unit. Consequently, the global turnover of the entire economic unit is taken into account when determining fines, emphasizing collective accountability across connected entities.
Key factors influencing fine calculation
Assessing the seriousness of the infringement
The ICO categorizes the seriousness of a data protection violation into three levels – low, medium, and high – each of which sets the starting point for the potential fine:
- Low degree of seriousness: Fines can reach up to 10% of the statutory maximum.
- Medium degree of seriousness: Fines can range from 10% to 20% of the statutory maximum.
- High degree of seriousness: Fines can vary from 20% up to the full statutory maximum.
These assessments consider factors such as the intent behind the breach, its duration, the nature of the infringement, the types of data involved, and the extent of harm caused to data subjects. In particular, processing that involves high-risk technologies or sensitive data about vulnerable groups, such as children, is treated more stringently.
Influence of aggravating and mitigating factors
Further adjustments in the fine calculation are made based on both aggravating and mitigating factors:
- Aggravating factors: These include repeated breaches, poor cooperation with the ICO, and actions that exacerbate the impact or duration of the breach.
- Mitigating factors: Proactive measures to mitigate damage, effective cooperation with the ICO, and a history of compliance can significantly reduce the potential fines.
These considerations ensure that the fines are not only tailored to the specific characteristics of each breach but also reflective of the entity’s overall response and compliance history.
Calculation process explained
To determine a fine, the ICO begins by identifying the appropriate statutory maximum based on the nature of the infringement, then adjusts this figure according to the seriousness category and the entity’s turnover:
- For smaller businesses: Companies with a turnover of less than £2 million might see significantly reduced fines, accommodating their limited financial capability.
- For larger corporations: Entities with substantial turnovers face penalties that are meant to serve as a significant economic deterrent, yet remain proportionate to their financial size.
This structured calculation process, which also accounts for any aggravating or mitigating factors, ensures that penalties are both equitable and impactful.
Considerations for financial hardship
In situations where imposing a standard fine might endanger the economic viability of a business, the ICO allows for adjustments based on demonstrated financial hardship. This flexibility requires businesses to present substantial evidence of their financial struggles during the investigative phase, thereby ensuring that the fines imposed do not lead to disproportionate economic consequences.
Conclusion and recommendations
The ICO’s revised guidance on calculating fines marks a significant advancement toward more transparent and uniform enforcement of data privacy laws in the UK. By clearly delineating the criteria for assessing fines, the guidance aids businesses in understanding their compliance obligations and the potential repercussions of failing to protect personal data adequately.
This move encourages businesses to adopt a proactive stance on data protection, emphasizing the importance of stringent compliance frameworks and active management of privacy practices. Businesses should thoroughly review this new guidance to adjust their data protection strategies accordingly. This not only helps in avoiding substantial fines but also plays a crucial role in building trust by ensuring the privacy and security of user data.
Ultimately, the ICO aims to create a compliance-oriented environment where data protection is ingrained in the operational fabric of every organization, reinforcing the UK’s commitment to safeguarding personal information in an ever-expanding digital world.
Enhancing GDPR compliance through a Consent and Preference Management Platform
Cassie, our tailored consent and preference management platform, is an essential tool for organizations striving to ensure GDPR compliance. By enabling clear communication of consent options and allowing users to easily manage their preferences, Cassie facilitates transparent data collection processes in full compliance with GDPR mandates. Our platform ensures that all data subjects are thoroughly informed and that their consents are explicitly recorded and easy to withdraw at any time. Cassie automatically documents and manages user consents, providing a reliable audit trail that proves invaluable during regulatory inspections or audits by bodies such as the ICO. By using Cassie, organizations not only adhere to the GDPR’s requirements for lawful, fair, and transparent processing but also build trust by empowering customers with control over their personal data.