The ICO has issued guidance on how it decides when to issue fines and how the amount of these fines is decided.
Some of the guidance is simply a restatement of the legal framework, but it also looks at the factors taken into account in deciding whether to issue a penalty and in setting its amount.
There is also information on what constitutes an undertaking for the purposes of fining, and on how the Commissioner will approach situations where more than one infringement arises from the “same or linked” conduct, including how the Commissioner will determine whether the conduct is “the same or linked”.
As an interesting aside, when discussing the categories of data affected by an infringement (in the context of whether to issue a fine), the ICO gives the following examples of “particularly sensitive” data, in addition to special category data:
- location data
- private communications (particularly those involving intimate details or confidential information about the data subject)
- passport or driving licence details
- financial data
The full guidance can be found here.