On March 18, 2024, the UK Information Commissioner’s Office (“ICO”) published new data protection fining guidance on how the ICO determines penalties and calculates fines. The guidance was subject to a consultation process in 2023, and covers a variety of topics and considerations relevant to penalties and fines, including:
- The ICO’s approach to fines where there has been more than one infringement by a controller or processor. In this respect, when the ICO finds that the “same or linked processing operations” infringe on more than one provision of the UK General Data Protection Regulation, the overall fine imposed must not exceed the maximum statutory amount that applies to the most serious of the individual infringements identified.
- The circumstances in which the ICO would consider it appropriate to issue a penalty notice. In carrying out its assessment, the ICO will consider: (1) the seriousness of the infringement, taking into account its nature, gravity and duration, whether it was intentional or caused by negligence, and the categories of personal data affected; (2) any relevant aggravating or mitigating factors, such as any action taken to mitigate the damage suffered by the relevant data subjects, any previous infringements, and the degree of cooperation with the ICO; and (3) whether imposing a fine would be effective, proportionate and dissuasive.
- How a fine will be calculated if the ICO determines that it is appropriate to impose a fine. A five step approach will be followed: (1) assessment of the seriousness of the infringement; (2) accounting for turnover, where the controller or processor is part of an undertaking; (3) calculation of the starting point having regards to the seriousness of the infringement and, where relevant, the turnover of the undertaking; (4) adjustment to take into account any aggravating or mitigating factors; and (5) assessment of whether the fine is effective, proportionate and dissuasive. The ICO’s guidance reiterates that the approach is not intended to be “mechanistic,” but rather that the regulator will carefully consider the circumstances of each case and apply a level of judgment in reaching the appropriate fine.
The new guidance applies to new cases and to ongoing cases where the ICO has not issued a notice of intent to impose a fine. Read the announcement and guidance.