What are the fines for infringement?

Under the Data Protection Act 2018 (UK GDPR), if a business, whether a controller or a processor, infringes the UK GDPR, it could be liable for a substantial fine and could also potentially have to pay compensation to data subjects who have suffered material or non-material damage as a result of the infringement.

The ICO also has the following powers:

  • Investigative – for example, the ICO can carry out data protection audits on controllers or processors, and obtain access from a controller or processor to all necessary personal data and information for it to undertake its tasks.
  • Corrective – for example, the ICO can issue warnings to controllers or processors that their intended processing operations are likely to infringe the UK GDPR, or impose a temporary or definitive limitation including a ban on processing.

Turning back to the fines. The UK GDPR has two levels of fine, depending on which provisions of the UK GDPR you fail to comply with:

  • the greater of £8.7m (€10m) or 2% of your total worldwide annual turnover in the preceding financial year (e.g. infringing your obligations relating to (i) data protection by design and default, (ii) the content of your contracts with processors, and (iii) personal data breaches and notifications) or
  • the greater of £17.4m (€20m) or 4% of your total worldwide annual turnover in the preceding financial year (e.g. infringing (i) your obligations relating to obtaining consent from data subjects to process their personal data, (ii) data subjects' rights and (iii) transferring personal data outside the UK).

A controller or processor that can prove that it is in no way responsible for the event giving rise to the damage will be exempt from liability.

If you do end up on the wrong side of the UK GDPR, the following will be taken into account by the ICO when deciding whether to impose an administrative fine and, if so, how much:

  • the nature, gravity and duration of the infringement, taking into account:
    • the nature, scope or purpose of the processing
    • the number of data subjects affected and
    • the level of damage suffered by the data subjects
  • the intentional or negligent character of the infringement
  • any action taken by you to mitigate the damage suffered by data subjects
  • the degree of your responsibility taking into account technical and organisational measures that you have implemented in relation to data protection by design and security
  • any relevant other UK GDPR infringements
  • your cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • the categories of personal data affected by the infringement
  • the manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, you notified the ICO
  • if the ICO has issued previous warnings or reprimands to you in relation to the same subject-matter, whether or not you have complied with those measures
  • if you adhere to any approved codes of conduct or certification mechanisms and
  • any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The UK GDPR requires the ICO to ensure that ‘imposition of administrative fines …. shall in each individual case be effective, proportionate and dissuasive’.

In addition, if you intentionally or negligently, for the same or linked processing operations, infringe several provisions of the UK GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

ICO Regulatory Action Plan

The ICO has produced a Regulatory Action Plan which, amongst other things, seeks to “set out the nature of the ICO’s various powers in one place and to be clear and consistent about when and how we use them” as well as “ensure that we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected”. 

The plan sets out when the ICO will issue information, assessment, enforcement notices and penalty notices. In relation to penalty notices, under which fines are issued, the ICO intends to use these for the most severe breaches, which typically involve “wilful, deliberate or negligent acts, or repeated breaches of information rights obligations, causing harm or damage to individuals”. However, the ICO states that its “risk-based approach” means that it is “more likely that a penalty will be imposed where, for example:

  • a number of individuals have been affected
  • there has been a degree of damage or harm (which may include distress and/or embarrassment)
  • sensitive personal data has been involved
  • there has been a failure to comply with an information notice, an assessment notice or an enforcement notice
  • there has been a repeated breach of obligations or a failure to rectify a previously identified problem or follow previous recommendations
  • wilful action (including inaction) is a feature of the case
  • there has been a failure to apply reasonable measures (including relating to privacy by design) to mitigate any breach (or the possibility of it) and
  • there has been a failure to implement the accountability provisions of the UK GDPR”.

The ICO issued its first enforcement notice under the UK GDPR against AggregateIQ Services Ltd (a Canadian company located outside the EU) to require it to stop processing retained UK citizen personal data in the wake of the misuse of data analytics for political purposes during the EU Referendum.

The ICO’s regulatory plan achieves its aim to be “effective, proportionate, dissuasive and consistent” in its “approach of sanctions, targeting our most significant powers .. for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data, and where formal regulatory action serves as an important deterrent to those who risk non-compliance with the law.” The ICO’s intention is not to constrain “commercial enterprise … by red tape, or concern that sanctions will be used disproportionately”, but it makes it clear that it will be “as robust as we need to be in upholding the law”.

What should businesses do?

Take note of the ICO’s regulatory plan when building, implementing and maintaining your internal and external GDPR compliance measures.  The ICO’s fines are not, and never have been, reserved for large corporates with deep pockets. 

Individuals are also much more aware of their data protection rights and this is evident from the number of data subject access requests that have been made since the UK GDPR came into effect.  It’s not just the ICO that you need to be conscious of.

Invest your time, effort and money in compliance now – infringing the UK GDPR will damage your reputation and brand in a heartbeat.

If you would like any further guidance on the ICO’s enforcement powers, or the UK GDPR generally, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.