The Information Commissioner’s Office (“ICO”) has published new guidance setting out how it decides to issue penalties and calculate fines.

The Guidance is a detailed document, which not only sets out the five-step approach for calculating the amount of any fine, but also the circumstances in which it would be appropriate to issue a penalty notice in the first place. In doing so, it builds on the factors that are already outlined in the relevant legislation (such as Article 83(2) UK GDPR) to which the Commissioner must have regard, including: the nature, gravity and duration of the infringements; any action taken to mitigate damage suffered by data subjects; and the categories of personal data affected by the infringement.

The Guidance states that each case will be assessed on an individual, fact-specific basis before deciding if it is appropriate to issue a penalty notice as well as, or instead of, other corrective measures (such as imposing an enforcement notice). Whilst the Commissioner is not bound by previous decisions, the ambition is to ensure that there is “broad consistency” when assessing whether to issue a penalty notice.

Factors the Commissioner will consider when determining whether to issue a penalty notice

The Guidance identifies three factors that the Commissioner will consider when determining whether to issue a penalty notice, with detailed guidance on each:

(1) The seriousness of the infringement

The Commissioner will assess the nature, gravity and duration of the infringement, considering the context and characteristics of the processing by the controller or processor. If the nature of the processing is likely to result in high risk to data subjects (such as automated decision-making or the use of biometric or genetic data) the Commissioner may give more weight to this. The same is true if the scale and scope of processing is particularly large, if there is a clear imbalance of power between data subjects and controller, or the processing involves the personal data of children or vulnerable people.

The seriousness of any infringement will also be gauged by reference to the number of data subjects affected, which includes not only those actually affected by the infringement, but also the number of data subjects potentially affected. Equally relevant is the duration of the infringement, the category/ies of personal data affected, and the level of damage suffered (physical, material or non-material) both by individual people and to society: the Guidance points out that an infringement could affect a large number of people in a relatively minor way, but “may result in a high degree of damage in aggregate and give rise to wider harm to society”.

The Commissioner will also consider whether the infringement was intentional or negligent, with the former giving rise to a higher likelihood of a penalty notice. The Guidance suggests that the Commissioner may conclude that an infringement is intentional where senior management authorised the unlawful processing or a controller/processor carries out the processing despite being advised otherwise or in contravention of existing internal policies.

(2) Any relevant aggravating or mitigating factors

Having assessed the seriousness of the infringement, the Controller will ask what has been done (if anything) by the controller or processor to mitigate the damage suffered by data subjects, asking not only if measures were taken, but also if they in fact had any effect. Also relevant is whether the measures were implemented prior to the Commissioner beginning an investigation. On a similar note, the Commissioner may view a controller or processor bringing an infringement to the Commissioner’s attention of its own volition as a mitigating factor. Equally, notwithstanding that the ordinary duty of cooperation is required by law, the Commissioner may view cooperation with it as a mitigating factor should it enable the enforcement process to be conducted significantly more quickly or effectively, or significantly limit the harmful consequences for people’s rights and freedoms that might otherwise have occurred. The same is true as regards other appropriate bodies in the context of a cyber security breach: if a controller or processor pro-actively notifies such a body (for example the National Cyber Security Centre) this may be a mitigating factor.

The Commissioner will have regard to the extent to which any previous infringements by a controller or processor may be an aggravating factor, with previous infringements concerning a similar subject matter or arising in a similar manner given particular weight. Additional aggravating factors may also be the failure by a controller or processor to comply with measures previously ordered under Article 58(2) UK GDPR concerning the same subject manner, failing to comply with an approved code of conduct, or deriving economic or financial benefit as a result of the infringement.

(3) Effectiveness, proportionality, and dissuasiveness

The Guidance recognises that there is a degree of overlap between the concepts of effectiveness, proportionality, and dissuasiveness, all of which are contained in section 155 DPA 2018. It states that the Commissioner will first consider whether a penalty notice is effective and dissuasive (i.e. it ensures compliance with data protection, provides an appropriate sanction, and/or deters future non-compliance) before considering whether it is proportionate. Proportionality will be gauged by reference to the seriousness of the infringement, the harm or other impact on data subjects, and the controller or processor’s size and financial position, with the Guidance recognising that “in considering whether issuing a penalty notice and the fine amount is effective, proportionate and dissuasive, the Commissioner will have regard to the desirability of promoting economic growth… However, the Commissioner is mindful that the growth duty does not legitimise non-compliance with data protection law. Non-compliant activity or behaviour undermines protections to the detriment of people as both data subjects and consumers. It also harms the interests of legitimate businesses that are working to comply with data protection law, which disrupts competition and acts as a disincentive to invest in compliance”.

Calculation of the appropriate amount of the fine

The Guidance sets out a five-step approach to calculating the amount of any fine:

• Assessment of the seriousness of the infringement;
• Accounting for turnover (where the controller or processor is part of an undertaking);
• Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking;
• Adjustment to take into account any aggravating or mitigating factors; and
• Assessment of whether the fine is effective, proportionate and dissuasive.

Whilst the Guidance states that the five-step approach is not intended to be “mechanistic” and that the overall assessment of the appropriate fine involves “evaluation and judgement, taking into account all the relevant circumstances of the individual case”, the Guidance nonetheless contains a series of helpful tables which give an indication of how the level of fines may be arrived at, broken down by the seriousness of the infringement and the turnover of a company.

The Guidance can be read in full here.