Hunton Andrews Kurth writes:
On March 18, 2024, the UK Information Commissioner’s Office (“ICO”) published new data protection fining guidance on how the ICO determines penalties and calculates fines. The guidance was subject to a consultation process in 2023, and covers a variety of topics and considerations relevant to penalties and fines, including:
- The ICO’s approach to fines where there has been more than one infringement by a controller or processor. In this respect, when the ICO finds that the “same or linked processing operations” infringe on more than one provision of the UK General Data Protection Regulation, the overall fine imposed must not exceed the maximum statutory amount that applies to the most serious of the individual infringements identified.
- The circumstances in which the ICO would consider it appropriate to issue a penalty notice. In carrying out its assessment, the ICO will consider: (1) the seriousness of the infringement, taking into account its nature, gravity and duration, whether it was intentional or caused by negligence, and the categories of personal data affected; (2) any relevant aggravating or mitigating factors, such as any action taken to mitigate the damage suffered by the relevant data subjects, any previous infringements, and the degree of cooperation with the ICO; and (3) whether imposing a fine would be effective, proportionate and dissuasive.
Read more at Privacy & Information Security Law Blog.