The Information Commissioner's Office (ICO) is running a consultation on its Draft Data Protection Fining Guidance, which closes at the end of this month.

It is widely accepted that no organisation can completely guard against a data breach, and that a cyber attack is usually a matter of when, not if. While the ICO recognises this, if it finds that an organisation failed to implement appropriate technical and organisational measures to protect personal data, it has the power to impose fines of up to £17.5m, or four per cent of annual global turnover, whichever is higher.

ICO fines in relation to data breaches have figured prominently in the news recently, including:

  • British Airways was fined £20m in 2020 (reduced substantially from the £183m the ICO originally intended to impose) for security failings exposed by a cyber attack it suffered in 2018.
  • Marriott International was fined £18.4m in 2020 (reduced from £99m) after a cyber attack exposed more than 339 million guest records.
  • TikTok was fined £12.7m this year for misuse of children's data under the UK GDPR (and was also hit with a €345m fine from the Irish data regulator).

These examples show how important it is that organisations have clear guidance on how fines are imposed and calculated. They also demonstrate that the ICO is open to reducing fines where clear mitigating factors can be identified.

What is the ICO consultation about?

The consultation seeks views on the ICO's proposed Data Protection Fining Guidance, which sets out how the ICO imposes fines. In particular, the draft guidance addresses:

  • the legal framework that gives the Information Commissioner the power to impose fines;
  • the circumstances in which the Information Commissioner would consider it appropriate to issue a penalty notice; and
  • how the Information Commissioner calculates the appropriate level of the fine, including the aggravating and mitigating factors which are applied.

Once the new guidance is finalised, this will replace the parts of the ICO’s Regulatory Action Policy which deal with imposing and calculating fines.

The consultation runs for eight weeks from 2 October and will formally close on 27 November 2023.

Responses can be submitted via the ICO's online survey: Introduction: Data Protection Fining Guidance (smartsurvey.co.uk).
