The Privacy Advisor | Revisiting EDPB, ICO approaches to administrative fines


In July 2023, the European Data Protection Board's then-recently published guidelines on the calculation of fines raised the question of what would come next for the U.K., since they created a disparity between the guidance available at the EU level and that available in the U.K. Under Section 160 of the Data Protection Act 2018, the U.K. Information Commissioner's Office must issue guidance on how it will calculate penalties, and once issued, it is bound to follow that guidance or risk procedural challenges before the Tribunal or by way of judicial review. On 2 Oct., the ICO opened a consultation on its draft guidelines. Looking at the level of detail and practical guidance set out in the ICO draft guidelines, it is clear the ICO has sought to align with certain elements of the EDPB guidelines and has taken account of feedback and criticism received in its earlier consultations.

Alignment with the EDPB guidelines

The U.K. General Data Protection Regulation remains aligned with the EU GDPR post-Brexit, so several elements are similar to those set out in the EDPB's guidelines: the maximum amounts of fines (Article 83 U.K. GDPR and Section 157 DPA 2018); the factors that must be considered when determining whether to issue a penalty notice and the amount of the fine (Articles 83(1) and (2) U.K. GDPR for processing that falls under the U.K. GDPR, or Section 155(3) DPA 2018 for processing that falls under Parts 3 and 4, or for a failure to comply with an information notice, assessment notice or enforcement notice); the position on the concept of an "undertaking"; and the treatment of a plurality of actions.

One point to note is that the ICO flagged it does not consider itself bound by its previous decisions, but that it will ensure there is broad consistency in the approach taken when assessing whether issuing a penalty notice is appropriate. This may be explained by a desire to protect previous penalties issued under the existing penalty framework from retrospective criticism where they appear more severe than would have been the case under any new guidance.

Gravity of infringement

Similarly to the EDPB guidelines, the ICO draft guidelines set out that when assessing the gravity of the infringement, the ICO will consider the nature, scope and purpose of the processing, as well as the number of data subjects affected and the level of damage they suffered. In terms of the nature of processing, the ICO notes it may give more weight to various factors if the nature of the processing is likely to result in a high risk to data subjects, taking into account the commissioner's published guidance. The ICO provides examples of high-risk processing operations:

  • The application of new or innovative technology.
  • Automated decision-making.
  • The use of biometric or genetic data.
  • Monitoring or tracking.
  • Invisible processing.

The ICO draft guidelines note the commissioner may also give more weight to this factor where there is a clear imbalance of power between the data subjects and the controller; the processing involves children's personal data; or the processing involves personal data of other vulnerable people who need extra support to protect themselves. While not necessarily intended to set out enforcement priorities, the factors listed are a useful insight into areas the ICO considers most serious and therefore, by extension, areas where they would be most likely to consider it appropriate to take action.

Level of damage suffered

Notably, the ICO draft guidelines set out examples of actual or potential harm to data subjects as being physical or bodily harm, physiological harm, economic or financial harm, discrimination, reputational harm or loss of human dignity; and that in carrying out the assessment of the level of damage, the ICO will take into account the fact that some harms are more readily identifiable, for example, financial loss or identity theft, whereas some others are less tangible, for example, distress and anxiety or loss of control over personal data; and where an infringement affects a large number of data subjects, it may result in a high degree of damage in aggregate and give rise to wider harm to society, even if the impact on each person affected is more limited.

Also, it is important to highlight that the ICO draft guidelines note that the level of damage suffered by data subjects will be limited to what is necessary to evaluate the seriousness of the infringement and that "Typically, it would not involve quantifying the harm, either in aggregate or suffered by specific people. It is also without prejudice to any decisions a UK court may make about awarding compensation for damage suffered."

Intentional or negligent character of the infringement

The ICO draft guidelines provide helpful examples of circumstances the ICO considers may indicate an intentional infringement, notably where senior management authorized the unlawful processing; or a controller or processor carried out the processing despite advice about the risks involved or with disregard for its existing internal policies.

Examples of relevant evidence considered by the ICO when assessing negligence include:

  • Failure to adopt policies aimed at ensuring compliance with data protection law.
  • Failure to read and abide by its existing data protection policies.
  • Infringing the U.K. GDPR or DPA 2018 through human error, particularly where the person (or people) involved had not received adequate training on data protection risks.
  • Failure to check for personal data in information that is published or otherwise disclosed.
  • Failure to apply technical updates in a timely manner.

Categories of personal data affected by the infringement

When assessing seriousness, the ICO draft guidelines note the following types of data likely to cause damage or distress to data subjects: location data, private communications (particularly those involving intimate details or confidential information about the data subject), passport or driving license details or financial data.

Calculation of the appropriate fine

The ICO draft guidelines set out a five-step approach similar to that of the EDPB guidelines, with similar starting amounts for fines once the seriousness of the infringement has been considered. Namely, for the most serious infringements the starting point is between 20-100% of the legal maximum; for infringements with a medium degree of seriousness, between 10-20%; and for infringements with a low degree of seriousness, between 0-10%. The ICO notes there is no pre-set tariff of starting points for different types of infringement, and the assessment of seriousness will take into account the nature, gravity and duration of the infringement; whether it was intentional or negligent; and the categories of personal data affected.

Next steps

The proposed guidance has been a long time coming, with consultations taking place over previous years and the requirement for detailed guidance in this area arguably stretching back to the introduction of the EU GDPR in 2018. In fairness, the EDPB took a similar amount of time to develop its own guidance, which indicates how difficult it is to reach a position that provides an appropriate level of legal certainty while allowing sufficient flexibility to deal adequately with all potential circumstances. What the proposed guidance indicates is a desire not to depart radically from the European approach without good reason.

The EDPB guidance is a well-reasoned and developed process, and it is unsurprising that the ICO would adopt a process that is similar in many respects. As to the specific approach the ICO is likely to take in future enforcement action, there are, as noted above, some interesting indications of the areas the regulator considers the most serious. Combined with the way penalties are minimized for low-level matters and smaller entities and maximized at the top end of the scale, our reading is that significant penalties are in future more likely to be reserved for the most serious breaches. Such cases will in turn attract significant pushback and legal challenge, which makes following the guidance that is eventually implemented closely and accurately vitally important.

The ICO has of late been relatively quiet in pursuing significant enforcement action; one wonders whether the lack of a finalized penalty-setting guidance document is a factor in that situation, and whether it will change once the guidance is finalized and adopted.
