On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance will subsequently be laid before Parliament for approval.
The guidance outlines a “nine-step mechanism” for calculating proposed monetary penalties, set out as follows:
The ICO will then agree a starting point for the calculation of the penalty (using a matrix – see Image 1) based on the seriousness of the breach and the degree of culpability. The appropriate percentage is then applied to the turnover or equivalent (as determined at step 3).
· A breach of seriousness level ‘low’ combined with the degree of culpability being ‘low/no’ could result in the appropriate percentage of 0.125% being applied to the relevant turnover.
Whilst only in draft form, this guidance provides welcome clarity as to the ICO’s methodology when calculating fines.
Step 4, ‘calculating an appropriate starting point’, is novel and will be particularly helpful for organisations in charting their incident, and the factors specific to them, against the ICO’s sliding scale matrix.
Step 7 further offers some comfort in the current economic circumstances: the ICO will also have to consider the desirability of promoting economic growth, and the impact on the wider sector, when calculating any penalty.
Our blog post on Germany’s model for GDPR fines can also be found here.
Image 1 – Step 4 Matrix
Marcus is a communications, media and technology lawyer based in London. He focuses on data privacy and IT services.