The ICO has published guidance revealing how it will enforce data protection legislation.
The guidance, which explains the ICO’s powers, when it will use them and how it calculates fines, sets out a “nine-step mechanism” for calculating fines:
- Assessment of seriousness
- Assessment of degree of culpability
- Determination of turnover
- Calculation of an appropriate starting point
- Consideration of relevant aggravating and mitigating features
- Consideration of financial means
- Assessment of financial means
- Assessment of economic impact
- Assessment of effectiveness, proportionality, dissuasiveness
- Early payment reduction
The ICO has created a matrix to calculate the appropriate starting point for fines. Aggravating and mitigating factors will still be assessed case by case and applied after that starting point is set.
The guidance also states that, when calculating a fine, the ICO must consider the desirability of promoting economic growth. This may be a nod to the damage caused to the economy by COVID-19.