ICO seeks feedback on its draft fining guidance

When calculating an appropriate level of a fine, the ICO starts with an assessment of the seriousness of the infringement, taking into account all the relevant circumstances of the individual case. There is no pre-set ‘tariff’ of starting points for different types of infringement, the ICO says, but it has issued figures that are the starting amount for the fines based on the seriousness of the infringement.

The ICO expands on its thinking about mitigating and aggravating factors when deciding on the level of a fine. Aggravating factors include any economic or financial benefit obtained as a result of the infringement.

“If a controller or processor profits from an infringement, the Commissioner is likely to give this significant weight as an aggravating factor. In order to be effective, proportionate and dissuasive, any fine should ensure that controllers and processors are not in a position to make a profit or otherwise benefit financially from infringing data protection law. The Commissioner is therefore likely to investigate any economic or financial benefits that may have accrued to the controller or processor, including costs saved from any failure to invest in appropriate measures. The Commissioner recognises that in some cases it may not be possible to precisely quantify any such benefits,” the ICO says.

The ICO may give weight to a controller’s or processor’s engagement and cooperation with another appropriate body as a mitigating factor, especially in terms of cyber security and notifications to the National Cyber Security Centre. The ICO also lists many other examples of aggravating and mitigating factors, including adherence to Codes of Conduct.

See: Draft Data Protection Fining Guidance