This final of three articles continues from our previous pieces looking at the criteria the ICO will consider when deciding whether to impose a fine under GDPR, and how large that fine might be. Last time, we looked at the first four of the ten criteria* GDPR includes so now we turn to the others.
The assessment criteria for imposing fines are:
5. Any relevant previous breaches
To establish the ‘track record’ of the organisation committing the breach, the ICO can consider any previous breaches, even if different in nature to the type of breach being investigated now. It could indicate a general level of insufficient knowledge, or disregard for the data protection rules.
The ICO will assess:
Has the organisation committed the same breach earlier?
Has the organisation committed a breach in the same manner? (for example, because of insufficient knowledge of existing routines, or inappropriate risk assessment, as the result of unjustified delay in responding to requests and so on).
6. The degree of cooperation with the ICO or actions taken to mitigate the breach
A cooperative organisation is likely to be looked on more generously than an organisation who is not. Where action by the organisation has prevented or limited negative consequences for those affected, this could also be considered.
7. The categories of the personal data affected by the breach
The ICO will be considering factors such as:
Does the breach concern processing of special categories of data?
Is the data directly identifiable/ indirectly identifiable?
Does the processing involve data whose dissemination would cause immediate damage/distress to the individual?
Is the data directly available without technical protections, or is it encrypted?
8. The way the breach became known to the ICO
In other words, did the organisation report the breach quickly and fully or did the ICO become aware of breach because of an investigation, complaints, articles in the press or anonymous tips?
Organisations have an obligation under the GDPR to notify the ICO about personal data breaches so ‘fessing up’ is not viewed as a mitigating factor. However, not reporting a breach – or not disclosing the extent of it – is likely to ensure the ICO view it more seriously than they may otherwise have done.
9. Adherence to approved codes of conduct
Where an organisation has adhered to an approved code of conduct, for example that of a professional body or membership organisation, this may be taken into account by the ICO.
For example, if the professional body takes action against the organisation who committed the breach, the ICO may be satisfied with this as appropriate sanction. However, the ICO is under no obligation to consider other sanctions and may still impose its own.
10. Any other factors
This might include any aggravating or mitigating factors applicable to the particular breach, such as financial benefits gained, or losses avoided, directly or indirectly.
Information about profit obtained as a result of a breach may be particularly important. If an organisation has profited from the breach, this may be a strong indication that a fine should be imposed.
For more advice on how GDPR will be applied, please contact us.
*If you want to read the details, the GDPR (Article 83 (2)) provides a list of criteria the ICO is expected to use in the assessment both of whether a fine should be imposed and of the amount of the fine.