ICO issues new guidance on penalty notices

The Information Commissioner’s Office (ICO) has recently updated its Regulatory Action Policy to include new guidance on how the Commissioner will exercise his or her discretion to issue a penalty notice and how the amount of any fine will be determined.

Data controllers and processors will be relieved to learn that in an Olympic year the ICO has resisted any temptation to adopt the ‘Higher, Faster, Stronger’ motto of its near namesake the International Olympic Committee (IOC). Instead, as the guidance makes clear, the ICO will continue to approach the questions of when to impose fines, and what amount, on the basis of the pragmatic but decidedly un-Olympian values of Section 155 of the Data Protection Act (DPA) 2018, which stipulates that monetary penalties should be ‘effective, proportionate, dissuasive’.

When the General Data Protection Regulation (GDPR) first came into force in 2018, the ICO’s vastly increased fining powers (up to £17.5 million or 4% of worldwide turnover), compared to the previous £500,000 maximum under the DPA 1998, created considerable shock and awe. Privacy professionals and data protection lawyers had an unusually attentive C-suite audience as companies raced to achieve compliance in order to avoid falling foul of a regulator armed with such draconian powers.

Since then, there have certainly been some eye-catching and (eye-watering) monetary penalties imposed by the ICO, with British Airways (£20 million), Marriott International (£18.4 million), and Clearview AI (£7.5 million) all on the receiving end of multi-million pound fines – albeit in the first two cases the final amounts were significantly lower than the ICO’s initial proposals.

As evidenced in part by a reduction in the proposed level of fines following representations by the companies involved, the ICO’s approach has always been (and remains under the new guidance) highly fact specific. This has often made it difficult for data controllers, and those advising them, to anticipate what the ICO’s approach will be in individual cases – particularly those not involving corporate behemoths with deep pockets and an ability to pay deterrent fines.

While committed to maintaining a multi-factorial approach and not strictly bound by previous decisions, the ICO has stated in its new guidance that it wishes to achieve ‘broad consistency’ in assessing whether issuing a penalty notice is appropriate.

When will the ICO issue a fine?

When deciding whether to issue a penalty notice the ICO will, as previously, have regard to the factors listed in Articles 83 (2) UK GDPR. In particular, the new guidance highlights three key considerations:

• the seriousness of the infringement or infringements;
• any relevant aggravating or mitigating factors; and
• whether imposing a fine would be effective, proportionate and dissuasive.

The ICO’s assessment of seriousness will include the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the categories of personal data affected.

In terms of mitigating factors, credit will normally be given for active and effective steps promptly taken to minimise the harm caused to data subjects. Cooperation with the ICO and proactive steps to report a cyber security breach to other appropriate bodies (such as the National Cyber Security Centre) will also weigh in mitigation.

Where a data controller brings an infringement to the ICO’s attention of its own volition, and prior to the ICO beginning an investigation, this is more likely to count as a mitigating factor.

Unsurprisingly, a dim view will be taken of prior bad behaviour, particularly if a data breach flows from a failure to learn lessons from a previous incident or to implement remedial steps previously required by the ICO.

Finally, the ICO will step back and consider whether a fine would achieve the touchstone of being ‘effective, proportionate and dissuasive’. The ICO will consider both a ‘specific deterrence’ to an individual data controller (which will factor in its size and financial position), and, pour encourager les autres, a ‘general deterrence’ to deter others from committing the same infringement. Accordingly, large corporate infringers will be particularly at risk of being made an example of.

How will the ICO calculate the level of the fine?

Once the ICO has decided to issue a penalty notice, the amount of the fine will be calculated using a five-step approach. The ICO will:

• first, assess the seriousness of the infringement;

• second, account for turnover (where relevant);

• third, calculate the starting point having regard to the seriousness of the infringement and, where relevant, turnover;

• fourth, make adjustments for any aggravating or mitigating factors; and

• finally, make any necessary adjustment to ensure the fine will be ‘effective, proportionate and dissuasive’.

While the guidance stresses that the methodology is not intended to be ‘mechanistic’ and will require evaluation and judgment in its application, it is to be hoped that it will provide a platform for greater certainty when advising clients on the likelihood and level of any regulatory fine.