On 2 October 2023, the ICO released for consultation new draft guidance on how it decides to issue penalty notices and calculate fines under the UK GDPR and the DPA 2018 (the “draft Fining Guidance”). This follows on from the European Data Protection Board’s (EDPB) Guidelines on the calculation of administrative fines in June 2023 (see our blog post here) and organisations will welcome the sense of alignment between the UK and EU.
While this is the third time in three years that the ICO has published draft guidance on its enforcement powers, given the level of detail and practical guidance in the draft Fining Guidance it is clear that the ICO has considered previous feedback (and criticism). Assuming ‘this is it’ in terms of guidance, the draft Fining Guidance will be key to controllers assessing their risks (and working pre-emptively to mitigate those risks) as it sets out:
- the legal framework that gives the ICO the power to impose fines;
- the circumstances in which the ICO would consider it appropriate to issue a penalty notice; and
- how the ICO calculates the appropriate amount of the fine, including the factors that determine whether it is effective, proportionate and dissuasive.
Like the EDPB, the ICO has proposed a five-step methodology for setting fines, following the factors identified in Article 83 of the UK GDPR. Once an infringement has been found, the starting point remains a percentage of turnover (rather than the nature of the infringement). The ICO therefore provides for:
- suggested percentage ranges (of the legal maximum) as a calculation starting point for infringements falling within three different levels of severity, with guidance provided on each category; and
- further adjustments of this starting penalty amount based on percentage bandings reflecting organisations’ global turnover.
The draft Fining Guidance also follows the EDPB’s approach in its guidelines (and comments on recent EU cases) by making clear that (a) maximum fines will be based on the turnover of the undertaking as a whole (e.g. not just the relevant controller but the wider group of which it is a part); and (b) where the overall conduct has infringed more than one provision of the UK GDPR or Part 3 or Part 4 DPA 2018, the most serious individual infringement will determine the maximum applicable fine but there may be fines for each further infringement from similar or linked processing operations.
As well as setting the starting point and maximum fines, the draft Fining Guidance sets out how the ICO will take into account (i) the seriousness of the infringement; (ii) any relevant aggravating or mitigating factors; and (iii) whether imposing a fine would be effective, proportionate and dissuasive. Importantly for those weighting risk factors, the draft Fining Guidance notes that the ICO’s assessment of the level of damage suffered by data subjects will be limited to what is necessary to evaluate the seriousness of the infringement and typically would not include the harm suffered either in aggregate or by specific data subjects, and is also without prejudice to any court decisions in respect of compensation for damage suffered (so controllers cannot assume there will not be a ‘double’ payout).
Helpfully, while accepting it will not formally be bound by past decisions, the ICO does promise to ensure there is broad consistency in the approach taken when assessing whether it is appropriate to issue a penalty notice. Taken with the clear attempts to align with the EDPB’s approach (and decisions), the draft Fining Guidance (if adopted) should provide data controllers and processors with greater clarity as to when and how the ICO will calculate and impose fines (and risk-weighting of preventative measures).
The consultation closes on 27 November 2023 and the ICO will then consider the responses received and take these into account in deciding whether to make any changes to the draft Fining Guidance.