Following our recent article about the principles that will be considered when deciding whether to apply a fine for a GDPR infringement, this time we’re starting to look at the criteria that will be used to decide how large that fine might be.
There are ten assessment criteria* the ICO will need to reflect on: this article looks at criteria 1 to 4 and our next piece will consider the remaining points.
The criteria were developed to ensure that all the circumstances of each individual case are considered if a fine is to be imposed. It’s useful to note that the imposition of a fine does not rely on the ICO’s ability to prove that a data breach caused material loss; the breach or infringement in itself could be enough to warrant a fine.
Assessment criteria for imposing fines
1. The gravity and duration of a breach
The seriousness or gravity of the breach will be assessed by considering:
- The number of people involved
- The purpose of the processing
- The level of loss or harm people have suffered (if any)
- The duration of the breach
The duration of the infringement means just that: how long the activity went on for. Duration is considered because it may indicate wilful conduct on the organisation’s part, or a failure to take appropriate preventive measures.
2. The intentional or negligent character of the breach
In general, “intent” includes both knowledge and wilfulness in relation to an offence, whereas “unintentional” means that there was no intention to cause the breach.
Intentional breaches will be punished more severe than unintentional ones and therefore are more likely to attract a fine.
Breaches that could be considered intentional might include:
- Unlawful processing authorised explicitly by top management or in disregard for existing policies
- Amending personal data to give a misleading (positive) impression, e.g. about whether targets have been met
- The trade of personal data for marketing purpose i.e. selling data as ‘opted in’ without checking/disregarding peoples’ views about how their data should be used
Breaches that may be considered negligent might include;
- failure to read and abide by existing policies, or to adopt appropriate new policies
- human error
- failure to check for personal data in information published or
- failure to apply technical updates in a timely manner.
It’s worth noting here that a shortage of resources will not be an acceptable reason for explaining a breach.
3. Any action taken by an organisation to mitigate loss or harm
When a breach occurs, and someone has suffered damage, the organisation responsible should do whatever they can do to reduce the consequences of the breach for those concerned. Such responsible behaviour (or the lack of it) will be taken into account by the ICO.
4. The degree of responsibility of the organisation
The GDPR has introduced a far greater level of accountability in comparison with the Data Protection Act 1998. This degree of responsibility will be assessed by asking
- Has the organisation implemented technical and organisational measures that follow the principles of data protection by design or by default at all levels of the organisation?
- Has the organisation implemented an appropriate level of security?
- Are the relevant data protection policies known and applied at the appropriate level of management in the organisation?
There are 6 further criteria the ICO must consider; we will look at these in a future article.
*The GDPR (Article 83 (2)) provides a list of criteria the ICO is expected to use in the assessment both of whether a fine should be imposed and of the amount of the fine.