We are currently consulting on this draft guidance.
- Section 155 DPA 2018 requires the Commissioner to consider whether issuing a penalty notice for an infringement is, in each case, effective, proportionate and dissuasive. 79
- In this context:
-
- ‘Effective’ means that imposing a fine achieves the objective of ensuring compliance with data protection legislation or providing an appropriate sanction for the infringement (or both).
- ‘Proportionate’ means that imposing a fine does not exceed what is appropriate and necessary in the circumstances to meet those objectives. In considering whether imposing a fine is proportionate, the Commissioner will take into account all the relevant circumstances, including:
- the seriousness of the infringement;
- the harm or other impact on data subjects; and
- the controller or processor’s size and financial position.
- ‘Dissuasive’ means that imposing a fine is a genuine deterrent to future non-compliance. The intention behind ensuring fines are ‘dissuasive’ is to promote compliance with data protection legislation. There are two aspects to deterrence in this context. First, there is a need to deter the controller or processor that is the subject of the fine from engaging in same infringing conduct again (referred to as ‘specific deterrence’). Second, there is a need to deter others from committing the same infringement in the future (referred to as ‘general deterrence’).
- The Commissioner’s decision about whether to issue a penalty notice is a matter of evaluation and judgement. There is a degree of overlap between the concepts of effectiveness, proportionality and dissuasiveness. In making the decision, the Commissioner will first consider whether issuing a penalty notice is effective and dissuasive, before then considering whether it is proportionate to do so. As explained in Calculation of the appropriate amount of the fine below, the Commissioner will also have regard to effectiveness, proportionality and dissuasiveness in deciding on the appropriate fine amount.
- The Commissioner will, in particular, consider the importance of imposing a fine only when it is needed and that any action taken is proportionate. In considering whether issuing a penalty notice and the fine amount is effective, proportionate and dissuasive, the Commissioner will have regard to the desirability of promoting economic growth, as required under section 108 of the Deregulation Act 2015. However, the Commissioner is mindful that the growth duty does not legitimise non-compliance with data protection law. 80 Non-compliant activity or behaviour undermines protections to the detriment of people as both data subjects and consumers. It also harms the interests of legitimate businesses that are working to comply with data protection law, which disrupts competition and acts as a disincentive to invest in compliance. 81
79 In relation to UK GDPR see section 155(2)(a) and Article 83(1) UK GDPR; in relation to Part 3 and Part 4 DPA 2018 see section 155(3)(l) DPA 2018.
80 Department for Business, Energy & Industrial Strategy, Growth Duty: Statutory Guidance under section 110(6) of the Deregulation Act 2015, paragraph 1.5.
81 Department for Business, Energy & Industrial Strategy, Growth Duty: Statutory Guidance under section 110(6) of the Deregulation Act 2015, paragraph 1.4.