How does the ICO decide on what fines to issue?

The maximum fine under UK GDPR and the Data Protection Act 2018 is £17.5m or 4% of an organisation’s total worldwide annual turnover in the preceding financial year, whichever is higher.

The largest fine issued by the ICO to date is £20m in relation to a data breach.

When it carries out the assessment of whether it is appropriate to issue a penalty, the ICO will have regard to:

  1. The seriousness of the infringement:

a) The nature, gravity and duration of the infringement

b) Whether it was intentional or negligent

c) The categories of personal data affected

  2. Relevant aggravating or mitigating factors:

a) Mitigating actions

b) The degree of responsibility the organisation has for the infringement

c) Whether there have been relevant previous infringements

d) Degree of co-operation with the ICO

e) How the ICO came to know of the infringement

f) Other aggravating/mitigating factors such as financial benefits gained/losses avoided, or co-operation with relevant bodies (e.g. the National Cyber Security Centre in the case of a cyber security breach)

g) Compliance with any previous measures ordered in relation to the same subject matter

h) The organisation’s adherence to codes of conduct/approved certification mechanisms

  3. Effectiveness, proportionality and dissuasiveness

In this respect, the ICO states that the fine needs to achieve the objective of ensuring compliance, of providing an appropriate sanction, or both. The fine must not exceed what is appropriate and necessary in the circumstances to meet those objectives, and it must act as a genuine deterrent to future non-compliance.

Even after an infringement has taken place there are opportunities to reduce the level of any fine. Taking time to assess the infringement and acting promptly to mitigate any damage caused, notifying the ICO of a reportable breach within the statutory 72 hours of becoming aware of it, and co-operating fully with the ICO should all be high priorities.

The ICO has been pursuing a slightly different policy in respect of public sector organisations, where fines are issued in only the most egregious cases. This is currently being reviewed.
