ICO Publishes New Guidance on Calculation of Fines

On 18 March 2024 the Information Commissioner’s Office (ICO) published its latest guidance on its approach to calculating fines (the Guidance). This follows an extensive consultation period that took place between October and November 2023.  

With the aim of offering greater clarity and improved transparency to organisations, the Guidance outlines the ICO’s ability to issue (and its methodology for calculating) fines resulting from breaches of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). 

How is the Guidance structured?

The Guidance comprises three sections:

  1. Statutory background: which provides a “refresh” of the overarching framework surrounding the ICO’s enforcement powers, including the infringements under UK GDPR and the DPA, the maximum amount of a fine, restrictions on issuing fines, and the ICO’s approach to multiple infringements.
  2. Circumstances in which the ICO considers it appropriate to issue a fine: including the seriousness of the breach, any relevant factors, and the effectiveness, proportionality, and dissuasiveness of a fine.
  3. Calculating fines: which illustrates the ICO’s ‘five-step’ approach to calculating the amount of a fine.

More generally, the Guidance also sets out the ICO’s position and approach in relation to its enforcement powers, as identified during the consultation period.

How does the ICO calculate fines?

In a similar vein to the EDPB guidelines, the Guidance explains that where the ICO has deemed it appropriate to impose a fine, it will calculate the amount of the fine by following a five-step methodology:

  1. Assessment of the seriousness of the infringement.
  2. Accounting for turnover (where the data controller or data processor is part of an undertaking).
  3. Calculating the starting point having regard to the seriousness of the infringement.
  4. Adjustment to take into account any aggravating or mitigating factors.
  5. Assessment of whether the fine is effective, proportionate, and dissuasive.

The Guidance also explains that the ICO may, in its sole discretion (and in exceptional circumstances), reduce a fine where an organisation is unable to pay an imposed fine due to financial hardship. In such a situation, the ICO may grant a reduction where the organisation can demonstrate that its financial position merits such relief.

Our views

The Guidance, which imparts greater certainty regarding how the regulator forms and can enforce its decisions surrounding fines, will no doubt be welcomed by organisations.

It should be noted, however, that the ability to impose fines is only one of many tools at the ICO’s disposal, some of which may have a far greater impact on organisations.  
