Ahead of the introduction of the General Data Protection Regulations (GDPR) in May 2018, guidance has been given about the application and setting of fines.
This guidance will determine how the Information Commissioner’s Office (ICO), the UK’s independent authority with responsibility for data protection, decide what level of fine to impose for a data breach.
The guidance is based on three key principles to help assess the appropriateness of a fine, discussed below, and ten criteria to help evaluate the size of the fine, which we will consider in future articles.
Appropriateness of fines
Once an infringement of the GDPR has been confirmed, the ICO must decide the most appropriate corrective measures to address the infringement, which might include issuing a fine. When using its powers, the ICO must observe the following principles:
Infringement of the GDPR should lead to the imposition of “equivalent sanctions”.
This means that the level of fines should be equivalent in all EU Member States, to ensure the fair application of GDPR. In practice, this may result in the ICO imposing fines that are high because it will have to take into consideration fines that have been imposed in other countries in the EU.
Fines should be “effective, proportionate and dissuasive”.
This means that fines should be an adequate response to the nature, gravity and consequences of the breach. A fine must also reflect its required outcome: for example, is an organisation being fined as punishment or are they expected to re-establish compliance with the rules – or both?
The ICO must make an assessment “in each individual case”.
The GDPR requires assessment of each case individually and fines are an important tool that the ICO should use in appropriate circumstances. The point is to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.
How large will a fine be?
We’ll look at the criteria the ICO will use in our next article.