ICO launches consultation on new Data Protection Fining Guidance

Background

Currently, there are sections within the Regulatory Action Policy ("RAP") that explain the ICO's approach to imposing and calculating fines, but the ICO intends for these to be replaced by the Draft Guidance once it is finalised. The ICO intends to replace the remaining sections of the RAP (which explain the circumstances in which oral representations are permitted if a notice of intent to issue a penalty notice is issued, and the approach taken in the event that a fine is not paid) with procedural guidance that will be consulted on at a later date. In this blog post, we will explore the key highlights of the Draft Guidance and its potential implications.

• Joint processing operations. Organisations that act as controllers or processors will be particularly interested in the ICO's thoughts on when processing operations can be seen to be the same or linked. Here, the total fine for all linked processing operations together will be capped at the statutory maximum (up to £17.5% million or 40% of an organisations worldwide turnover, whichever is higher). By contrast, organisations could face "double jeopardy" for processing operations that aren't linked – i.e. multiple fines, each potentially up to the statutory maximum. The Draft Guidance states that processing operations will be capable being linked either by time, purpose or data subjects, so organisations could seek to use this as an attempt to cap their overall liability.
• The concept of an "undertaking" for the purpose of imposing fines. The Draft Guidance follows a similar approach to the European Data Protection Board ("EDPB") in stating that, where a controller or processor forms part of an undertaking (for example, where a controller or processor is a subsidiary of a parent company) the ICO will calculate the maximum fine based on the turnover of the undertaking as a whole. It is also notable that the Draft Guidance refers to retained EU case law about the concept of an undertaking. On this basis, it is clear that the well-established UK competition law principles will still be followed, even though they derived from EU laws.
• Alignment with the EDPB approach. Although the UK GDPR and DPA are subject to change through the Data Protection and Digital Information Bill, the Bill does not propose significant changes to the ICO's fining powers. It is therefore unlikely to interfere with the proposals in the consultation and perhaps explains the ICO's clear attempt to align with the EDPBs approach. For example, the EDPB also has a five step approach to calculate fines and its guidance also states that in cases where a breach of the UK GDPR or Parts 3 or 4 of the DPA 2018 involves multiple infringements, the maximum fine will be determined by the most severe individual infringement. However, fines may also be imposed for each additional infringement arising from similar processing activities.
• Reprimands. Although the Draft Guidance does not cover this, we expect that organisations would also welcome separate guidance on the ICO's use of reprimands. Although the ICO is employing reprimands more frequently, there is currently little guidance in the RAP over its approach to reprimands. There is some frustration over the lack of ability to appeal a reprimand.

Overall, this Draft Guidance should provide organisations with clarity as to when and how the ICO will calculate and impose fines. After the consultation closes, the ICO will take into account the responses received before making any amendments if they decide to do so.

The draft Data Protection Fining Guidance can be read here.