The Information Commissioner’s Office (ICO) has published new guidance setting out how it will determine penalty notices and calculate fines under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).
The new data protection fining guidance (48 pages / 1.4 MB) is aimed at providing organisations with greater transparency as to how the ICO goes about using its power to issue fines. This guidance comes at a time when data protection and privacy issues are at the forefront of public and corporate consciousness, with the increasing digitalisation of services and the proliferation of data-driven models.
Cyber, privacy and technology specialist Ellie Ludlam of Pinsent Masons said: “From a cyber perspective, there are some interesting clarifications. For example, the guidance sets out what the ICO would consider to be negligent, which specifically includes a failure to apply updates.”
The guidance clarifies that if certain categories of personal data elements are in the scope of a breach, the ICO is likely to consider the breach to be serious. These include not only special categories of personal data and criminal offence data but also other types such as passports, driving licences, private communications – particularly those including intimate details – location data and financial data.
In terms of mitigating factors, the update specifically states that the ICO is more likely to take into account actions taken by a controller or processor to mitigate the damage suffered by data subjects, if these are implemented prior to the ICO investigation.
The Commissioner may impose a fine when satisfied that a firm has failed to comply with the provisions of the UK GDPR or DPA. This test will be satisfied where a controller or processor has failed, or is failing, to comply with provisions relating to the principles of processing, rights conferred on data subjects, and obligations such as the requirement to report a personal data breach.
The Commissioner can also impose a fine where the business fails to provide information that the Commissioner reasonably requires, fails to allow an inspection of documents or information, or does not comply with a requirement set out in an enforcement notice, such as a requirement to rectify or erase personal data.
Further, the ICO has clarified that it will take into account the manner in which it found out about the infringement. The ICO may view an organisation proactively notifying the ICO about its infringement as a mitigating factor (provided that the ICO was not already aware of such infringement). However, if the ICO finds out about an infringement through a complaint, media coverage or its own intelligence, this will be considered as having a neutral impact. Previously, although not stated explicitly by the ICO, the sense was that if it found out about a breach from a third party, this would act as an aggravating factor.
The guidance also expressly says that the ICO may give weight to engagement with bodies such as the National Cyber Security Centre. Again, this is something which has been referenced before, but which did not form part of the previous ICO Regulatory Action Policy.
Greater detail has also been provided on the five-step approach the ICO will apply when calculating fines, to achieve consistency. If the ICO decides to issue a penalty, it will first assess the seriousness of the infringement. The second step accounts for the organisation’s turnover, and the third calculates the starting point for the fine, taking into account both the seriousness of the issue and the firm’s annual turnover. The fourth step adjusts that figure for any aggravating or mitigating circumstances, such as action taken by the organisation to correct the issue prior to an ICO investigation. Finally, the ICO will assess whether the fine is effective, proportionate and dissuasive.
The new guidance provides welcome clarity as to the ICO’s approach to fines and penalties.