ICO publishes fining guidance
Earlier this year, the Information Commissioner’s Office published new data protection fining guidance, setting out how it decides to issue penalties and calculate fines.
The guidance aims to provide greater transparency for organisations about how the ICO uses its fining power and replaces the sections in the ICO Regulatory Action Policy published in November 2018.
The update includes details of
- The infringements of UK GDPR and DPA 2018 for which the Commissioner can impose a fine
- The factors the Commissioner will take into account when deciding whether to issue a penalty notice and in determining the amount
- The maximum amount of a fine under UK GDPR and DPA 2018
- The concept of an ‘undertaking’ for the purpose of imposing fines
- The Commissioner’s approach to fines where there is more than one infringement by a controller or processor
- Circumstances in which the Commissioner would consider it appropriate to issue a penalty notice
- Calculation of the appropriate amount of the fine
The ICO has issued 69 enforcement notices so far in 2024 for various types of data protection infringement. Numerous notices have included monetary fines such as a £350,000 fine for the MOD, £140,000 for HelloFresh, £240,000 for Outsource Strategies Ltd, and £150,000 for Poxell Ltd.
Article 83 UK GDPR and section 157 DPA 2018 provide for two levels of maximum fine by the ICO, depending on the statutory provision that has been infringed. These are referred to as the ‘standard maximum amount’ and the ‘higher maximum amount’.
The maximum fine amounts for each level differ based on whether the controller or processor is an ‘undertaking’. The standard maximum amount is £8.7 million or, in the case of an undertaking, is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.
The higher maximum amount is £17.5 million or, in the case of an undertaking, is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.
For a no-obligation conversation about data protection and how we might help, contact Prettys’ dedicated Data Protection and Privacy Team on e: dataprotection@prettys.co.uk or call 01473 232121.