New fining guidance published by the Information Commissioner’s Office

The Information Commissioner’s Office (ICO) has released some new data protection fining guidance showing how it decides to issue penalties and calculate fines.

A consultation on the guidance took place last year and the new guidance provides greater transparency on how the ICO uses its power to fine.

The sections about penalty notices in the ICO Regulatory Action Policy are replaced by the new guidance.

The guidance sets out the infringements for which the ICO can impose a fine as well as the factors that the ICO will take into account when deciding whether to issue a penalty notice and in determining the amount.

It also sets out the five steps that the ICO takes in calculating the amount of a fine. These are:

Step 1 – Assess the seriousness of the infringement

Infringements with a high degree of seriousness will have a starting point of between 20% and 100% of the legal maximum. A medium degree of seriousness will start between 10% and 20%, and a lower degree of seriousness will have a starting point between 0% and 10%.

Step 2 – Account for turnover

Since the statutory maximum fine amounts apply to all organisations regardless of size, the ICO will consider the turnover of the organisation in question to see whether the starting point should be adjusted. The guidance sets out what adjustments would be made for varying levels of turnover.

Step 3 – Calculate the starting point

Based on the outcome of the first two steps, the ICO will then calculate what the starting point for the fine will be. The guidance provides a table of indicative ranges.

Step 4 – Consider aggravating and mitigating factors

The ICO will then consider if there are any aggravating or mitigating factors that would warrant an increase or decrease in the level of fine that has been calculated.

Step 5 – Any adjustments to ensure the fine is effective, proportionate and dissuasive

Finally, the ICO would consider the circumstances of the case to assess whether the figure arrived at is effective, proportionate and dissuasive, and is no more than the statutory maximum amount. An adjustment to the fine amount may be made as a result.

To review the guidance, please see: https://ico.org.uk/about-the-ico/our-information/policies-and-procedures/data-protection-fining-guidance/
