Organisations which find themselves in breach of GDPR have finally been given the inside track on how the Information Commissioner’s Office calculates fines, although those hoping for a simple solution could be left scratching their heads.
The “fine calculator” is set out in the ICO’s consultation on draft statutory guidance, launched earlier this month; the guidance is only in draft form at this stage. The consultation closes on November 12 2020.
The ICO’s draft guidance sets out nine steps which it will factor into the calculation of a fine for non-compliance with GDPR, including seriousness, culpability, aggravating and mitigating factors, economic impact and dissuasiveness.
These steps will be applied to all GDPR fines, which come in two levels: the “standard maximum amount” is €10m or 2% of annual global turnover (whichever is greater) and the “higher maximum amount” is €20m or 4% of annual global turnover (whichever is greater).
However, there are three steps that will be considered initially to enable the ICO to identify its “starting point”.
The seriousness of the incident: Factors including the nature, gravity and duration of the failure; any action taken by the data controller or processor to mitigate the damage suffered by individuals; the degree of cooperation with the ICO; and the way the breach became known to the ICO, including whether the data controller or processor self-reported the incident.
Culpability: The ICO will also take into account whether the breach was intentional or negligent, and the degree to which the organisation knew of, or disregarded, its responsibilities.
Turnover: The ICO will review relevant accounts and obtain financial or accountancy advice if required, to determine the amount of turnover (or its equivalent for non-profit organisations, such as the annual revenue budget, and the financial means of individuals).
Where turnover is minimal, the ICO will give greater weight to other factors, such as dissuasiveness, particularly where there is a serious breach. Where there is a lack of cooperation in providing financial information, the regulator will rely on the information available or otherwise give greater weight to factors such as aggravating features.
Once the “starting point” has been identified, the ICO will then apply other factors to reach the final level of the fine.
These include: aggravating and mitigating factors, such as financial benefits gained, or losses avoided, directly or indirectly, from the breach; financial means, including the likelihood of the organisation being able to pay the proposed penalty and whether it may cause undue financial hardship; and the economic impact on the wider sector.
In addition, the ICO will ensure the amount of the fine proposed is effective, proportionate, and dissuasive and will adjust it accordingly.
Finally, the regulator will slash the monetary penalty by 20% if it receives full payment within 28 calendar days. However, this discount is not available if organisations appeal the fine at the First-tier Tribunal.
Commissioner Elizabeth Denham said: “The primary role of my office is to protect the rights and freedoms of individuals in the digital age, and this draft guidance explains how my office will achieve this.
“It sets out our proportionate approach to regulatory action, yet details the robust action we will take against those that flout the law.”
One industry insider commented: “If this calculator is supposed to make it easy to work out how much you might get fined for a serious GDPR breach, I’m a monkey’s uncle. It makes Rubik’s Cube look simple.”
Others will no doubt question what all the fuss is about. After all, the ICO has only issued one fine under GDPR – a £275,000 penalty for London-based pharmacy Doorstep Dispensaree – since the legislation came into force in May 2018.
Proposed fines against British Airways and Marriott International, totalling £282m, look no closer to being levied following a fifth delay to the final rulings.