
New penalty guidance issued by the Information Commissioner

The Information Commissioner (the ‘Commissioner’) has issued updated guidance on when issuing a penalty notice is appropriate and the approach to determining the penalty value. 

When a penalty notice may be issued 

The Commissioner may use its discretion to issue a penalty notice in the following circumstances: 

  • A controller or processor of personal data has failed, or is failing, to comply with the provisions of the UK GDPR or Data Protection Act 2018 (the ‘DPA 2018’) relating to:
    • The principles of processing;  
    • Rights conferred on data subjects; 
    • Obligations placed on data controllers or processors, such as the requirement to communicate a personal data breach to the Commissioner; or 
    • The principles of transferring personal data outside the UK. 
  • A monitoring body has failed, or is failing, to comply with an obligation about the monitoring of approved codes of conduct. 
  • A certification provider does not meet the requirements for accreditation or has failed to comply with obligations under the UK GDPR in relation to the certification of controllers and processors, or any other provision of the UK GDPR. 
  • A data controller has failed, or is failing, to comply with a requirement to pay charges to the Commissioner. 
  • A data controller, processor or individual has failed to provide information that the Commissioner reasonably requires. 
  • A data controller, processor or individual has failed to allow the Commissioner to inspect or examine documents, information or equipment. 
  • A data controller, processor or individual has failed to comply with a requirement set out in an enforcement notice, such as a requirement to rectify or erase personal data or otherwise comply with the UK GDPR or DPA 2018. 

When assessing whether it would be appropriate to issue a penalty notice, the Commissioner must have regard to the following: 

  • The nature, gravity and duration of the infringement, with consideration to the nature, scope or purpose of the processing concerned and the number of data subjects affected.
  • The intentional or negligent character of the infringement. 
  • Any action taken by the data controller or processor to mitigate damage suffered by data subjects.  
  • The degree of responsibility of the data controller or processor taking into account the technical and organisational measures implemented by them. 
  • Any previous infringements by the data controller or processor. 
  • The degree of the data controller or processor’s cooperation with the Commissioner, in order to remedy the infringement and mitigate the adverse effects of the infringement. 
  • The categories of personal data affected by the infringement. 
  • How the infringement became known to the Commissioner (i.e., whether the data controller or processor notified the Commissioner of the infringement themselves). 
  • Whether the Commissioner has previously been required to investigate, issue warnings or reprimands, or withdraw certifications of data controllers or processors with regard to the same subject matter. 
  • The data controller or processor’s compliance with the codes of conduct they have implemented. 
  • Any other mitigating factors applicable to the circumstances of the case (e.g., financial benefits gained, or losses avoided as a result of the infringement). 

The maximum penalty amount the Commissioner may impose

The amount of the penalty that the Commissioner may impose for infringements of the UK GDPR or DPA 2018 is subject to a statutory maximum.  

Under the UK GDPR and DPA 2018, there are two levels of maximum penalty, depending on the statutory provision that has been infringed. These levels are called the ‘standard maximum amount’ and the ‘higher maximum amount’. 

The maximum penalty amount for each level differs depending on whether the data controller or processor is an ‘undertaking’ (i.e., an entity that is engaged in economic activity) as follows: 

  • The standard maximum amount is £8.7 million, or in the case of an undertaking, the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year. 
  • The higher maximum amount is £17.5 million, or in the case of an undertaking, the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year. 

The Commissioner’s approach where there is more than one infringement by the data controller or processor 

Where the Commissioner finds that the same or linked processing operations infringe more than one of the UK GDPR provisions, the overall penalty imposed by the Commissioner in relation to these infringements must not exceed the maximum statutory amount which applies to the most serious of the individual infringements identified. 

However, if different forms of conduct by a data controller or processor infringe separate provisions of the UK GDPR or the DPA 2018 (i.e., the forms of processing are not sufficiently linked), each infringement would be subject to the relevant statutory maximum amount. Unlike the above scenario, this total amount of the penalty may exceed the amount specified for the gravest infringement. 

How the value of a penalty is determined

When the Commissioner determines that it is appropriate to issue a penalty notice, the penalty value will be calculated by applying the following approach: 

1. Assessment of the seriousness of the infringement 

The Commissioner will first categorise the infringement according to its degree of seriousness and apply a starting point based on a percentage of the relevant statutory maximum. The Commissioner will use the following categories to determine the starting point:

  • For infringements with a high degree of seriousness, the Commissioner will use a starting point of between 20% and 100% of the relevant legal maximum (i.e., £1.74 million to £8.7 million where the fixed-amount standard maximum applies, and £3.5 million to £17.5 million where the higher maximum applies).
  • For infringements with a medium degree of seriousness, the Commissioner will use a starting point of between 10% and 20% of the relevant legal maximum (i.e., £870,000 to £1.74 million where the fixed-amount standard maximum applies, and £1.75 million to £3.5 million where the higher maximum applies).
  • For infringements with a lower degree of seriousness, the Commissioner will use a starting point of between 0% and 10% of the relevant legal maximum (i.e., up to £870,000 where the fixed-amount standard maximum applies, and up to £1.75 million where the higher maximum applies). 

By way of example: if the Commissioner decided that an infringement falling within the high degree of seriousness category warranted a starting point of 40% of the higher maximum amount (falling within the 20% to 100% range) for a controller or processor, this would equate to a starting point of £7 million (being 40% of £17.5 million). 

2. Consideration of turnover (whether the controller or processor is part of an undertaking).

The Commissioner will determine the undertaking's total worldwide annual turnover in its previous financial year, and then consider whether to adjust the starting point to reflect the size of the undertaking. If a data controller or processor is not an undertaking and therefore does not have turnover, the Commissioner may consider other indicators of its financial position such as assets, funding or administrative budget.  

3. Calculation of the starting point, having regard to the seriousness of the infringement and, where relevant, the turnover of the undertaking.

The Commissioner will calculate the starting point of the fine based on the outcome of Step 1 and Step 2 above. Where the statutory maximum is a fixed amount, the starting point will be the fixed statutory maximum amount × the adjustment for seriousness × any turnover adjustment. 

4. Adjustment to take into account any aggravating or mitigating factors. 

The Commissioner will take into account whether there are any relevant aggravating or mitigating factors which may warrant an increase or decrease in the level of fine calculated above. 

5. Assessment as to whether the fine is effective, proportionate and dissuasive. 

The final step allows the Commissioner to increase or decrease the penalty as necessary, having regard to all the relevant circumstances of each individual case. The Commissioner will consider: 

  • Whether the fine amount is effective in ensuring compliance with data protection legislation or providing an appropriate sanction for each infringement. 
  • Whether the fine amount is sufficient to deter the controller or processor from infringing data protection law in the future (taking into account its size and financial position). 
  • Whether the fine amount is proportionate. This assessment is subjective and involves the exercise of the Commissioner’s judgement and discretion in light of the specific context of the infringement. 

In exceptional circumstances, the Commissioner may reduce a penalty where an organisation or individual is unable to pay because of their financial position. The organisation or individual concerned will need to make a claim for financial hardship and will carry the burden of proving that their situation merits such a reduction. 

For more information, please contact Hetal Ruparelia or Georgia Maskell.
