What’s this all about?
The UK data protection regulator the Information Commissioner’s Office (“the ICO”) recently started a consultation concerning new draft guidance about fines (“the draft Guidance”), which this article looks at in brief.
What’s in the draft Guidance in a nutshell?
The ICO is consulting on new draft guidance about how it decides issuing penalty notices and calculating fines under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The draft Guidance is not applicable to fines under the Privacy and Electronic Communications Regulations 2003. The draft Guidance sets out the following:
- The legal framework that gives the ICO the power to impose fines;
- The circumstances in which the ICO would consider it appropriate to issue a penalty notice; and,
- How the ICO calculates the appropriate amount of the fine.
What about the ICO’s Regulatory Action Policy?
When it is finalized the draft Guidance will replace the parts of the ICO’s Regulatory Action Policy that explains its current approach to imposing and calculating fines. According to the ICO, the following statutory guidance in the Regulatory Action Policy relating to fines will remain in place:
- When the ICO will allow oral representations following a so-called “Notice of Intent” to issue a penalty notice;
- How the ICO will proceed if a fine is not paid; and
- The guidance on fixed fines for failure to pay the data protection fee.
How can the consultation be responded to?
The ICO is seeking views on the draft Guidance which must be responded to by 27 November 2023; the ICO may not consider responses submitted after this deadline.
The consultation can be responded to in the following ways.
- Either, by responding to the question in its online survey, available through this link here: https://www.smartsurvey.co.uk/s/04TIS4/;
- Or, by downloading the consultation questions in a Word document and either emailing them to dpfiningguidance@ico.org.uk (as a Word document or text-searchable PDF) or by print the response and posting it to: DP Fining Guidance Team (Legal Service), Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
According to the ICO, not every question needs to be answered. The ICO is also requesting to be provided with supporting evidence for views where appropriate. Further, the ICO is asking that those responding state whether they are responding on behalf of an organization (making it clear who is being represented and, where applicable, how the views of the members of the organization were obtained), or in a professional capacity, or as a private individual.
Resources
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The ICO consultation can be found here: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-draft-data-protection-fining-guidance/. If there are any questions about the consultation they can be sent by email here: dpfiningguidance@ico.org.uk. The draft guidance itself can be found here: https://ico.org.uk/about-the-ico/what-we-do/draft-data-protection-fining-guidance/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 347 2365 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |