On 18 March, the ICO published new guidance on how it decides to issue penalties and calculate fines in relation to breaches of the UK GDPR and Data Protection Act 2018. 

It replaces previous sections in the Regulatory Action Policy from back in 2018. The guidance is substantial and details step by step what the ICO takes into consideration, whilst making it clear that it will always consider the particular circumstances of each breach. It will serve as a useful guide to organisations to better understand and quantify any monetary enforcement the ICO may take in a particular case

A few key points covered include:

• Considerations when issuing a penalty notice may include the seriousness, nature and duration of the breach, what personal data is affected and whether there was any intention or negligence;
• Details on the maximum fining amounts and clarity on what is classed as an undertaking (which is generally broad);
• If there is more than one breach caused by the same processing activity then the overall fine is still subject to the maximum statutory amount that applies to the most serious breach; and
• The methodology in which it’ll calculate a fine is a 5 step assessment of: (1) the seriousness of the breach; (2) considering turnover if an undertaking; (3) calculating the starting point based on (1) and (2); (4) taking into account aggravating or mitigating factors; and (5) finally, any adjustments to ensure it is effective, proportionate and dissuasive.

In setting out this guidance the ICO fulfils its statutory obligation to provide information about how it issues penalties with the overall aim to provide greater certainty and clarity on how it reaches decisions.  We’ve seen increasing enforcement from the ICO and so this guidance should be helpful to organisations to better understand the decision making and thought process behind  any potential enforcement.

If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.