ICO publishes new guidance on fines following 2023 public consultation

The Information Commissioner's Office (ICO) recently published new guidance on how it determines whether to issue fines and how it calculates the level of fines it issues. The guidance follows a public consultation launched by the ICO in 2023.

The new guidance can be accessed here, and replaces previous guidance in the 2018 Regulatory Action Policy published by the ICO.

Some key areas covered by the new guidance include:

• When the ICO will consider it appropriate to issue a fine. The factors the ICO will take into account when determining if it is appropriate to issue a fine are the seriousness of the infringement, any relevant aggravating or mitigating factors and whether imposing a fine would be effective, proportionate and dissuasive. The assessment is fact-specific and ICO is not bound by previous decisions in that regard.
• Additional factors. When deciding whether to issue a fine, the ICO will also take into account the 11 mandatory factors set out at Article 83 (2) of the UK GDPR. These include the nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, the degree of co-operation with the ICO by the infringing entity and any other aggravating or mitigating factors, including financial benefits gained or losses avoided by the infringing entity.
• What an “undertaking” is for fining purposes. This is relevant because an undertaking can be fined up to a percentage of its annual turnover for the previous financial year. This means that undertakings may be subject to higher maximum fines than other types of entity, whose fines are capped at a set numerical figure. There is no definition of “undertaking” in the UK GDPR, but the ICO’s guidance reflects that an undertaking can be one or more legal or natural persons comprising a “single economic unit”, and whether a single entity is part of a wider economic unit will depend on whether the entity in question can act autonomously or whether another entity exercises a “decisive influence” over it. Parent companies can be made jointly and severally liable for subsidiaries’ fines.
• ​Factors when calculating the amount. Where the ICO decides to issue a fine, the amount will be calculated by reference to a five-step approach:
  1. Assessing the seriousness of the infringement
  2. If the entity is part of an undertaking, accounting for turnover
  3. Calculating the starting point in light of steps 1 and 2
  4. Adjusting the fine to take account of mitigating or aggravating factors
  5. Assessing whether the fine is effective, proportionate and dissuasive

The new guidance applies from 18 March 2024 to new cases relating to infringements of the UK GDPR or the Data Protection Act 2018 (DPA), or to current cases where the ICO is yet to issue a notice of intent to impose a fine. Whilst avoiding a fine is clearly any entity’s first priority, controllers and processors in the UK can take comfort from the fact that the ICO’s guidance is there for reference in the unfortunate event that they need to refer to it.