New guidance from the ICO – finally some clarity on GDPR fines?
The ICO has published draft guidance on its regulatory and enforcement activities. The guidance provides valuable insight on how fines will be calculated.
The ICO has published draft Statutory Guidance detailing how it will regulate and enforce data protection legislation in the UK. The guidance, read together with the ICO's existing Regulatory Action Policy (itself under review), sets out how the ICO will operate and is subject to an ongoing consultation. Written responses can be submitted by any interested party, including data controllers and members of the public. The consultation is open until 5pm on Thursday 12 November.
Much of the new guidance is a blend of information that was already available from various ICO sources, but - interestingly for our purposes - it does contain material new information on how the ICO will run its enforcement function and, more specifically, the framework it will use when determining the appropriate amount to fine firms that are in breach of their GDPR obligations.
The ICO says it will follow a "nine-step mechanism" when calculating proposed monetary penalties. Those nine steps are as follows:
1. Assessment of seriousness
2. Assessment of degree of culpability
3. Determination of turnover
4. Calculation of an appropriate starting point
5. Consideration of relevant aggravating and mitigating features
6. Consideration of financial means
7. Assessment of economic impact
8. Assessment of effectiveness, proportionality and dissuasiveness
9. Early payment reduction
The guidance on Step 4 above - calculating the specific starting point for a fine - and particularly the graphic below, is likely to be the section of the guidance of most interest to most firms.

What this shows is that the ICO will consider a broad range of monetary penalty starting points, ranging from 0.125% of the relevant turnover (where the seriousness of the breach and the culpability of the controller are both low) to 3% of the relevant turnover (where both are high). This is not the be-all and end-all: much of the calculation of any fine for any particular breach will be driven by a case-specific assessment of aggravating and mitigating factors at Step 5. However, we know clients in all sectors are interested in understanding the financial impact of ICO investigations, and this guidance will undoubtedly prove useful in doing so.
It also provides us with the opportunity to speculate on the ICO's interpretation of the British Airways data breach. The ICO's initial announcement stated that it intended to fine BA £183.39m in respect of the well-publicised breach, in which, beginning in June 2018, the data of around 500,000 customers was compromised (see our article here). That fine was reported as amounting to approximately 1.5% of BA's worldwide turnover. Presuming the ICO's thinking on starting points has not changed dramatically since summer 2019, that would suggest it considered the BA breach to be of high seriousness (which would make sense given the scale of the breach) and BA to have been negligent (which we cannot know pending the delivery of the enforcement notice, but which would reflect some of the contemporaneous news reporting).
As we have recently noted, it now appears likely that BA's fine will end up having fallen by around 90%, from £183.39m to c.£19.8m (though this remains unannounced and is clearly still uncertain). If the original intended fine equated to 1.5% of global revenue, that figure itself equates to roughly 0.16% of global revenue (19.8 / 183.39 being about 10.8% of 1.5%). This could be taken to indicate that the process of negotiations has moved the ICO's starting point rather considerably across the above matrix.
Alternatively, and perhaps more likely, that reduction may reflect another part of the guidance. The ICO has expressly included at Step 6 and Step 7 of its process that, when calculating a fine or generally exercising its regulatory functions, it must consider both the financial means of the fined entity and any economic impact on the wider sector, or related regulatory impact of the proposed penalty beyond the organisation or individuals on whom the penalty is imposed. This latter consideration, which stems from the Deregulation Act 2015 (the purpose of which is "to make provision for the reduction of burdens resulting from legislation for businesses"), may be taken to reflect the changing nature of the UK government's approach to data and its regulation. Both considerations would undoubtedly have been significant given the state of the travel industry during the COVID-19 pandemic.
Ultimately, it is not remotely surprising (and is surely right) that the ICO will consider ability to pay and the broader potential impact of regulatory fines. But the potential reduction of BA's fine by c.90%, which it is speculated may be linked largely to the impact of the COVID-19 pandemic rather than to other factors, emphasises the potential significance of these steps. It is easy to see how such a precedent will be viewed by other companies under investigation, and how significant - even in more normal circumstances - this change could be.
If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.