ICO Muscle Flexing – Draft Guidance on Regulatory Action

Recent months have seen the media awash with warnings of the heightened data breach risks as many of us adapt to working from home. What an opportune moment then for the ICO to publish for consultation its draft guidance on how it will regulate and enforce data privacy laws in the UK post-Brexit, including issuing penalty notices for such breaches. Once finalised, the guidance will complement the ICO’s Regulatory Action Policy, setting out the watchdog’s approach to the use of its regulatory tool kit and the punitive power it wields.

The draft guidance could easily be described as an amalgamation of ICO guidance which is already available in the public domain. There is no paucity of information on the ICO’s website about how it issues enforcement notices and orders. Once finalised (anticipated after 31 December 2020), the new guidance should make it easier for firms and individuals to understand how the ICO will deal with them should they breach UK data privacy legislation.

Financial Penalties – Nine Step Calculation

So what is new? As well as setting out when and how the regulator will deploy assessment and enforcement notices, the ICO proposes a “nine step mechanism” to determine penalty levels. The penalty decision will be made by an appropriate person within the regulator’s ranks, taking the following into consideration: the seriousness of the contravention; the degree of culpability of the organisation concerned; the ICO’s determination of turnover; any aggravating or mitigating factors or both; the means of the organisation to pay; the economic impact; the effectiveness, proportionality and dissuasiveness of any penalty; and finally, any early payment reduction.

The factors above will be folded into a “nine step mechanism” to determine the final penalty amount:

  1. Assessment of seriousness
  2. Assessment of degree of culpability
  3. Determination of turnover
  4. Calculation of an appropriate starting point
  5. Consideration of relevant aggravating and mitigating features
  6. Consideration of financial means
  7. Assessment of economic impact
  8. Assessment of effectiveness, proportionality, dissuasiveness
  9. Early payment reduction

The way the ICO has proposed to deal with step four – calculating an appropriate penalty starting point – is interesting. It proposes a broad range of such starting points from 0.125% of a firm’s turnover for a low degree of culpability to 3% for a high degree of culpability. By this the ICO intends to make clear to data controllers and processors the process by which it will calculate penalties, giving welcome certainty in an otherwise principles-based regulatory regime.

In the face of the current economic downturn the financial climate for companies is already looking difficult. The last thing they would want is a hefty fine for a data breach. The ICO claims in the draft guidance that its approach is designed to create an environment in which data subjects are protected, while ensuring businesses are able to operate and innovate efficiently in the digital age. The ICO has also promised that it will be a “pragmatic and proportionate” regulator during the Covid-19 pandemic. While not loosening its grip completely, it has suggested that it will exercise some leniency during this time. The draft guidance goes some way to providing all parties with a degree of confidence in navigating the future. In the meantime, firms will do well to ensure that their data security programmes and systems are fully compliant with their data protection obligations to ensure they are able to meet the regulatory challenges ahead.


About the author:

Guevara Leacock is a legal assistant specialising in all aspects of white-collar crime; corporate investigations; dispute resolution; and regulatory law. He has been involved in matters concerning the FCA, HMRC, SFO, Private Prosecutions, Directors’ liability and Extradition.