The ICO exists to empower you through information.

We received 26 responses to the public consultation. Of these, 21 were made on behalf of organisations, three were from individuals acting in a professional capacity, and two were from individuals acting in a private capacity. 

A full list of respondents is provided, along with non-confidential versions of their responses (see List of Respondents).

Generally, the responses were positive, with many respondents welcoming the clarity the Fining Guidance brings and commenting on the reasonable and sensible approach that it takes. Several respondents also suggested changes and clarification or requested that additional examples be included.

In analysing these responses, we identified several key themes. We have summarised these themes below, and have also set out our responses to this feedback. 

The main changes that we have made in response to the feedback received during the consultation are to add additional explanation to clarify: 

    • the evidence the ICO is likely to consider when deciding whether a parent company has decisive influence over a controller or processor (paragraph 29 of the Fining Guidance); 
    • the ICO’s approach in circumstances where more than one infringement arises from the ‘same or linked’ conduct (paragraphs 41 and 42 of the Fining Guidance);
    • the ICO’s approach in circumstances where there are separate infringements arising from separate conduct (paragraph 45 of the Fining Guidance);
    • the evidence the ICO is likely to consider when assessing whether an infringement has been committed intentionally or negligently, including where there are joint controllers (paragraphs 67 and 69);
    • that a controller is still able to benefit from a mitigating factor based on action it has taken to mitigate the damage suffered by data subjects following a personal data breach, even if that mitigating action takes place after it has notified the ICO (paragraph 77); 
    • the use of management accounts or forecast figures for the purpose of calculating turnover where audited accounts are not available (paragraph 123); and 
    • the use of statutory information notices to obtain financial information, if necessary (paragraph 125). 

We appreciate that worked examples can be useful when reading guidance. However, we have not added additional illustrative examples to the Fining Guidance at this stage. We will consider doing so when we have experience of applying the guidance in practice and will keep this under review.

The final Data Protection Fining Guidance is available on the ICO website.