UK data protection regulator publishes updated fining guidance

Viewpoints
March 25, 2024

On 18 March 2024, the UK data protection regulator (ICO) published updated fining guidance. This update follows the ICO’s consultation in October 2023 on a draft version of the guidance, and will replace the relevant sections in the ICO’s Regulatory Action Policy regarding penalty notices.

This updated fining guidance sets out the ICO’s latest approach in determining whether to issue a fine for infringements of the UK GDPR and the Data Protection Act 2018, and how it calculates the amount of the fine.

Factors taken into account in determining whether to issue a fine

The ICO will consider the seriousness of the infringement, any relevant aggravating and/or mitigating factors, and whether imposing a fine will be effective, proportionate and dissuasive:

Seriousness of the infringement. The ICO will assess the seriousness of the infringement by reference to:

  • The nature, gravity and duration of the infringement;
  • Whether the infringement was intentional or negligent; and
  • The categories of personal data affected by the infringement.

Aggravating and/or mitigating factors. The ICO will consider factors such as:

  • Whether and how the organisation has taken action to mitigate the damage suffered by data subjects;
  • How the ICO became aware of the infringement; and
  • Whether the organisation had obtained any economic or financial benefit from the infringement.

Effectiveness, proportionality and dissuasiveness of the fine. The ICO will also consider whether a fine:

  • Will ensure compliance with data protection legislation and/or provide an appropriate sanction for the infringement;
  • Is appropriate and necessary in the circumstances to meet these objectives; and
  • Can function as a genuine deterrent against future non-compliance by both the infringing organisation and other organisations.

Steps involved in calculating the amount of the fine

If the ICO has determined that a fine should be issued, it will calculate the amount of the fine as follows:

The starting point of the fine is calculated by assessing the seriousness of the infringement and the turnover of the undertaking. Depending on the degree of seriousness, the starting point of the fine may range from 0% to 10%, 10% to 20%, or 20% to 100% of the relevant legal maximum*. The size of the undertaking may also be determinative in adjusting the fine, with smaller undertakings potentially benefitting from a reduced fine. For example, micro-enterprises (i.e. undertakings with an annual turnover of up to £2 million) may benefit from adjustments of 0.2% to 0.4% to the starting point of the fine.

Adjustments may be made to take into account aggravating and/or mitigating factors. If the ICO has previously identified any aggravating and/or mitigating factors, it will assess on a case-by-case basis whether the fine should be increased or decreased.

Additional adjustments may be made to ensure that the fine is effective, proportionate and dissuasive. The ICO also has discretion to increase or decrease the amount of the fine in light of the circumstances of the infringement; for example, it may increase the amount of the fine if it determines that this will have a greater and more effective deterrent effect.

Other additional considerations

The guidance provides further information for organisations, such as clarification regarding:

Concept of undertakings. Whether or not an organisation forms part of an undertaking depends on the degree of autonomy it exercises, in particular whether another entity has decisive influence over the infringing organisation. A fund may thus be unlikely to be counted as part of an organisation’s wider undertaking, although this will depend on the circumstances.

The ICO will consider factors regarding the economic, organisational and legal links between the infringing organisation and its parent entity, such as the level of shareholding owned by the parent entity and the representation the parent entity has on the subsidiary’s board, as well as other evidence of influence the parent entity holds over a subsidiary’s conduct and operations. The ICO may also hold a parent entity jointly and severally liable for the payment of a fine imposed on an organisation over which the parent company has decisive influence.

Information used to calculate turnover. If the infringing organisation forms part of an undertaking (i.e., where an organisation is a subsidiary of a parent company), the ICO will calculate the fine based on the worldwide annual turnover of the undertaking as a whole, by reference to the previous financial year’s information.

If such information is not available, the ICO may use the preceding year’s financial information, compel the organisation to provide it with financial information, or refer to the undertaking’s unaudited accounts or other financial information available at the time.

Significance of previous decisions. The ICO noted that while it is not bound by its previous decisions, it will ensure “broad consistency” when assessing whether to issue a fine. This means that previous enforcement decisions are, at the least, likely to remain influential.

Financial hardship. In exceptional circumstances, the ICO may reduce the fine if the organisation is unable to pay due to its financial position. However, the ICO has also noted that there may be circumstances where a fine may be effective, dissuasive and proportionate even if the infringing organisation would be rendered insolvent as a result of the fine.

Conclusion

The ICO’s updated fining guidance provides additional clarity for organisations to calculate the potential financial risk(s) arising from the organisation’s processing of personal data. Organisations should, however, be mindful that fines are one of several enforcement tools available to the ICO.

Other enforcement or corrective measures, including orders to stop certain data processing activities, to modify data handling practices, or to provide the ICO with additional information regarding an organisation’s compliance regime, have been issued by the ICO more frequently than fines. These measures may also have a greater cost or reputational impact, or otherwise pose additional risks to an organisation’s business practices, than fines alone. Organisations should thus consider the ICO’s Regulatory Action Policy in conjunction with this guidance for a more comprehensive assessment of risk.

*The legal maximum amount will depend on which provision of the UK GDPR and/or Data Protection Act 2018 has been infringed, and will be either (i) the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year; or (ii) the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.
