Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA18). This important guidance sheds light on the ICO’s methodology for setting fines, describing the circumstances in which the commissioner may exercise administrative discretion to issue a penalty notice and replacing certain elements of its former “Regulatory Action Policy”. Consistent with the European Data Protection Board’s (EDPB) guidelines finalised in 2023, the ICO aims to provide a transparent and navigable framework for organisations, in an attempt to demystify the potential financial impacts arising from data protection infringements.

Trigger Points for ICO Financial Penalties

Financial penalties are provided for in relation to infringements under the UK GDPR and DPA18, categorised by their maximum caps ― either the “standard” or “higher” amounts, depending on the statutory provision that was infringed. Maximum penalties for a particular infringement can reach up to £17.5 million, or 4% of annual global turnover, whichever is higher. Annex 2 of the guidance breaks down the various potential infringements and their accompanying statutory “standard” or “higher” maximum penalties ― with the “higher” amounts imposed, for example, for a breach involving the fundamental conditions for processing and consent, a breach of data subject rights, or unlawful transfers to third countries.

Before making a fining decision, the ICO will consider the potential penalty in relation to other corrective measures which it may impose. The guidance states that the ICO “is not bound by previous decisions, but will ensure there is broad consistency in the approach taken when assessing whether issuing a penalty notice is appropriate”.

In deciding whether to impose a penalty (and in determining its amount), the ICO must consider the factors set out in Article 83 UK GDPR or in s.155(3) DPA 2018, depending on the nature of the relevant processing, and depending on which regime applies. Broadly, this decision involves considering (i) the “seriousness” of the infringement (considering its “nature”, “gravity”, and “duration”); (ii) relevant aggravating or mitigating factors; and (iii) whether a fine would be “effective, proportionate and dissuasive”.

Calculating the Fine: A Step-by-Step Overview

The ICO retains considerable discretion in applying penalties, emphasising the need for organisations to understand the nuances of the guidance. In line with the EDPB’s fining guidance, the ICO guidance sets out a five-step approach to assessing the amount of a fine:

Step 1: Assessment of seriousness — The ICO evaluates the infringement’s nature, gravity, and duration, considering factors like intent or negligence, and the data affected. The “seriousness” will determine the starting amount for a fine, with the most serious category ranging from 20-100% of the relevant maximum fine, “medium” seriousness at 10-20%, and “lower” seriousness at 0-10%.

Step 2: Turnover adjustment — The penalty’s starting point is adjusted based on the organisation’s financial scale, applying percentage multipliers to specific turnover bands. For example, if an undertaking has a turnover of £10-20 million (a “medium-enterprise”), then the indicative adjustment would be between 2-10% of the initial figure set at Step 1 above.

Step 3: Calculating the starting point — Once the turnover adjustments have been applied, the ICO will then calculate the starting point for the penalty using the following equations:

• When the statutory maximum is a fixed amount: statutory maximum amount (fixed) x adjustment for seriousness x turnover adjustment.
• When the statutory maximum is turnover-based: turnover x statutory maximum amount (percentage) x adjustment for seriousness.

The guidance emphasises that the ICO must reach each decision case by case, and may adjust starting points to reflect the requirements that fines be effective, proportionate, and dissuasive. (Tables C and D of the guidance contain a quick reference on where these initial indicative starting ranges would fall.)

Step 4: Aggravating and mitigating factors — The ICO adjusts the preliminary penalty figure by considering any efforts the controller or processor has made to mitigate the infringement (e.g., the degree of cooperation with the ICO or engagement with bodies such as the National Cyber Security Centre), as well as any aggravating circumstances (e.g., financial benefit derived from the infringement). There is no reference to the degree of increase or reduction available; however, the guidance states that the ICO “retains the discretion to use the full amount of the statutory maximum fine available, taking into account the circumstances of each individual case”.

Step 5: Final adjustments — To ensure penalties are effective, proportionate, and dissuasive, the ICO may make further adjustments, considering the infringement’s seriousness and the organisation’s financial standing. Again underscoring the discretionary nature of the ICO’s overall determination, the guidance states that “The Commissioner’s decision on an appropriate fine amount is not a mechanistic assessment, but one of evaluation and judgement”.

Noteworthy Aspects of the New Guidance

While the guidance follows in near lock-step with the EDPB’s approach, there are several noteworthy takeaways for organisations subject to the UK GDPR:

• Broad interpretation of undertaking: The guidance takes a broad view of an entity’s “turnover”, which could significantly affect multinational corporations’ potential penalties should they be considered a single undertaking. Like the EDPB, the ICO considers that “where a controller is a subsidiary of a parent company, the Commissioner will calculate the maximum fine based on the turnover of the undertaking as a whole”, although this interpretation is currently subject to challenge in the Court of Justice of the European Union (CJEU).^[1]
• Multiple infringements: In many cases, a controller’s or processor’s conduct may infringe more than one provision of the UK GDPR. This situation is addressed in Article 83(3) UK GDPR, which states that “if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the [UK GDPR], the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement”. There is therefore much argument around when processing operations are the “same or linked”. Again, however, the EDPB’s approach here, which is reflected in the ICO guidance, is currently the subject of challenges in the courts.
• Evolving EU landscape: Ongoing challenges in the CJEU and EU Member State courts focus on aspects of the EDPB guidance and decisions, which are replicated in the ICO guidance. As noted above, such aspects include the “undertaking” issue and the impact of Article 83(3) GDPR. It will be interesting to see how any relevant court determinations will be taken into account by the ICO in practice.
• “Intentionality” versus “negligence”: The ICO states that it will consider the “intentional” or “negligent” nature of infringements when setting a penalty, which invites the question whether purely unintentional infringements will avoid a penalty. The guidance does not deal with this point, so it remains unclear whether controllers can successfully argue that no financial penalty can be imposed in the absence of even “negligence”, although recent CJEU decisions support this argument.^[2]  However, the evidence which the ICO states it will consider when assessing “negligence” appears disconcertingly broad, and includes factors such as whether the infringement took place through “human error”, albeit with particular emphasis on whether the person had received “adequate training”.
• Settlement: The potential for a formalised “settlement policy” has been discussed by the ICO in previous consultations and public engagements. However, no formal settlement policy was incorporated into guidance. Given the large amount of penalties under the UK GDPR, controllers would highly likely seek to defend their position and appeal against the ICO’s determinations. A settlement policy, like those operated by the UK’s Competition and Markets Authority, for example, would provide guidance on how organisations can cooperate with the regulator during the enforcement process. This process would help organisations (and the ICO) avoid expensive litigation and facilitate early resolution without the need for the dispute to be adjudicated by the UK Information Tribunal and ultimately the UK courts. Whether the ICO will adopt a formal settlement policy in the future remains to be seen.

Conclusion

The ICO’s updated guidance marks a step toward clarifying the fog surrounding data protection fines in the UK, and suggests an approach consistent with that currently being adopted by the EDPB. However, with broad discretion and evolving legal interpretations (including by the CJEU), predicting precise financial outcomes remains a challenge. As the ICO navigates through new enforcement territories, organisations must stay vigilant, adapting to the regulatory landscape’s shifts and turns.

This post was prepared with the assistance of Jemima Abate in the London office of Latham & Watkins.

Endnotes

^[1] In particular, in Anklagemyndigheden v. ILVA A/S (Case C-383/23).

^[2] See Case C- 683/21 Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos and Case C-807/21 Deutsche Wohnen.