ICO releases draft guidance on how it will calculate financial penalties

The ICO has published draft guidance on its proposed regulatory approach when enforcing data protection law in the UK

23 October 2020

The new guidance is not an overhaul of the existing regulatory regime, but it does present some useful insights into how GDPR fines will likely be calculated. The draft guidance is a requirement of the Data Protection Act 2018, and explains how the ICO will exercise its regulatory functions when issuing information notices, assessment notices, enforcement notices and penalty notices. The UK Information Commissioner, Elizabeth Denham, stated that the guidance 'sets out our proportionate approach to regulatory action, yet details the robust action we will take against those that flout the law'. The ICO will use responses to the consultation to understand the areas where further clarity is required.

Information notices

An information notice is a formal request to a data controller, processor or individual to provide the ICO with information within a specific timeframe in order to assist with an ICO investigation.

The draft guidance states that while information notices may be served at the ICO’s discretion, it will consider the proportionality of serving one, taking into account the public interest in the response and the risk of harm to individuals posed by the processing under investigation, among other factors. If the request is not complied with, the ICO may apply for a court order requiring a response and may also consider issuing a penalty notice.

Assessment notices

An assessment notice is issued to a data controller or processor to notify them that the ICO is assessing whether they are compliant with data protection legislation. The notice may require access to premises, documentation and equipment.

The draft guidance gives further examples as to the types of information and documentation it may require access to, including an organisation’s strategies, codes of practice, training materials, contracts, DPIAs, breach logs and information with a high level of commercial sensitivity. The ICO’s assessment may also include interviews of departmental managers, operational staff, support staff as well as staff involved with information governance. Again, if the request is not complied with, the ICO may apply for a court order requiring the organisation to supply the information requested, or the ICO may apply for a warrant to gain access to premises. If an organisation fails to comply with an assessment notice, a penalty notice may be issued. The outcome of the assessment is an audit report which is shared with the organisation and will include recommendations to address any weaknesses or compliance issues identified during the assessment.

Enforcement notices

The ICO will issue an enforcement notice to a data controller or processor if they have breached one of the data protection principles. The purpose of an enforcement notice is to mandate action, or stop something happening, such as data processing or a data transfer.

The draft guidance states that the use of enforcement notices will usually be appropriate where there has been repeated failure to meet information rights obligations or timescales for them, such as repeated delays in responding to subject access requests, serious ongoing infringements to the rights and freedoms of individuals or failure of an international transfer to meet the requirements under data protection law. Timescales set out in an enforcement notice will reflect the imminence of the proposed action that could lead to a breach of obligations, the severity and scale of any breach and feasibility of any correcting measures. Non-compliance with an enforcement action may lead to the issuance of a penalty notice.

Penalty notices

A penalty notice is reserved for the most serious breaches of data protection law and can be served on both data controllers and processors. It is a formal document setting out the ICO’s intention to fine an organisation for a breach of data protection law and is intended to punish the organisation. Usually, a penalty notice is used for intentional or negligent acts or repeated breaches, but it can also be issued where there is a lower level of impact across many individuals, the totality of which results in substantial damage.

The draft guidance sets out the ICO’s risk-based approach and the higher likelihood that a fine will be imposed where, for example, special-category data is involved, many individuals are affected, there has been a failure to mitigate and the organisation is highly culpable for the breach.

The maximum amount of any penalty depends on the type of breach and whether the ‘standard maximum amount’ (€10 million or 2 per cent of turnover) or ‘higher maximum amount’ (€20 million or 4 per cent of turnover) applies. In order to determine the amount of the penalty to be imposed, the ICO will follow a nine-step process:

  1. Assessment of seriousness taking into account the nature, gravity and duration of the failure, any relevant previous failures and the categories of personal data affected by the failure, among other factors.
  2. Assessment of degree of culpability, taking into account technical and organisational measures implemented by the organisation.
  3. Determination of turnover using relevant accounts and expert financial or accountancy advice.
  4. Calculation of an appropriate starting point based on the seriousness of the breach and the degree of culpability. There is a broad range of monetary penalty starting points on the ICO’s matrix, ranging all the way from 0.125 per cent of the relevant turnover (for a low seriousness/low degree of culpability breach) to 3 per cent of the relevant turnover (for a very high seriousness/intentional degree of culpability breach).
  5. Consideration of relevant aggravating and mitigating features such as financial benefits gained, or losses avoided, from the breach.
  6. Consideration of financial means and whether the organisation can pay the proposed penalty or whether it will cause undue financial hardship.
  7. Assessment of economic impact on the wider sector, or related regulatory impact of the proposed penalty.
  8. Assessment of effectiveness, proportionality and dissuasiveness.
  9. Early payment reduction – the ICO will reduce the amount of the penalty by 20 per cent if payment is received within 28 days of sending the notice.

Although financial penalties are not the only tool available to the ICO, many organisations are keen to understand the financial impact of a potential ICO investigation and this draft guidance provides a glimpse as to the thought process behind any potential fines. 

If you have any questions, please contact Andrew Dunlop or our Data Protection team.

Key contact

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection
