The ICO has published draft guidance around how it will flex its regulatory muscles when enforcing data privacy legislation in the UK. The draft statutory guidance, published on 1 October, will (once finalised) sit alongside the ICO’s Regulatory Action Policy and effectively complete the ICO’s comprehensive public mission statement.
Much of the information has already been published in some shape or form by the ICO, such as the detail of how its various enforcement notices and orders will work in practice. However, there is some new and interesting material, particularly the ICO's "nine-step mechanism" for calculating proposed monetary penalties. The nine steps, in the order the ICO applies them, are as follows:
1. Assessment of seriousness
2. Assessment of degree of culpability
3. Determination of turnover
4. Calculation of an appropriate starting point
5. Consideration of relevant aggravating and mitigating features
6. Consideration of financial means
7. Assessment of economic impact
8. Assessment of effectiveness, proportionality and dissuasiveness
9. Early payment reduction
More interestingly still, the ICO showed its hand on how it will calculate the specific starting point for a fine (Step 4 of the nine-step mechanism). The ICO's matrix sets out a broad range of starting points, from 0.125% of the relevant turnover (for a breach of low seriousness and a low degree of culpability) up to 3% of the relevant turnover (for a breach of very high seriousness with an intentional degree of culpability). Information of this kind has not been published before. The starting point is only a baseline, and the case-specific assessment of aggravating and mitigating factors, financial means and economic impact still follows, but it will undoubtedly prove extremely useful to any organisation facing the daunting prospect of a monetary penalty notice from the ICO.
The final nugget of information in the guidance (and one of equal interest to organisations subject to the ICO's jurisdiction) is that, when calculating a fine or otherwise exercising its regulatory functions, the ICO must have regard to the desirability of promoting economic growth. This element of the ICO's role stems from the Deregulation Act 2015 (described in its introductory text as an act "to make provision for the reduction of burdens resulting from legislation for businesses") and should not be forgotten, particularly in the current climate.
"The ICO’s approach is designed to help create an environment within which data subjects are protected, while ensuring business is able to operate and innovate efficiently in the digital age." Draft ICO regulatory action guidance