New ICO fining guidance and an update on the ICO's enforcement approach

The sheer number of cases facing potential enforcement coupled with the shifting versions of draft guidance have, in recent years, made it hard to predict what (if any) action the ICO would take and when (if at all) an investigation might be concluded. Thankfully, the ICO has published new data protection fining guidance, alongside a commitment to be “more disciplined and focused and deliver outcomes more quickly”. 

The new guidance was published on 18 March, following a consultation last October (as discussed in our blog). It sets out in detail the ICO’s procedure for issuing and calculating fines under the UK GDPR and DPA 2018 and, by replacing and supplementing sections of the ICO’s 2018 Regulatory Action Policy, is intended to provide greater transparency to organisations and equip the regulator with a framework to deliver faster and more tailored enforcement action. As Commissioner Edwards recently said, this is meant to “provide the agility that has been missing”.

The guidance is accompanied by ICO comments on responses to the consultation. This provides colour to a number of the key changes made in the final draft. So, while the final guidance mirrors the draft version in many ways, its operation should be clearer. Four areas to note:

Fining the ‘undertaking’ 

Building on the concept of basing maximum fines on the turnover of the ‘undertaking’ as a whole (consistent with recent EU caselaw), the ICO has clarified that a parent company will be considered to have a ‘decisive influence’ over a wholly-owned subsidiary (and therefore held responsible for its conduct) when it has influence over the way the subsidiary processes personal data or provides goods or services to data subjects. 

In the consultation response, the ICO argues that this is both reasonable and proportionate, as otherwise a parent company could seek to artificially lower a fine by minimising the turnover for the group entity identified as a controller. The guidance also sets out that the ICO is generally unlikely to accept a financial hardship fine reduction request from a subsidiary from a broader undertaking if its parent is financially sound, meaning there is little scope for organisations to suppress or ‘let go’ of a controller subsidiary for tactical purposes. 

It is still not fully clear how the ICO intends to apply this reasoning consistently to multinational conglomerate groups or situations in which there are distinct sub-groups post-M&A activity. How soon after acquisition is the buyer really in control? In any event, how best to structure an ‘undertaking’ will continue to be a factor for organisations to consider when planning data localisation and operations. 

Multiple infringements

Where processing operations found to infringe more than one provision of the UK GDPR / DPA 2018 are:

1. ‘the same or linked’, the ICO may impose a fine amount for each infringement, provided that the sum of those amounts does not exceed the statutory maximum; and 
2. not ‘the same or linked’ (such as where one infringement relates to processing that led to a security breach; and another relates to processing involving transparency failings), the ICO may impose separate fines for each one, with each individually subject to the statutory maximum. 

In either case, the ICO may include these infringements in the same penalty notice.

Aggravating and mitigating factors

The updated guidance clarifies that the ICO will take into account mitigating actions which the controller/processor undertakes after they have notified a personal data breach to the regulator, as long as such measures have been implemented in a timely manner. This exemplifies the ICO’s commitment to a pragmatic approach to enforcement; doing something about a breach will always be considered more favourably than doing nothing. 

Information notices

The ICO also doubles down in the guidance and consultation response on its ability to use statutory information notices and information gathering powers, meaning that even where the regulator faces barriers to imposing financial penalties, infringing organisations can expect to be faced with enforcement action via alternative means. This aligns with an EU legal opinion delivered on 11 April which emphasises that data protection authorities must retain discretion to decide the most appropriate form of enforcement action. 

The guidance hopefully heralds the start of a new, more focused era of enforcement with clearer (and quicker) outcomes.