New fining guidance published by the Information Commissioner’s Office
The Information Commissioner’s Office (ICO) has published new data protection fining guidance setting out how it decides whether to issue a penalty notice and how it calculates the amount of a fine.
The guidance was the subject of a consultation last year and is intended to give organisations greater transparency about how the ICO uses its power to fine.
The sections about penalty notices in the ICO Regulatory Action Policy are replaced by the new guidance.
The guidance sets out the infringements for which the ICO can impose a fine as well as the factors that the ICO will take into account when deciding whether to issue a penalty notice and in determining the amount.
It also sets out the five steps that the ICO takes in calculating the amount of a fine. These are:
Step 1 – Assess the seriousness of the infringement
Infringements with a high degree of seriousness will have a starting point of between 20% and 100% of the legal maximum. A medium degree of seriousness will have a starting point of between 10% and 20%, and a lower degree of seriousness will have a starting point of between 0% and 10%.
Step 2 – Account for turnover
Since the statutory maximum fine amounts apply to all organisations regardless of size, the ICO will consider the turnover of the organisation in question to decide whether the starting point should be adjusted. The guidance sets out the adjustments that would be made for varying levels of turnover.
Step 3 – Calculate the starting point
Based on the outcome of the first two steps, the ICO will then calculate what the starting point for the fine will be. The guidance provides a table of indicative ranges.
Step 4 – Consider aggravating and mitigating factors
The ICO will then consider whether there are any aggravating or mitigating factors that would warrant an increase or decrease in the level of fine calculated so far.
Step 5 – Any adjustments to ensure the fine is effective, proportionate and dissuasive
Finally, the ICO will consider the circumstances of the case to assess whether the figure arrived at is effective, proportionate and dissuasive, and that it does not exceed the statutory maximum. The fine amount may be adjusted as a result.
To review the guidance, please see: https://ico.org.uk/about-the-ico/our-information/policies-and-procedures/data-protection-fining-guidance/