The Information Commissioner’s Office (ICO) is consulting on new draft guidance about how we decide to issue penalty notices and calculate fines under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).
We refer to this new guidance as the draft Data Protection Fining Guidance. It explains:
- the legal framework that gives the Information Commissioner the power to impose fines;
- the circumstances in which the Information Commissioner would consider it appropriate to issue a penalty notice; and
- how the Information Commissioner calculates the appropriate amount of the fine.
We are seeking views on the draft Data Protection Fining Guidance. The consultation will run for eight weeks from 2 October to 27 November 2023. Details about how to respond to the consultation are set out further below.
The Data Protection Fining Guidance, when finalised, will replace the parts of the Regulatory Action Policy that explain our current approach to imposing and calculating fines. The following statutory guidance in the Regulatory Action Policy relating to fines will therefore remain in place:
- when we will allow oral representations following a notice of intent to issue a penalty notice;
- how we will proceed if the fine is not paid; and
- the guidance on fixed fines for failure to pay the data protection fee.
In due course, we plan to consult on new procedural guidance that will incorporate the other statutory guidance about regulatory action required by DPA 2018. The new procedural guidance will replace the statutory guidance currently set out in the Regulatory Action Policy. This consultation on the draft Data Protection Fining Guidance and any future consultation on new procedural guidance supersede the previous consultations about the ICO’s regulatory action policy and statutory guidance.
The draft Data Protection Fining Guidance is relevant to all controllers and processors. It does not change the ICO’s current approach to public sector enforcement, outlined by the Commissioner in June 2022.
The draft Data Protection Fining Guidance only applies in relation to fines imposed under UK GDPR and DPA 2018. It is not applicable to fines under the Privacy and Electronic Communications Regulations 2003.
Responding to the consultation
You can respond to the consultation in the following ways.
By responding to the questions in our online survey, available through this link: Draft ICO Data Protection Fining Guidance.
Alternatively, you can download the consultation questions Word document and either email your response to [email protected] (as a Word document or text-searchable PDF) or print your response and post it to:
DP Fining Guidance Team (Legal Service)
Information Commissioner’s Office
You do not need to answer every question. However, please provide supporting evidence for your views where appropriate.
The consultation will close on 27 November 2023. We may not consider responses submitted after this deadline.
Please state whether you are responding on behalf of an organisation, in your professional capacity or as a private individual. If you are responding on behalf of an organisation, please make it clear who you are representing and, where applicable, how the views of the members of the organisation were obtained.
If you have any questions about the consultation, please email: [email protected].
We will publish the responses to the consultation. This helps to make the consultation process more transparent, allowing people to more easily see how we have taken their views into account.
If your response contains any information that you regard as sensitive and would not wish to be published, please also provide a non-confidential version suitable for publication and explain why you regard the excluded information to be confidential. Alternatively, you may provide any information you consider to be confidential in an annex to your response.
If you are responding to the consultation on behalf of an organisation, we will publish the name of the organisation. If you are responding as an individual we will not publish your name unless you tell us you would like us to. However, if you are responding as an individual in your professional capacity, we may publish your job title – for example, ‘a response from a Data Protection Officer’. We will not publish individuals’ contact details, including addresses, telephone numbers or email addresses.
The ICO is subject to section 132 DPA 2018 in relation to confidentiality of information. However, any information we receive as part of a consultation may be subject to a freedom of information request under the Freedom of Information Act 2000. We will endeavour to contact you if we are asked to disclose information you have told us is confidential and not suitable for publication, so that we can take your views into account when assessing how we respond to the request.
After the consultation
We will carefully consider the responses we receive to the consultation and will take these into account in deciding whether any changes are necessary to the draft Data Protection Fining Guidance.