At the end of last year, the Information Commissioner’s Office (“ICO”) released its draft Data Protection Fining Guidance (“Guidance”) for consultation, shedding light on crucial aspects of data protection fines. As a law firm deeply engaged in data protection matters, we participated in this consultation and offered our insights and feedback on the Guidance.
The ICO’s draft Guidance aims to explain:
the legal framework that gives the ICO the power to impose fines;
the circumstances in which the ICO would consider it appropriate to issue a penalty notice; and
how the ICO calculates the appropriate amount of the fine.
A few examples of Aria Grace Law CIC’s thoughts on the guidance are as follows:
1. Clarity on "linked" conduct
In response to the ICO’s question regarding comments on their approach to fines in case of multiple infringements by an organisation, we advocated for clearer guidance regarding “linked” conduct. This clarification is crucial to address the potential ambiguity arising from organisational operations and data protection principles. Specifically, we seek clarification on how the ICO distinguishes between separate infringements and “linked” conduct within the same organisation.
This is important as each infringement could incur penalties up to the statutory maximum, potentially resulting in a cumulative penalty exceeding the gravest infringement’s specified amount. A clearer representation of these concepts would provide much-needed clarity and guidance for organisations navigating data protection compliance.
2. Assessment of infringement seriousness
In response to the ICO’s question regarding comments on their approach to assessing the seriousness of an infringement, we recommended explicit reference to and examples of the various categories of data subjects affected, rather than solely focusing on the categories of personal data impacted. Our suggestion stemmed from the recognition that certain data subjects may be more vulnerable than others.
3. Resource consideration
In response to the ICO’s question about assessing aggravating and mitigating factors, we appreciated their acknowledgement of organisational size and resources, as well as processing nature and purpose. However, we recommended a clearer definition of “resources” and whether it refers to funds, employees, contractors and/or systems. We suggested clarity on penalties for organisations unable to afford dedicated personnel for functions like IT security or compliance officers due to limited resources.
We also questioned potential penalties for organisations unable to appoint a Data Protection Officer due to resource constraints despite their compliance commitment. These concerns highlighted the challenge of compliance amidst resource limitations, necessitating a balanced regulatory approach.
4. Clarifying mitigating factors
In response to the ICO’s question about comments on their approach to assessing the effectiveness, proportionality and dissuasiveness of fines, we offered insights regarding mitigating factors outlined in paragraphs 91 and 92.
Paragraph 91 of the ICO’s Guidance highlighted that bringing a violation to the ICO’s attention may be considered a mitigating factor. However, paragraph 92 clarified that this provision would not apply if an organisation were obligated to inform the ICO due to statutory requirements.
We suggested that the ICO provide examples in paragraph 91 to elucidate scenarios where organisations would voluntarily engage with the ICO regarding violations, excluding instances mandated by statute. By offering clarity on when such voluntary communication is expected, organisations can better understand the ICO’s expectations beyond statutory obligations.
5. Transparency and guidance
In response to the ICO’s question regarding comments on the section on “Circumstances in which the Commissioner would consider it appropriate to issue a penalty notice”, we proposed two key enhancements. We suggested the ICO consider referring to and providing examples of the different categories of data subjects affected, rather than only the categories of personal data affected.
We also recommended the incorporation of examples from previous enforcement actions, illustrating instances where the ICO identified aggravated and mitigating factors. By showcasing real-life examples, organisations can gain valuable insights into how the ICO assesses such factors, facilitating better compliance and risk management strategies.
6. Improving support for financial hardship
In response to the ICO’s question about comments on their approach to financial hardship, we suggested enhancements to better support organisations facing financial challenges. We recommended the ICO provide more detailed information on the types of payment plans available to organisations granted financial hardship. Many struggling organisations may lack the financial expertise to devise suitable payment plans independently. Examples of past payment plans, along with their structures (e.g., specific amounts due in different months), would offer valuable guidance.
Small organisations, particularly start-ups with cash-flow issues, would benefit from greater clarity on payment plans in the event of receiving a penalty notice. By providing comprehensive information and examples, the ICO can assist organisations in navigating financial hardship and ensure fair and manageable resolutions for all parties involved.
Next steps
As the ICO prepares to publish the final Guidance, Aria Grace Law CIC remains committed to supporting organisations in navigating the complexities of data protection laws and regulations. By engaging with the ICO on its draft Guidance and offering constructive feedback, we aim to contribute to the development of robust data protection practices that benefit organisations and individuals alike.
Contact us today at privacy@aria-grace.com for expert guidance on data protection laws and regulations, compliance strategies and personalised assistance. Let us help you safeguard your data and uphold best practices for privacy and security in your organisation.
Article by Lindsay Healy (Partner), Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 11 March 2024