The Information Commissioner’s Office (ICO) ensures that organisations in the UK follow the latest data protection rules. It has the power to impose substantial fines on organisations that don’t take their data protection responsibilities seriously, but it doesn’t always issue a fine if an organisation gets something wrong.
In Data Protection Fining Guidance (currently in draft format), the ICO has outlined its process for determining whether to punish companies that have failed to safeguard personal data. The guidance looks at:
- The legal framework that gives the ICO the power to impose fines
- The circumstances in which the ICO would consider it appropriate to issue a fine
- How the ICO calculates the appropriate amount of the fine.
In this blog, we look at these in more detail.
The legal framework
Two critical pieces of legislation govern data protection in the UK*.
- The UK General Data Protection Regulation (UK GDPR) is the UK’s version of the European Union’s General Data Protection Regulation (GDPR). UK GDPR continues to apply in the UK after Brexit.
- The Data Protection Act 2018 (DPA) is a UK-specific law. It supplements the UK GDPR and provides additional provisions in areas where the GDPR allows for member state discretion.
The ICO can impose a fine if satisfied that an organisation has breached the UK GDPR or the DPA. For example, when an organisation:
- Processed (collected, used, stored, or shared) personal data incorrectly
- Breached an individual’s (or a group of individuals) data protection rights
- Failed to comply with its data protection obligations
- Failed to comply with the principles for transfers of personal data outside the UK.
The guidance also outlines the maximum fines the ICO can issue for data protection failures.
- The standard maximum amount is £8.7 million. Or, where a business is a subsidiary of a parent company, either £8.7 million or 2% of the parent company’s total worldwide annual turnover in the preceding financial year.
- The higher maximum amount is £17.5 million. Or, where a business is a subsidiary of a parent company, either £17.5 million or 4% of the parent company’s total worldwide annual turnover in the preceding financial year.
Due to precedents in UK and EU law, the maximum amount the ICO can fine is only calculated by turnover percentage if the parent company’s gross revenue exceeds:
- £435 million in relation to the standard maximum amount (the 2% percentage figure applies)
- £437.5 million in relation to the higher maximum amount (the 4% percentage figure applies).
When it is appropriate to issue a fine
The ICO looks at each data protection breach on a case-by-case basis. But it does aim to be consistent when considering whether to issue a fine. Factors the ICO will look at when making its decision include:
- The nature, gravity, and duration of the breach (or breaches)
- The type of data compromised
- Whether the breach was intentional or negligent
- The degree of responsibility taken by the organisation (e.g. technical and organisational measures implemented)
- Any relevant previous infringements, including where the organisation has been subject to orders following similar breaches and its compliance with those orders (this is a new criterion)
- How the organisation responded to the security violation
- The degree of cooperation with the ICO following the breach
- Any action taken to mitigate the possible adverse effects experienced by victims of the breach
- Any other aggravating, relevant, or mitigating factors.
Interestingly, while aiming for consistency, the ICO states it will not be bound by previous decisions. This gives the regulator considerable discretion and flexibility when deciding what action to take. This is evidenced by the ICO’s recent decision not to continue its investigation into the EasyJet hack because of its “limited legal and investigative resources”, despite having previously issued a £20 million penalty against British Airways for a similar data protection failure.
The amount of the fine
If the ICO decides to issue a fine, it will calculate the amount of this penalty by applying the following five-step approach:
- Assessing the seriousness of the infringement
- Accounting for turnover where relevant (if the offending company is a subsidiary of a parent company)
- Calculating an appropriate penalty amount
- Adjusting this figure to take into account any aggravating or mitigating factors
- Assessing whether the fine amount is effective, proportionate, and dissuasive.
Once an appropriate fine amount is established, in exceptional circumstances, the ICO may reduce the penalty if the offending organisation cannot pay the total due to its financial position.
We welcome the clarity provided by the ICO in its latest guidance. In particular, we believe that the risk of being issued with a fine based on turnover will incentivise large parent corporations to ensure that all their businesses adhere to the UK’s data protection laws, as the risk of one falling short could harm all.
At the same time, the mix of fixed amount and turnover based penalties will ensure that smaller organisations are not disproportionately affected by any fines issued. However, in some cases, deciding whether to impose fines, and if so at what level, could still prove problematic. And it may be difficult to accurately assess the potential ‘dissuasiveness’ of fines, particularly with large global corporates. In many cases the use of turnover in calculating fines may not accurately reflect either the size of the organisation, or their ability to pay.
We appreciate the ICO’s revised approach to investigate and, where necessary, reprimand those businesses who have accrued multiple data protection infringements. This is a welcome change that will raise standards to the benefit of all. It should also make it easier for claimants to secure justice and compensation against organisations that have a history of data protection failures.
Overall, we believe that the ICO has established a proportionate and balanced approach that should encourage organisations to uphold their data protection responsibilities, and better protect the rights of individuals. As such, we believe the changes will be broadly welcomed.
*The Privacy and Electronic Communications Regulations 2003 (PECR) offer additional privacy rights in relation to electronic communications