ICO issues new guidance on penalty notices

James Quartermaine takes a closer look at the new guidance from the ICO
The Information Commissioner’s Office (ICO) has recently updated its Regulatory Action Policy to include new guidance on how the Commissioner will exercise his or her discretion to issue a penalty notice and how the amount of any fine will be determined.
Data controllers and processors will be relieved to learn that in an Olympic year the ICO has resisted any temptation to adopt the ‘Higher, Faster, Stronger’ motto of its near namesake the International Olympic Committee (IOC). Instead, as the guidance makes clear, the ICO will continue to approach the questions of when to impose fines, and what amount, on the basis of the pragmatic but decidedly un-Olympian values of Section 155 of the Data Protection Act (DPA) 2018, which stipulates that monetary penalties should be ‘effective, proportionate, dissuasive’.
When the General Data Protection Regulation (GDPR) first came into force in 2018, the ICO’s vastly increased fining powers (up to £17.5 million or 4% of worldwide turnover), compared to the previous £500,000 maximum under the DPA 1998, created considerable shock and awe. Privacy professionals and data protection lawyers had an unusually attentive C-suite audience as companies raced to achieve compliance in order to avoid falling foul of a regulator armed with such draconian powers.
Since then, there have certainly been some eye-catching and (eye-watering) monetary penalties imposed by the ICO, with British Airways (£20 million), Marriott International (£18.4 million), and Clearview AI (£7.5 million) all on the receiving end of multi-million pound fines – albeit in the first two cases the final amounts were significantly lower than the ICO’s initial proposals.
As evidenced in part by a reduction in the proposed level of fines following representations by the companies involved, the ICO’s approach has always been (and remains under the new guidance) highly fact specific. This has often made it difficult for data controllers, and those advising them, to anticipate what the ICO’s approach will be in individual cases – particularly those not involving corporate behemoths with deep pockets and an ability to pay deterrent fines.
While committed to maintaining a multi-factorial approach and not strictly bound by previous decisions, the ICO has stated in its new guidance that it wishes to achieve ‘broad consistency’ in assessing whether issuing a penalty notice is appropriate.
When will the ICO issue a fine?
When deciding whether to issue a penalty notice the ICO will, as previously, have regard to the factors listed in Articles 83 (2) UK GDPR. In particular, the new guidance highlights three key considerations:
- the seriousness of the infringement or infringements;
- any relevant aggravating or mitigating factors; and
- whether imposing a fine would be effective, proportionate and dissuasive.
The ICO’s assessment of seriousness will include the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the categories of personal data affected.

.jpg&w=3840&q=60)

.jpg&w=3840&q=60)









