How much will you be fined if you breach the GDPR?

A question often asked by organisations is ‘what is our financial risk for data protection non-compliance in the UK?’. Unfortunately, giving an accurate answer to that question isn’t easy. However, on 18th March 2024 the ICO published new data protection fining guidance setting out how it decides to issue penalties and calculate fines.

This guidance serves as a valuable resource for organisations and privacy professionals, offering insight to incorporate into their risk documentation. It aids in refining risk analyses and provides clarity on the potential fines for any data protection violations uncovered by an organisation.

Norm.’s Director of Legal Services, Robert Wassall, provides insight into the key takeaways from this guidance.

Factors the ICO will take into account

The ICO has confirmed that when deciding whether to issue a penalty notice (fine), it will review the facts of each case and consider, amongst other things:

• The nature, gravity and duration of the infringement taking into account the scope or purpose of the processing concerned, as well as the number of data subjects affected, and the level of damage suffered by them
• The intentional or negligent character of the infringement
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects
• The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them
• Any relevant previous infringements by the controller or processor
• The degree of cooperation with the ICO to remedy the infringement and mitigate the possible adverse effects of the infringement
• The categories of personal data affected by the infringement
• The manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, the controller or processor notified the infringement
• Any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided.

An intentional infringement is where senior management authorised the unlawful processing; or the processing was undertaken despite advice about the risks involved, or with a disregard of its internal policies.

A negligent infringement is where an organisation has breached the duty of care required by law by:

• Failing to create data protection policies
• Failing to read and abide by its own data protection policies
• Failing to check for personal data in information that is published or otherwise disclosed or
• Failing to apply technical updates in a timely manner
• Human error, particularly where the person (or people) involved had not received adequate training on data protection risks;

Aggravating or mitigating factors

Once the ICO has assessed the seriousness of the infringement, it will then consider whether there are any aggravating or mitigating factors. It will take into consideration:

• Mitigation– the ICO will be looking for evidence of the organisation has tried to effectively mitigate the harmful consequences of the infringement. The ICO will also give due consideration to measures in place prior to any investigation or the ICO otherwise becoming aware of the infringement.
• Degree of responsibility– the ICO will consider the extent of what the organisation did, considering its size and resources, and the nature and purpose of the processing. The ICO will also assess any shared responsibility between controllers or between controllers and processors.
• Previous infringement or measures previously ordered– the ICO will give greater weight to infringements which have been of a similar nature, which occurred recently, and compliance measures it has previously ordered concerning the same subject-matter.
• Cooperation with the ICO– organisations are expected to cooperate with the ICO and should respond to requests for information where possible.
• How the ICO became aware– to what extent did the organisation notify the ICO about the infringement.
• Other aggravating or mitigating factors –economic or financial benefit obtained, or losses avoided as a result of the infringement. Also, any action the organisation took to proactively report a breach to other appropriate bodies, such as the National Cyber Security Centre.

Effective, proportionate and dissuasive

Section 155 DPA 2018 requires the ICO to consider whether issuing a penalty notice for an infringement is, in each case, effective, proportionate and dissuasive. In this context:

• ‘Effective’ means that imposing a fine achieves the objective of ensuring compliance with data protection legislation or providing an appropriate sanction for the infringement (or both).
• ‘Proportionate’ means that imposing a fine does not exceed what is appropriate and necessary in the circumstances to meet those objectives. In considering whether imposing a fine is proportionate, the Commissioner will consider all the relevant circumstances, including:

• • the seriousness of the infringement
  • the harm or other impact on data subjects
  • the controller or processor’s size and financial position.
• ‘Dissuasive’ means that imposing a fine is a genuine deterrent to future non-compliance. The intention behind ensuring fines are ‘dissuasive’ is to promote compliance with data protection legislation. There are two aspects to deterrence in this context. First, there is a need to deter the controller or processor that is the subject of the fine from engaging in same infringing conduct again (referred to as ‘specific deterrence’). Second, there is a need to deter others from committing the same infringement in the future (referred to as ‘general deterrence’).

Calculation of the fine

If the ICO decides to issue a penalty notice, the fine amount will be calculated by applying the following five step approach:

1. Assessment of the seriousness of the infringement
2. Accounting for turnover (where the controller or processor is part of an undertaking)
3. Calculation of the starting point having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking
4. Adjustment to consider any aggravating or mitigating factors
5. Assessment of whether the fine is effective, proportionate and dissuasive.

In conclusion, understanding the potential fines for breaching GDPR is crucial for organisations aiming to maintain compliance with data protection regulations. The ICO’s newly published data protection fining guidance offers valuable insights into how penalties are determined, and fines calculated.

Key factors such as the nature and severity of the infringement, intentional or negligent conduct, and cooperation with the ICO are carefully considered in the assessment process. Additionally, aggravating or mitigating factors play a significant role in determining the final fine amount.

Furthermore, fines are calculated with the aim of being effective, proportionate, and dissuasive, ensuring they serve as a deterrent against future non-compliance. The ICO employs a structured five-step approach to calculate fines, taking into account the seriousness of the infringement and the financial position of the organisation.

By adhering to this guidance and understanding the factors involved, organisations can better mitigate their financial risk and work towards maintaining robust data protection practices.