The Information Commissioner's Office (the ICO) has recently published new guidance for issuing fines for data protection breaches. It provides a detailed framework for determining the level of fines that should be issued, considering factors such as the severity of the breach, the number of people affected and the level of co-operation from the organisation in question.
The guidance also explains the legal framework that gives the ICO the power to impose fines, how the ICO will approach key questions such as identifying the wider 'undertaking' or economic entity of which the controller or processor forms part, and the methodology the ICO will use to calculate the appropriate amount of the fine.
The ICO is the UK's regulator for data protection and privacy, with the power to impose fines on organisations that violate data protection laws. The fines are designed to be a deterrent to organisations that fail to protect personal data, with the maximum fine for a serious breach being 4% of the organisation's global turnover or £17.5 million, whichever is greater.
What does the ICO’s new fining guidance state?
The new guidance takes into account significant changes in the data protection landscape, including the introduction of the General Data Protection Regulation in 2018 (now known as the 'UK GDPR'). It introduces a two-stage process for determining fines, assessing the severity of the breach and the organisation's culpability.
The severity of the breach is assessed by considering the impact that the breach has had on individuals, while the organisation's culpability is assessed by considering factors such as the organisation's awareness of the breach, its compliance history and its level of responsibility for the breach.
The guidance also sets out a number of aggravating and mitigating factors that the ICO will take into account when determining the level of the fine. Aggravating factors include the organisation's failure to take appropriate technical and organisational measures to protect personal data, while mitigating factors include the organisation's prompt and effective action to mitigate the impact of the breach.
How much could an organisation be fined for breaching data protection?
The amount of the fine that the ICO can impose for an infringement of the UK GDPR is subject to a statutory maximum.
There are two levels of maximum fine – the standard maximum amount and the higher maximum amount, depending on the statutory provision that has been infringed. The maximum fine amounts for each level differ based on whether the controller or processor is an 'undertaking'.
The standard maximum amount is £8.7 million or 2% of the undertaking's total worldwide annual turnover, whichever is higher, while the higher maximum amount is £17.5 million or 4% of the undertaking's total worldwide annual turnover, whichever is higher.
The applicable statutory maximum amount is only calculated by reference to a percentage of turnover where an undertaking's total worldwide annual turnover exceeds certain thresholds.
What is the process by which the ICO issues fines?
The ICO can impose fines for a wide range of infringements under the UK GDPR and the Data Protection Act 2018, and will assess each case individually before deciding whether to issue a penalty notice.
It will consider the seriousness of the infringement, any relevant aggravating or mitigating factors, and whether imposing a fine would be effective, proportionate, and dissuasive. The assessment is fact-specific and will depend on the circumstances of each individual case.
If the ICO decides to issue a penalty notice, it will apply its methodology for determining the fine amount. It may also require corrective measures in addition to, or instead of, a fine.
The fine amount is calculated by applying a five-step approach:
- Assess the seriousness of the infringement
- Account for turnover (where the controller or processor is part of an undertaking)
- Calculate the starting point, taking into account the seriousness of the infringement and, where relevant, the turnover of the undertaking
- Adjust the fine amount to take into account any aggravating or mitigating factors
- Assess whether the fine is effective, proportionate and dissuasive.
What does the ICO’s new fining guidance mean for public bodies?
The new guidance has significant implications for businesses and other organisations.
It emphasises the importance of implementing effective data protection measures, and having a clear and effective breach response plan in place.
Non-compliance with the new guidance can result in significant fines and reputational damage. It is therefore essential that organisations take steps to protect personal data and comply with the new guidance.
The guidance also provides an opportunity for organisations to review their data protection measures and ensure they are up to date and effective.
By doing so, they can minimise the risk of fines and protect the personal data of both their customers and employees.
Summarising the ICO’s new fining guidance
In conclusion, the ICO's new fining guidance is an important development for public bodies.
It provides a detailed framework for determining the level of fines that should be issued for data protection breaches and emphasises the importance of implementing effective data protection measures.
Organisations must take data protection seriously and comply with the new guidance. Failure to do so can result in significant fines and reputational damage.
By implementing effective data protection measures, and having a clear and effective breach response plan in place, organisations can minimise the risk of fines and protect the personal data of their customers and employees.