As part of its consultation on draft statutory guidance, the Information Commissioner's Office (ICO) has set out its proposed methodology for calculating fines under sections 155–157 of the Data Protection Act 2018 (DPA2018) and Article 83 of the General Data Protection Regulation (GDPR).
Businesses will already likely be aware that the ICO has the power to levy maximum fines up to €20 million or 4% of global turnover – whichever is higher. Many will recall with a shiver the £183million and £99m fines that the ICO in 2019 announced that it intended to impose on British Airways and Marriot International respectively for their data breaches. Until now, however, the approach that the UK's data protection regulator has taken to calculate those intended fines has been unclear.
Under the DPA 2018, the ICO is required to provide statutory guidance setting out how it will exercise its powers and functions under the GDPR. Earlier this month, the ICO published draft statutory guidance for consultation. Although much of the draft statutory guidance is not new, the section that sets out the ICO's approach to calculating fines is new – and illuminating.
In calculating fines, the ICO says that it will follow the following steps:
- Assess the seriousness of the contravention.
- Assess the degree of culpability of the organisation concerned.
- Determine turnover.
- Calculate the appropriate starting point.
- Consider relevant aggravating or mitigating factors or both.
- Consider the organisation's financial means.
- Assess the economic impact.
- Assess the effectiveness, proportionality and dissuasiveness of any penalty.
- Make any early payment reduction.
In step one, the ICO will determine whether the "higher maximum amount" (4% of relevant turnover or €20 million (broadly, £17.5 million) or the "standard maximum amount" (2% of relevant turnover or €10 million (broadly, £8.7m) is applicable to the breach under consideration. Importantly, the ICO confirms that "if there are two or more breaches, and these attract different maximum amounts, the higher maximum amount will apply as this is the gravest breach."
Breach watch list
There are a wide range of factors which the ICO will consider at this step, including:
- the nature, gravity, and duration of the failure;
- any action taken by the data controller or processor to mitigate the damage suffered by data subjects;
- any relevant previous failures by the data controller or processor;
- the degree of cooperation with the ICO, in order to remedy the failure and mitigate the possible adverse effects of the failure;
- the categories of personal data affected by the failure;
- the way the breach became known to the ICO, including whether, and if so to what extent, the data controller or processor notified the ICO of the failure;
- the extent to which the data controller or processor has complied with previous enforcement notices or penalty notices; and
- adherence to approved codes of conduct or approved certification mechanisms.
Next, at step two, the ICO will consider the ''degree of culpability of the organisation concerned'', taking into account the measures taken by the organisation to implement the data protection principles, minimise the risks to the rights and freedoms of data subjects and to keep personal data secure. The ICO will also take into account any intentional or negligent steps taken by the data controller.
Having done so, the ICO will evaluate the organisation's financial position to determine its revenue, and therefore the level of fine which may be payable (step three). Failure to cooperate may be deemed an aggravating factor under step five.
The ICO's starting point for the calculation of a fine (step four) uses the methodology set out in the below table, based on the seriousness and degree of culpability determined under steps one and two.
Penalty starting point
Standard Maximum Amount (SMA): maximum of 2% or €10 million
Higher Maximum Amount (HMA): maximum of 4% or €20 million
|Degree of culpability||Seriousness|
Having calculated its starting point, the ICO will consider any aggravating factors (step five), such as financial benefits gained, or losses avoided, directly or indirectly, from the breach. It will also consider the degree of cooperation with the investigation. It will then adjust the level of fine (upwards or downloads) accordingly.
Next, and of particular importance in the current economic climate, the ICO will then consider "the likelihood of the organisation or individual being able to pay the proposed penalty and whether it may cause undue financial hardship" (step six).
At step seven, and in a similar vein, the ICO will, where appropriate, consider "any economic impact on the wider sector, or related regulatory impact of the proposed penalty beyond the organisation…''. In doing so, it promises that will ''only take regulatory action when it is needed, and that any action… is proportionate" acknowledging that it "must consider the desirability of promoting economic growth when exercising our regulatory functions under the DPA 2018"
In its penultimate step eight, the ICO will consider whether the fine is effective and proportionate and adjust it accordingly.
Finally, the ICO will reduce its fine by 20% if it receives full payment within 28 days of sending the monetary notice. (this early payment discount is not available if a controller or person decides to exercise their right of appeal to the First-Tier Tribunal (Information Rights).
Implications for businesses
While this guidance is in draft form, it provides welcome clarity and insight into how the ICO determines what amount of fine to levy. In particular, the above table and guidance as to how the ICO determines its starting point (step four) will be helpful to businesses and those advising them, to understand the potential risk in the event of any non-compliance.
This announcement comes as the ICO seems to be ramping up its level of activity. What is notable about the UK guidance, however, is the ICO's explicit statement that it will consider the financial means of the data controller to pay the fine levied and the wider impact upon a sector of the fine. The ICO's comment "consider the desirability of promoting economic growth" when exercising its functions will be reassuring for businesses at this challenging time (steps six and seven).
The granularity provided by the ICO – and which may form part of the written reasoning for fines – will also be of interest to the army of claimant lawyers and their funders lining up to bring group litigation claims on the back of adverse regulatory findings. A regulatory finding will not necessarily lead to a right to compensation. However, regulatory findings may be influential not just on whether the data controller has breached the legislation but also on whether data subjects can claim compensation, an issue that the Supreme Court will be considering very carefully in the forthcoming Lloyd v Google appeal.