The ICO Publishes Guidance on How It Calculates Data Protection Fines

Data protection
Written By Nathalie Pouderoux

The ICO has published new guidance outlining how it calculates data protection fines. The aim is to provide more transparency and clarity on how companies will be fined if they breach the GDPR.

What Will the ICO Take Into Account When Deciding the Amount of a Penalty?

When determining the amount of a penalty, the ICO considers various factors outlined in the UK GDPR and the Data Protection Act 2018. These factors include the nature, gravity, and duration of the infringement, alongside assessing whether it was intentional or negligent. 

The ICO also examines efforts made by the controller or processor to mitigate damage to data subjects, as well as their degree of responsibility and any previous infringements. Cooperation with the Commissioner, adherence to codes of conduct or certification mechanisms, and notification of the infringement are also taken into account. Additionally, compliance with previous orders and any other aggravating or mitigating factors, such as financial gains or losses, are considered. Overall, the ICO aims to ensure that penalties imposed are effective, proportionate, and dissuasive in each unique case.

What Is the Process of Calculating GDPR Breaches?

The process of calculating a fine for a GDPR breach involves a structured five-step approach. Firstly, the seriousness of the infringement is assessed. Then, turnover is taken into account if the controller or processor is part of an undertaking. After that, the starting point for the fine is calculated, considering both the seriousness of the infringement and, if applicable, the turnover of the undertaking. Following this, adjustments are made to reflect any aggravating or mitigating factors. Finally, the fine is evaluated to ensure it is effective, proportionate, and dissuasive. 

Serious Assessment

When assessing the seriousness of an infringement for GDPR purposes, the Commissioner follows a structured approach to determine an appropriate starting point for the fine. This starting point is based on categorising the infringement according to its degree of seriousness and applying a percentage of the relevant statutory maximum. Three categories are used: high, medium, and low degrees of seriousness, each with corresponding percentage ranges of the legal maximum. 

The assessment considers factors such as the nature, gravity, and duration of the infringement, as well as whether it was intentional or negligent, and the categories of personal data affected. Generally, the more serious the infringement, the higher the starting point within the relevant category. The assessment is expressed as a percentage of the relevant statutory maximum, ensuring consistency in determining the starting point. This method enables the Commissioner to establish a fair and proportional approach to fines, taking into account the specific circumstances of each case. See the breakdown of the fines based on seriousness here

Effective, Proportionate and Dissuasive

When determining fines for GDPR breaches, the Commissioner aims for penalties that are effective, fair, and discourage future violations. This involves carefully assessing each case to ensure the fine encourages compliance with data protection laws and appropriately penalises the breach. 

The Commissioner considers whether the fine is enough to deter the offending party from repeating the offense, taking into account its size and financial status. Additionally, fines may be increased to deter others from similar violations in the future. 

Proportionality is also crucial, with fines tailored to fit the severity of the breach and other relevant factors. While financial difficulties may be considered, they cannot be the sole reason to avoid fines, as this would undermine the purpose of the law. This guidance ensures a consistent yet flexible approach to imposing fines, promoting accountability and deterrence in data protection.

What Are the Maximum Fines for GDPR Breach?

The maximum fines for GDPR infringements vary depending on whether the controller or processor is considered an 'undertaking' (such as a subsidiary of a parent company). For standard cases, the maximum fine stands at £8.7 million. 

However, for undertakings, the fine is calculated as the higher of £8.7 million or 2% of the total worldwide annual turnover in the preceding financial year. In more severe cases, the maximum fine increases to £17.5 million, or the higher of £17.5 million or 4% of the undertaking's total worldwide annual turnover. 

Notably, these percentage-based calculations apply only when an undertaking's total worldwide annual turnover exceeds £435 million for the standard maximum amount or £437.5 million for the higher maximum amount.

Comparing EDPB and ICO Guidelines

Both the European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO) have established guidelines for determining the severity of fines imposed on organisations for GDPR infringements. 

Post-Brexit, the UK GDPR remains aligned with the EU GDPR, ensuring consistency in the maximum fines and factors considered for issuing penalty notices. Both the EDPB and ICO guidelines emphasise factors such as the nature, scope, and purpose of processing, the number of data subjects affected, and the level of damage suffered. Notably, both entities consider innovative technology applications, automated decision-making, and the processing of biometric or genetic data as high-risk operations warranting increased scrutiny.

Both the EDPB and ICO guidelines stress the significance of assessing the gravity of infringements. The ICO, like the EDPB, evaluates factors such as the imbalance of power between data subjects and controllers, the involvement of children's or vulnerable people's data, and the potential harm caused by the infringement. Notably, the ICO identifies specific types of processing operations and potential harms, providing insights into areas of enforcement priority.

The ICO and EDPB guidelines recognise that data subjects can suffer different types of harm, such as physical, economic, reputational, or psychological. They understand that quantifying harm isn't always essential, but they acknowledge that harm can have broader societal impacts, especially when many data subjects are affected.

The ICO aims for consistency in issuing penalties but also stays flexible, meaning it isn't always tied to past decisions. This approach helps it adjust to changing regulations while still keeping some continuity.

While the EDPB and ICO guidelines share many similarities in determining GDPR fines, subtle differences exist, reflecting specific regulatory contexts and enforcement priorities. Organisations must carefully consider these factors to ensure compliance and mitigate the risk of significant penalties. 

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.

Nathalie Pouderoux
Previous

Germany Considers Banning TikTok Over Privacy Concerns
Next

The UN Agrees on Global AI Rules