Following the threat of significantly larger penalties since 2018 (the enhanced fines under the General Data Protection Regulation as compared to the legislation that went before), companies have asked us time and time again, “what is my financial risk for data protection non-compliance in the UK?”

The publication of the Information Commissioner’s Office’s new fining guidance offers some clarity on this question, including a published methodology that the ICO will use to calculate any fine it decides to impose.

We are pleased to have contributed to the shaping of aspects of the new guidance following our consultation submission, which has been published here.

About the guidance

In accordance with its statutory duty, the Information Commissioner’s Office (“ICO”) has published new data protection fining guidance (the “Guidance”) with the intention of mapping out how regulatory enforcement fines are to be calculated going forward. Whilst the headline fines under the GDPR are well understood by the market, the methodology previously deployed by the ICO was less clear, and it is only with the passage of time that trend analysis could be undertaken on the ICO’s enforcement actions.

The new guidance provides welcome detail to help organisations place more confidence in their actions and the potential consequences of data protection risk decisions that may be taken.

When would a fine be considered?

The ICO has confirmed that when deciding whether to issue a penalty notice, it will review the facts of each case and consider:

  1. the seriousness of the infringement or infringements;
  2. any relevant aggravating or mitigating factors; and
  3. whether imposing a fine would be:
    1. effective;
    2. proportionate; and
    3. dissuasive.

Further details on each circumstance are set out below.

A. Seriousness: this is determined by a consideration of a number of factors broken down as follows.

  1. The nature (e.g. whether the standard or higher maximum fine is applicable), gravity (i.e. the nature, scope and purpose of processing, the number of data subjects involved, and the level of damage suffered) and duration of the infringement.
  2. Whether it was intentional or negligent.

    • Intentional: senior management authorised the unlawful processing; or the processing was undertaken despite advice about the risks involved, or with a disregard of its internal policies.
    • Negligent: whether a controller/processor has breached the duty of care required by law. Any assessment of a breach would include assessing evidence of the following factors:

      • failing to create data protection policies;
      • failing to read and abide by its existing data protection policies (or, where relevant, with a code of conduct or certification applicable);
      • human error, particularly where the person (or people) involved had not received adequate training on data protection risks;
      • failing to check for personal data in information that is published or otherwise disclosed; or
      • failing to apply technical updates in a timely manner.
  3. The categories of personal data affected. The ICO will consider infringements relevant to the processing of special category data, criminal convictions and offences data, and personal data falling within the definitions of ‘sensitive processing’, as particularly serious. The ICO also considers data categories likely to cause damage or distress to data subjects as particularly serious, such as: location data, private communications (intimate or confidential information), passport or driving licence details, or financial data.

The ICO acknowledges that assessing these various factors involves a degree of repetition, which it believes reflects the way the legislation is drafted and the fact that it needs to consider all relevant factors when: (i) deciding whether to impose a fine; and (ii) determining the amount of the fine.

B. Relevant aggravating or mitigating factors: Once the ICO has assessed the seriousness of the infringement, it will then consider whether there are any aggravating or mitigating factors.

  • Mitigation – the ICO will be looking for evidence of the controller/processor having tried to effectively mitigate the harmful consequences of the infringement on the data subjects involved and the level of impact which that action had on the data subjects. The ICO will also give due consideration to measures in place prior to any investigation or the ICO otherwise becoming aware of the infringement.
  • Degree of responsibility – the ICO will consider the extent of what the controller/processor did considering its size and resources; and the nature and purpose of the processing. The ICO will be assessing any shared responsibility between controllers or between controllers and processors.
  • Previous infringement or measures previously ordered – the ICO will give greater weight to infringements which have been of a similar nature or infringements which occurred recently. The ICO will also have regard for compliance measures it has previously ordered concerning the same subject-matter.
  • Cooperation with the ICO – the starting point is that controllers/processors are expected to cooperate with the ICO and should respond to requests for information where possible; performing the minimum is therefore unlikely to be seen as a mitigating factor by the ICO. However, cooperating in a way that enables the enforcement process to be concluded more effectively, or that significantly limits the harmful consequences for people’s rights and freedoms, will be viewed favourably.
  • How the ICO became aware – the extent to which the controller or processor notified the ICO about the infringement. This may be regarded as a mitigating factor if the notification was made of its own volition and the ICO was previously unaware. This does not apply to statutory obligations to notify (e.g. Art. 33 UK GDPR). If the ICO finds out about an infringement from a complaint, the media or its own intelligence, this will usually be considered a neutral point.
  • Codes of conduct or certification mechanisms – Adhering to approved codes of conduct or approved certification mechanisms will be given due regard. However, failure to meet the standards signed up to may be considered an aggravating factor.
  • Other aggravating or mitigating factors – any economic or financial benefit obtained, or losses avoided, as a result of the infringement; and any action the controller/processor took proactively to report a breach to other appropriate bodies, such as the National Cyber Security Centre, and whether any subsequent advice issued was followed.

We unsuccessfully argued in our submission to the ICO that the Guidance reads like there is an imbalance between aggravating and mitigating factors. For example, a demonstrable history of compliance (an unblemished record supported by evidence) was not accepted to be a mitigating factor, despite previous infringements being considered as an aggravating factor. Nevertheless, proactive technical and organisational measures in place would factor into other mitigating measures set out above.

C. Effectiveness, proportionality and dissuasiveness:

  1. To be effective, the fine should help ensure compliance with data protection legislation and/or provide appropriate sanctions for infringement;
  2. Proportionate means the fine does not exceed what is appropriate and necessary. It shows that the Commissioner has considered all the relevant circumstances, including:

    • the seriousness of the infringement,
    • the harm or other impact on data subjects, and
    • the size and financial position of the controller/processor; and
  3. To be dissuasive, the fine should be a genuine deterrent to future non-compliance (both specific to the infringing controller/processor and generally as a message to the market).

For reasons of certainty, it is potentially unhelpful that the ICO has expressed its desire to maintain a significant degree of discretion at this stage of the fine setting process (both with respect to whether to impose a fine and the calculation of the level of the fine). Whilst the ICO states it will seek to ensure there is broad consistency, it remains to be seen how well this works in practice. Further, we have highlighted that the Guidance sets out that proportionality is a secondary analysis and only considered after it has been confirmed that the penalty would be effective and dissuasive. We submitted to the ICO that this represented a two-step process that went beyond the UK GDPR and could lead to unintended consequences.

Calculating the fine

If the decision is taken to issue a penalty notice, then the fine amount will be calculated by following five steps:

  1. Assessment of the seriousness of the infringement – looking at A. above, the ICO will determine a starting point for all fines based upon the seriousness of the infringement. The starting point will vary between:

    • serious infringements: the fine will be between 20% and 100% of the legal maximum;
    • infringements with a medium degree of seriousness: the fine will be between 10% and 20% of the legal maximum; and
    • infringements with a lower degree of seriousness: the fine will be between 0% and 10% of the legal maximum.
  2. Accounting for turnover – the ICO will then review the undertaking’s total worldwide annual turnover in its previous financial year (or, where the controller/processor is not an undertaking, the ICO will review the assets, funding or administrative budget of the entity) and adjust the fine amount indicated by the calculation of the seriousness of the infringement. An undertaking that has an annual turnover of over £435 million is potentially exposed to fines of up to 4% of annual global turnover (so the statutory maximum). The adjustment applied will mean that undertakings with a relatively low turnover are exposed to a mere fraction of the statutory maximum: for example, an undertaking with turnover of up to £2 million should receive a penalty of up to 0.4% of the sum indicated by the “seriousness of infringement” figure derived from Step 1. The adjustment downward can be significant.
  3. Calculation of the starting point – the ICO will then calculate the starting point in one of two ways (depending on the outcomes of step 1 and step 2):

    • If the statutory maximum is a fixed amount, then: [statutory maximum amount (fixed)] x [adjustment for seriousness] x [turnover adjustment]; or
    • If statutory maximum is turnover based, then: [turnover] x [statutory maximum amount (percentage)] x [adjustment for seriousness].
  4. Adjustment to take into account any aggravating or mitigating factors – looking at Section B. above, the ICO will consider whether aggravating / mitigating factors should warrant an increase or decrease in the level of the fine.
  5. Assessment of whether the fine is effective, proportionate and dissuasive – looking at Section C. above, the ICO will also seek to ensure the fine does not exceed the statutory maximum amount.

In our submission, we proposed to the ICO to consider taking account of the Competition and Markets Authority’s (CMA) method of calculation for fines, where a specific step dedicated to settlement discounts is included. We suggested that the Commissioner adopt a similar stance to the CMA and permit organisations to engage in formal settlement discussions, permitting a discount for any settlement where the infringing party admits its participation in the infringement. It is worth noting that the ICO welcomed the suggestion about introducing a formal settlement policy and offering a reduction in fines on that basis, and although it was ultimately outside of the Guidance, it will look to mirror this approach in the future.

We were also troubled by the approach in the draft guidance as to how the ICO approached the concept of an undertaking. We note that, in response to our submission, the Guidance is now much more detailed as to the approach that the ICO will take to determining whether a parent company has decisive influence over a subsidiary and therefore whether the turnover of the parent company itself should be taken into account.

We also note the amendment made by the ICO following consideration of the submissions to reflect that steps taken to mitigate damage to data subjects following a personal data breach are a mitigating factor when it comes to calculating the penalty.

Concluding remarks

Between 2019 and 2024 the fines issued by the ICO have varied significantly, with the value contained in the notice of intent provided by the ICO often differing from the final amount ultimately levied against the organisation. The Guidance now provides a clearer reference point which companies can refer to and overlay into their risk documentation – particularly where financial risk is assessed. This will help build out risk analyses and add further clarity on what amount of fine any data protection infringement discovered by an organisation could attract. Though, as referenced above, there is still a residual challenge given the inherent discretion that remains.

Should you wish to discuss any matter contained within this article, please reach out to the authors or your regular data protection point of contact.