The ICO has published guidance revealing how it will enforce data protection legislation.
The guidance explains the ICO’s powers, when it will use them and how it calculates fines. It sets out a “nine-step mechanism” for calculating fines:
- Assessment of seriousness
- Assessment of degree of culpability
- Determination of turnover
- Calculation of an appropriate starting point
- Consideration of relevant aggravating and mitigating features
- Consideration of financial means
- Assessment of financial means
- Assessment of economic impact
- Assessment of effectiveness, proportionality, dissuasiveness
- Early payment reduction
Insight
The ICO has created a matrix to calculate the appropriate starting point for fines. Case-specific aggravating and mitigating factors will still be assessed and applied after that starting point is set.
The guidance also states that, when calculating a fine, the ICO must consider the desirability of promoting economic growth. This may be a nod to the damage caused to the economy by COVID-19.