General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom , Geo-Specific
Data Protection Fines: UK Privacy Watchdog Updates Guidance
Regulator Emphasizes Upside of Transparency, Downside of Intentional InfringementAfter suffering a data breach, organizations in the United Kingdom that work closely and transparently with regulators and cybersecurity officials will be treated with greater leniency if their case results in penalties and a fine.
See Also: Expert Panel | Data Classification: The Foundation of Cybersecurity Compliance
That's what the Information Commissioner's Office said in new guidance that details the legal framework through which the ICO assess penalties and impose fines.
The goal for publishing the updated information is to "provide certainty and clarity for organizations" about how the ICO's decision-making process functions, including how - and when - any penalties and fines might be assessed, said Tim Capel, the director of legal service at the ICO.
"From a cyber perspective, there are some interesting clarifications," says a blog post by attorney Ellie Ludlam of Pinsent Masons, who specializes in cyber, privacy and technology. "For example, the guidance sets out what the ICO would consider to be negligent, which specifically includes a failure to apply updates."
The regulator said its new guidance doesn't reflect a "mechanistic" approach and its penalty assessment "involves evaluation and judgement, taking into account all the relevant circumstances of the individual case."
Relevant circumstances include the seriousness of the breach, including any negligence or intentional infringement. Besides failing to apply technical updates in a timely manner, negligent behavior can also include "failing to adopt policies aimed at ensuring compliance with data protection law," failing to understand or follow those policies, or any General Data Protection Regulation or Data Protection Act violations that result from human error, especially if anyone involved "had not received adequate training on data protection risks."
The ICO said it also assesses whether or not a data breach involves "particularly sensitive" data, which if disseminated "is likely to cause damage or distress to data subjects." Examples of such data include location data, financial data, private communications - "particularly those involving intimate details or confidential information about the data subject" - and identification documents, such as passports and driver's licenses.
The more sensitive the exposed information, the more serious the breach.
If that's the stick, here's the carrot: The regulator said that when calculating the amount of any fine to be imposed, it will take into account if the breached organization actively worked to "mitigate the damage suffered by data subjects" and cooperated with the ICO.
Other factors working in a breached organization's favor include engaging and cooperating with any other relevant body besides the ICO - such as the country's National Cyber Security Center -beyond what the law requires and following "any advice or guidance provided." The breached organization must also "demonstrate and provide evidence of the steps it has taken to follow any such advice or guidance."
Under GDPR, the ICO has the power to fine organizations that break the law up to 437.5 million pounds - $553 million - or up to 4% of their annual global revenue, whichever is greater. In its updated guidance, the ICO said that if the organization is fully or nearly fully owned by another entity, it would typically base the fine on the parent company's annual revenue.
To determine how much an organization is fined, the ICO said, it first assesses severity, according to the ICO, the most serious fines have a starting point of 20% to 100% of the maximum amount possible. The fines for medium-severity incidents start at 10% to 20%, and fines for a lower degree of seriousness range from 0% to 10%.
As the guidance "covers small businesses to multinational corporations, as well as public bodies and not-for-profit organizations," the ICO said, it also takes into account an organization's size and annual revenue when determining the amount of the fine.
The regulator said the intention is "to ensure that the amount of any fine is effective, proportionate and dissuasive."
The ICO's updated guidance follows its public consultation on the proposed changes, which it held at the end of 2023.