Unpacking the Information Commissioner’s Office’s New Fining Guidance: What You Need to Know
The Information Commissioner’s Office (ICO) has introduced new fining guidance that provides a structured framework for determining fines under the UK’s data protection laws. This guidance offers critical insights into the factors the ICO considers when deciding to levy fines, ensuring transparency and understanding for organisations subject to UK data protection regulations.
Step-by-Step Process of Fine Calculation
Nature, Gravity, and Duration of Infringement
The Information Commissioner’s Office guidance outlines a clear methodology, starting with the assessment of the nature, gravity, and duration of the infringement. This evaluation focuses on the seriousness of the violation, considering both the scale and the potential or actual harm caused to data subjects.
Aggravating and Mitigating Factors
The guidance identifies both aggravating and mitigating factors that could influence the final fine amount. Aggravating factors may include deliberate violations or failures to cooperate with investigations, whereas mitigating factors might involve proactive measures taken by the organisation to address and rectify the breach before the Information Commissioner’s Office intervenes.
Information Commissioner’s Office: Effectiveness, Proportionality, and Dissuasion
Fines must be effective, proportionate, and dissuasive. The ICO aims to ensure that penalties are substantial enough to discourage non-compliance while being fair and commensurate with the severity of the infringement.
Calculation Based on Turnover
Determining the Starting Point
The starting point for fine calculation is based on the organisation’s turnover. The ICO uses illustrative tables to provide clarity on how fines are proportionally related to the financial standing of the organisation. This method ensures that fines are significant yet manageable relative to the size and economic capacity of the business.
Concept of an Undertaking
An ‘undertaking’ is defined according to UK competition law, considering a single economic unit rather than a strict commercial or tax law perspective. This means the turnover of the entire group or parent company may be considered, impacting the potential fine size significantly.
Specific Factors Influencing Fine Calculation
Systematic and Extensive Profiling
The ICO highlights that large-scale profiling and processing of personal data can increase the seriousness of an infringement. This includes activities that involve systematic and extensive profiling of data subjects, such as in the case of the EasyLife fine.
Number of Data Subjects Affected
The guidance clarifies that both the actual and potential number of data subjects affected will be considered. This approach raises the stakes for organisations, as potential impacts, not just actual damages, can influence the fine.
Types of Personal Data
Certain types of data, such as financial, location, and special category data, are deemed particularly sensitive. Infringements involving these data types may attract higher fines due to the increased risk and potential harm to data subjects.
Discrimination and Psychological Harm
The ICO now explicitly includes non-material damage, such as discrimination and psychological harm, as factors in fine calculations. This reflects a broader understanding of the potential impacts of data breaches and the importance of protecting data subjects from various forms of harm.
Cooperation and Mitigation
Proactive Measures and Cooperation
The ICO favours organisations that demonstrate proactive measures to mitigate breaches. Cooperation with supervisory authorities and prompt, transparent actions can significantly reduce the severity of fines. Delayed or obstructive behaviours, however, are likely to be seen as aggravating factors.
Reporting to the NCSC
While not a legal obligation, reporting cybersecurity incidents to the National Cyber Security Centre (NCSC) and following its guidance can be seen as a positive mitigating factor. This demonstrates a commitment to addressing and managing data breaches effectively.
Comparison with EDPB Guidance
The ICO’s approach aligns with the European Data Protection Board (EDPB) guidance, indicating a convergence in methodologies for calculating administrative fines across the UK and EU. This alignment provides additional clarity and consistency for organisations operating in multiple jurisdictions.