The ICO’s new data protection fining guidance

The ICO’s new data protection fining guidance, published on March 18, 2024, might sound familiar to veterans of other regulatory fining guidelines.

08 April 2024

Publication

The Information Commissioner’s Office’s (‘ICO’) new data protection fining guidance, published on March 18, 2024, might sound familiar to veterans of other regulatory fining guidelines. While this guidance does not appear to represent a change of approach by the ICO, it is designed to offer transparency and clarity about how it uses its fining power, and indeed within the guidance there are some important clarifications worth noting. This guidance is the result of a consultation process and replaces the previous sections on penalty notices in the ICO Regulatory Action Policy from November 2018.
If you are interested, reading the guidance in full will be valuable, but until you get around to doing that, our main observations are:

  • Penalty Issuance Criteria: The ICO will assess the seriousness of an infringement based on its nature, gravity, duration, whether it was intentional or due to negligence, and the categories of personal data affected. Other considerations include any mitigating actions taken, previous infringements, cooperation with the ICO, and the effectiveness, proportionality, and dissuasiveness of a fine.
  • Fine Calculation Methodology: A five-step approach will be used, starting with assessing the infringement’s seriousness, considering the organisation’s turnover (especially for larger entities), determining a starting point for the fine based on seriousness and turnover, adjusting for aggravating or mitigating factors, and ensuring the fine meets the objectives of effectiveness, proportionality, and dissuasiveness.
  • When assessing seriousness and the categories of personal data affected, as well as UK GDPR mandated special category and criminal offence data, the ICO will also pay particular attention to data included in private communications, state-issued ID, location data and financial data (amongst other things).
  • As well as fines arising out of data breaches, the ICO may also fine in circumstances where a business has not responded adequately to an information request or has not complied with an enforcement notice. The level of fine may also be affected by other types of interaction with the ICO: if action is taken by a business to address and ameliorate any damage done as a result of a data breach before the ICO starts its investigation, this may reduce the level of fine. Similarly, an aggravating factor is likely to be if the ICO finds out about a breach other than from the data controller / processor.

The ICO emphasizes the importance of organisations prioritising data protection, staying informed about regulation updates, conducting regular risk assessments, investing in employee training, implementing robust security measures, engaging legal counsel when necessary, and maintaining thorough documentation of compliance efforts.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.