top of page

ICO Data Protection Enforcement Guidance

Thomas Prince


Minute Read

4 Jun 2024

ICO Data Protection Enforcement Guidance

Thomas Prince


Minute Read

4 Jun 2024

𝙎𝙤𝙪𝙧𝙘𝙚: 𝙎𝙊𝙈𝙆𝙄𝘿 𝙫𝙞𝙖 𝘼𝙙𝙤𝙗𝙚 𝙎𝙩𝙤𝙘𝙠

The Information Commissioner’s Office has issued new fining guidance which is intended to provide clarity to organisations on how the ICO approaches using its powers to issue fines and taking other enforcement action.

The guidance explains the factors the regulator will consider when deciding the seriousness of a breach of data protection legislation. Amongst the key messages is confirmation that the ICO is likely to perceive breaches involving certain categories of personal data as more serious infractions. These categories include:

  • ‘special category’ personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs);

  • criminal offence data;

  • sensitive personal data such as passports, driving licenses, private communications (especially those containing intimate details);

  • location data;

  • financial data; and

  • background.

Any inclusion of these types of personal information within the scope of a data breach will generally lead the ICO to conclude the infringement is a serious one, warranting more significant enforcement action. Conversely, the implication is that personal data which falls outside of this may be treated as less seriously.

The guidance also clarifies additional circumstances where the regulator may be minded to impose a fine, beyond just data protection breaches. These circumstances include where an organisation:

  • fails to provide information the ICO reasonably requires;

  • denies the ICO access to inspect documents or data; and

  • does not comply with the requirements set out in an ICO enforcement notice, such as orders to rectify or erase personal data.

Further, the guidance explains how the ICO will consider the manner in which it became aware of any infringement as a key factor in assessing what level of punishment to impose. If an organisation proactively notifies the ICO of a breach, this may be viewed as a mitigating factor, provided the regulator was not already aware of the issue. On the other hand, if the ICO discovers the infringement through a complaint, media coverage, or its own intelligence-gathering, this will be considered a neutral factor.

Where the ICO is satisfied that an organisation has failed to comply with UK GDPR, or DPA 2018 it may impose a maximum penalty of £17,500,000 or 4% of total worldwide annual turnover in the preceding financial year.

If the ICO decides to issue a penalty, it will follow a five-step approach when calculating the fine taking into account:

  1. an assessment of the severity of the infringement;

  2. consideration of the organisation's (group) turnover;

  3. Calculation of the starting point having regard to the seriousness of the infringement;

  4. making relevant adjustments to account for any aggravating or mitigating factors. Such factors include:    

    1. action taken to mitigate damage suffered by data subjects;

    2. the degree of responsibility of the controller or processor;

    3.  relevant previous infringements by the controller or processor;

    4. the degree of cooperation with the Commissioner;

    5. the manner in which the infringement became known to the Commissioner;

    6. measures previously ordered against the controller or processor;

    7. adherence to approved codes of conduct or certification mechanisms; and

    8. any other aggravating or mitigating factors; and

  5. evaluation of whether the final fine amount is effective, proportionate, and dissuasive insofar as whether imposing a fine would achieve the objectives of ensuring compliance or providing an appropriate sanction (i.e. effectiveness) before considering whether the imposition of a fine will act as a genuine deterrent to future non-compliance (i.e. dissuasiveness).

The guidance emphasises that the process of determining fines is not a rigid, prescribed one. Instead, each fine will be assessed on a case-by-case basis, taking into account the unique circumstances of the situation. This will involve a degree of evaluation and the exercise of judgement by the regulator.

This is all useful in interpreting the attitude of the regulator to fines and should allow a greater degree of insight into the actual level of risk associated with data breaches when assessed alongside the measures which organisations have in place to manage and mitigate these risks. With that in mind, organisations that underpin compliance with processes and clear strategies should be able to rest slightly easier.

If you require any assistance or more information on this matter, don't hesitate to get in contact with our Partner and Head of Commercial Thomas Prince.

Keep up to date with our latest updates in the legal world, meet our latest recruits and see our latest events.

bottom of page