UK Update: ICO Invites Views on its Fining Guidance
15/11/2023

The Information Commissioner’s Office (ICO) is running a consultation on its Draft Data Protection Fining Guidance, which closes at the end of this month.
It is widely accepted that no organisation can completely guard against a data breach, and that a cyber attack is usually a matter of when, not if. While the ICO recognises this, if it finds that an organisation failed to implement appropriate technical and organisational measures to protect personal data, it has the power to impose fines of up to £17.5m, or four per cent of annual global turnover, whichever is higher.
ICO fines in relation to data breaches have figured prominently in the news recently, including:
- British Airways fined £20m in 2020 (reduced substantially from the £183m fine the ICO originally intended to impose) for security failings exposed by a cyber attack it suffered in 2018.
- Marriott International fined £18.4m in 2020 (reduced from £99m) after a cyber attack exposed more than 339 million guest records containing personal data.
- TikTok fined £12.7 million this year for misuse of children’s data under the UK GDPR (and also hit with a €345m fine from the Irish data regulator).
These examples show just how important it is to provide clear guidance to organisations in relation to the fining regulatory landscape. They also demonstrate that the ICO is open to reducing fines where clear mitigating factors can be identified.
What is the ICO consultation about?
This consultation seeks views on the functioning and adequacy of the ICO’s proposed fining guidance, which explains how the ICO imposes fines. In particular, the draft guidance addresses:
- the legal framework that gives the Information Commissioner the power to impose fines;
- the circumstances in which the Information Commissioner would consider it appropriate to issue a penalty notice; and
- how the Information Commissioner calculates the appropriate level of the fine, including the aggravating and mitigating factors which are applied.
Once the new guidance is finalised, this will replace the parts of the ICO’s Regulatory Action Policy which deal with imposing and calculating fines.
The consultation runs for eight weeks from 2 October and will formally close on 27 November 2023.
Responses can be submitted via the ICO’s website: Introduction: Data Protection Fining Guidance (smartsurvey.co.uk)
By Burness Paull LLP, Scotland, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact ukscotland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.