On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance will subsequently be laid before Parliament for approval.
The guidance sets out a “nine-step mechanism” for calculating proposed monetary penalties, as follows:
| Step | Title | Description |
|---|---|---|
| 1. | Assessment of seriousness considering relevant factors under section 155 DPA 2018 | The considerations applied here are well known and replicate those of Article 83(2) of the GDPR: for example, the nature, gravity and duration of the infringement, any action taken to mitigate the damage, the level of cooperation with the ICO, the categories of personal data, previous data protection failures, etc. |
| 2. | Assessment of degree of culpability of the organisation concerned | The degree of culpability of the organisation will be considered, i.e. the level of fault of the controller or processor. This will be determined by the ICO’s assessment of the organisation’s technical and organisational measures. The ICO will also take into account the intentional or negligent character of the incident. |
| 3. | Determination of turnover | The ICO will review the relevant accounts and obtain expert financial or accountancy advice if required, to determine the amount of turnover. In circumstances where turnover or equivalent is minimal, the ICO will give greater weight to the factors considered in the other steps. |
| 4. | Calculation of an appropriate starting point | The ICO will then agree a starting point for the calculation of the penalty (using a matrix – see Image 1) based on the seriousness of the breach and the degree of culpability. The appropriate percentage is then applied to the turnover or equivalent (as determined at step 3). For example: a breach of seriousness level ‘low’ combined with a degree of culpability of ‘low/no’ could result in an appropriate percentage of 0.125% being applied to the relevant turnover; a breach of seriousness level ‘very high’ combined with a degree of culpability of ‘intentional’ could result in an appropriate percentage of 3% being applied to the relevant turnover. |
| 5. | Consideration of relevant aggravating and mitigating features | The ICO will then consider any other aggravating and mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach. This could increase or decrease the Step 4 figure, depending on the circumstances. |
| 6. | Consideration of financial means | The ICO will then consider the likelihood of the organisation being able to pay the proposed penalty and whether it may cause undue financial hardship. This will be particularly important if an organisation’s ability to pay is unclear or there has been a recent change in its financial, trading or competitive status. |
| 7. | Assessment of economic impact | The ICO must consider the desirability of promoting economic growth when exercising its regulatory functions and must ensure that it only takes regulatory action when it is needed. Where appropriate, it must consider any economic impact on the wider sector. |
| 8. | Assessment of effectiveness, proportionality and dissuasiveness | The ICO will ensure that the amount of the fine proposed is effective, proportionate and dissuasive, and will adjust it accordingly. |
| 9. | Early payment reduction | The ICO will reduce the monetary penalty by 20% if it receives full payment of the monetary penalty within 28 calendar days of sending the notice. |
Whilst only in draft form, this guidance provides welcome clarity as to the ICO’s methodology when calculating fines.
Step 4, ‘calculation of an appropriate starting point’, is novel and will be particularly helpful for organisations in mapping their incident, and the factors specific to them, against the ICO’s sliding-scale matrix.
Step 7 further offers some comfort in the current economic circumstances: the ICO will also have to consider the desirability of promoting economic growth, and the impact on the wider sector, when calculating any penalty.
Our blog post on Germany’s model for GDPR fines can also be found here.
Image 1 – Step 4 Matrix