The Information Commissioner's Office (ICO) published new data protection fining guidance on 18 March 2024, following an earlier public consultation. The guidance sets out how the ICO approaches the levying of fines, which is central to maintaining public trust in the regulation of personal data.
The guidance outlines how the regulator will handle breaches of data protection law, covering key aspects including:
- The ICO's legal power to issue penalty notices.
- The factors the regulator takes into account when deciding whether to issue a penalty notice.
- The ICO's five-step methodology for deciding the level of a fine.
Of particular interest to organisations processing personal data is the methodology for calculating fines, because businesses are often uncertain what a specific breach could cost them.
The guidance sets out the five steps the regulator will follow:
- Assess the seriousness of the infringement.
- Account for turnover, where the controller or processor is part of an undertaking.
- Calculate the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.
- Adjust to consider any aggravating or mitigating factors.
- Assess whether the fine is effective, proportionate, and dissuasive.
Understanding the ICO's fining methodology matters for businesses because of the size of the penalties available for non-compliance with UK data protection law. The ICO's enforcement powers include a higher maximum penalty of £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher, for infringements of the core provisions such as the data protection principles and data subjects' rights. The standard maximum for infringing other provisions, such as the legislation's administrative requirements, is £8.7 million or 2% of total annual worldwide turnover, again whichever is higher. Either amount could cripple many organisations.
The guidance is particularly timely given ongoing news coverage of historical and alleged data breaches involving high-profile businesses, government agencies, famous football clubs and even the Royal Family.
Tim Capel, the ICO's Director of Legal Services, emphasised the significance of the guidance, stating:
We believe the guidance will provide certainty and clarity for organisations. It outlines how we arrive at one of our most crucial decisions as a regulator by explaining when, how, and why we would levy fines for breaches of the UK General Data Protection Regulation or Data Protection Act 2018.
Becky White, Senior Data Protection & Privacy Solicitor, comments:
In light of the ICO's updated guidance, organisations should review their approach to data protection compliance and ensure it is fit for purpose. They should also be aware that the ICO publishes details of enforcement action, which can impact a business's reputation and lead to devastating financial consequences that many may find impossible to recover from.
The ICO website provides further detail on its fining guidance.
To ensure your business complies with UK GDPR and data protection laws, consider our Data Protection Health Check service, which provides a clear action plan, training, and support for your business. Alternatively, reach out to one of our experienced Data Protection Solicitors, who are available to help your business.