Regulatory and compliance

Decoding penalty notices: UK ICO clarifies its methodology for issuing fines in new guidance

Published on 27th Mar 2024

Restatement and consolidation of the ICO's decision-making process rather than revolution in approach to enforcement

Business planning meeting, photo of people's hands holding pens and going over papers

The Information Commissioner's Office published new guidance last week to clarify when and why it will use its discretion to issue a monetary penalty notice to organisations that infringe certain provisions of the UK General Data Protection Regulation or Data Protection Act 2018.

The guidance helpfully collates and restates existing statutory requirements governing both how the ICO assesses whether to impose fines and how it calculates the amount of any fine that it issues.

While the guidance provides a more nuanced explanation of the ICO's decision-making process, it does not appear to signal a dramatic departure from its current approach. It remains to be seen whether it will alter the ICO's approach to enforcement in practice or will reduce the prospect of successful challenges to its enforcement decisions.

New strategic approach

The guidance follows a public consultation last November. It replaces the sections about penalty notices in the ICO's Regulatory Action Policy (published in November 2018).

The incumbent Information Commissioner has embraced a new strategic approach to regulatory enforcement which is less focused on monetary penalties and includes greater emphasis on outcomes such as warnings and reprimands. Nevertheless, there has been a steady flow of (largely successful) appeals against previous ICO fining decisions and the quantum of fines.

In an effort to provide greater transparency about how the Commissioner will exercise his decision-making powers, the guidance sets out in greater detail than previously the assessment framework which he must consider when deciding to issue penalties and calculate fines. 

Highlights from the guidance

In very broad terms, the guidance sets out the factors which the ICO will take into account when deciding whether or not to issue a penalty notice. These factors are based in UK data protection law, but, in summary, include an analysis of:

  • the seriousness of the infringement;
  • any relevant aggravating or mitigating factors; and
  • whether imposing a fine would be effective, proportionate and dissuasive.

It also clarifies the ICO's understanding of what constitutes an "undertaking" for the purpose of calculating the value of a fine. 

Where there is more than one infringement by a controller/processor, the guidance explains the ICO's approach including how it assesses whether the infringements are in relation to the "same or linked processing operations".

There is revised guidance on how the ICO will calculate the "appropriate" level of any penalty, which includes an updated five-step analysis covering:

  • assessment of the seriousness of the infringement;
  • accounting for turnover (where the controller/processor is part of an undertaking);
  • calculation of the starting point, having regard to the seriousness of the infringement and (where relevant) the turnover of the undertaking;
  • adjustment to take into account any aggravating or mitigating factors; and
  • assessment of whether the fine is effective, proportionate and dissuasive.

Osborne Clarke comment

The guidance is primarily a restatement and consolidation of principles set out in earlier ICO guidance and statute, as opposed to a revolution in its approach to enforcement. Although it provides greater transparency around its decision-making process, the methodology remains subjective and gives the ICO significant latitude to decide when to take action and where to pitch fines. 

The ICO's enforcement decisions have regularly been subject to successful legal challenges. It will be interesting to see whether the revised guidance will help the ICO reverse the trend or whether it will provide those facing enforcement action with more ammunition to challenge its decisions. 

This may ultimately be a moot point for most organisations, given that the ICO has issued only two penalty notices under the UK GDPR since January 2023 and has instead expressed a desire to make use of other enforcement powers, such as reprimands. Far more monetary penalty notices are issued for breaches of PECR (the Privacy and Electronic Communication Regulations), where fining decisions remain subject to an alternative regime and statutory guidance.

Amelia Hodder, Trainee Solicitor at Osborne Clarke, assisted with the preparation of this Insight

Share

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?