Insights UK Information Commissioner’s Office (“ICO”) launches consultation on draft data protection fining guidance


The ICO is responsible for monitoring and enforcing UK GDPR and the Data Protection Act 2018 (“DPA”). The ICO may issue fines for failure to comply with certain provisions of UK GDPR and the DPA including those relating to the principles of processing, rights conferred on data subjects, obligations placed on controllers and processors, including the requirement to notify a personal data breach to the ICO, and the principles for transfers of personal data outside the UK. The ICO can also impose a fine for failure to comply with the requirements under the DPA relating to information, assessment and enforcement notices.

The DPA requires the ICO to produce and publish guidance explaining how the ICO would consider it appropriate to issue a penalty notice and how it would determine the amount of any fine.

The numerous factors to be considered when exercising the ICO’s discretion to issue a penalty notice and determine a fine are set out in the legislation. A large part of the Guidance explores what these factors mean in practice. First, the ICO will consider the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the categories of personal data affected.  For example, in looking at the nature of the processing, the ICO will give more weight where there is a clear imbalance of power between the controller and data subject, or where the processing involves the personal data of children or other vulnerable people.

Second, the ICO will consider any aggravating or mitigating factors. For example, the ICO will consider previous infringements as a potential aggravating factor but points out that the absence of previous infringements will not be a mitigating factor. Failure to comply with an approved code of conduct of which the controller is a member could be an aggravating factor, whereas proactive reports of cyber security breaches (e.g. to the UK National Cyber Security Centre) could be a mitigating factor where cooperation goes beyond legal requirements.

Finally, the ICO will consider whether issuing a penalty notice is effective, proportionate and dissuasive. In addition to the need to deter the data controller that is the subject of the notice and fine, there is a need to deter others from committing the same infringement. Further, while the ICO must have regard to promoting economic growth when issuing fines, this duty should not be used to legitimise non-compliance, which harms both data subjects as well as the interests of legitimate businesses working to comply with the law.

The second part of the Guidance addresses the calculation of the fine and explores each of the five steps in the process: assessment of the seriousness of the offence, accounting for turnover (where the controller is part of an “undertaking”, a term examined in the Guidance), calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking, adjustment to take into account any aggravating or mitigating factors and assessment of whether the fine is effective, proportionate and dissuasive.

For the first three steps, the guidance includes figures to illustrate the indicative range of the fines depending on the seriousness of the offence, how these may be adjusted based on the annual turnover of any relevant undertaking (and how that turnover will be calculated) and figures for fine starting points based on the outcomes of steps one and two. All such calculations are subject to the maximum fines set out in law which are, depending on the infringement, either the higher of £8.7m or 2% of the undertaking’s total worldwide turnover in the preceding financial year, or £17.5m or 4% of the undertaking’s total worldwide turnover in the preceding financial year. The assessment of whether the fine is effective, proportionate and dissuasive involves the exercise of the ICO’s judgement and discretion as to whether, in the round, the fine determined under steps 1-4 should be increased or decreased. The Guidance states that the ICO should be consistent and will have regard to the level of fines in previous cases but will not be bound by them.

Once this Guidance is agreed, it will replace the existing fining guidance for new cases and existing cases in which the ICO has not yet issued a notice of intent to impose a fine.

For more information and to respond to the Consultation, which closes on 27 November 2023, click here.