Information Commissioner issues data protection fining guidance 

The Information Commissioner’s Office (ICO) has published new data protection fining guidance, setting out how it decides to issue penalties and calculate fines.

The guidance, published yesterday (18 March), replaces the sections about penalty notices in the Regulatory Action Policy published in November 2018.

The guidance sets out the circumstances in which the Commissioner would consider it appropriate to exercise “administrative discretion” to issue a penalty notice.

Among other things, it explains:

• the legal framework that gives the ICO the power to impose fines – “helping people more easily navigate the complexity of the legislation”;
• how the ICO will approach key questions, such as identifying the wider ‘undertaking’ or economic entity of which the controller or processor forms part; and
• the methodology the ICO will use to calculate the appropriate amount of the fine.

Before finalising the guidance, the ICO consulted the Secretary of State and conducted a public consultation.

On the consultation results, the watchdog said: “Generally, the responses were positive, with many respondents welcoming the clarity the Fining Guidance brings and commenting on the reasonable and sensible approach that it takes. Several respondents also suggested changes and clarification or requested that additional examples be included.”

The new guidance applies from the date of publication to new cases relating to infringements of the UK GDPR or DPA 2018. It also applies to ongoing cases in which the Commissioner has not yet issued a notice of intent to impose a fine.

Tim Capel, ICO Director of Legal Service, said: “We believe the guidance will provide certainty and clarity for organisations.

“It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”