Handley Gill
LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

It’s a fine life

Given that the Information Commissioner has issued just 2 monetary penalty notices for breaches of the GDPR, UK GDPR or Data Protection Act 2018 (as opposed to the Privacy and Electronic Communications Regulations 2003) in 2023, and its most recent monetary penalty notice in 2022 has been overturned, one might be forgiven for thinking that the ICO’s consultation on revising elements of its 2018 Regulatory Action Policy relating to when the issue of a penalty notice is appropriate and its approach to calculating any fine is leading us all on a merry dance.

Nevertheless, the Information Commissioner consulted on its draft Data Protection Fining Guidance between 02 October and 27 November 2023.

Handley Gill Limited submitted its response to the Information Commissioner’s draft Data Protection Fining Guidance consultation.

In our response we:

  • raised concern regarding the potential retrospective impact of the guidance;

  • implored the Information Commissioner to take into account the public interest in processing activities as well as potential harm;

  • identified a number of instances where too low a threshold of what constitutes harm was proposed to be relied upon;

  • argued that the Information Commissioner’s proposed approach to the assessment of the seriousness of an infringement could result in undue weight being placed on certain considerations due to duplication;

  • rejected attempts to categorise human error as providing sufficient evidence of negligence;

  • called for co-operation with the police to be recognised as a relevant mitigating factor;

  • sought the reflection within the guidance of the Information Commissioner’s position that the payment of a ransom will not constitute relevant mitigation; 

  • welcomed the Information Commissioner’s recognition that a failure to enforce data protection law has anti-competitive consequences and a dissuasive impact on compliance; and,

  • cautioned against an approach to penalties which suggests that in many cases where a fine was initially considered appropriate, the nature of fine and size of business could result in no fine even in the absence of any mitigation.

You can read our response to the Information Commissioner’s consultation on the draft Data Protection Fining Guidance.

If your organisation has suffered a data breach or is threatened with a finding of unlawful processing and requires advice and representation in connection with potential or actual regulatory enforcement action by the Information Commissioner, contact us.

Nicola CainData Protection, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DPA 2018, DATA PROTECTION ACT 2018, Data enforcement, Penalty Notice, Monetary Penalty Notice, MPN, Administrative fine, Regulatory Action Policy, Regulatory Enforcement, Article 83 UK GDPR, Section 155 Data Protection Act 2018, S.155 DP 2018, Consultation Response, Data Protection Fining Guidance, Information Commissioner, Information Commissioner's Office, ICO, Undertaking, Data Protection Harms, ICO Taxonomy of Data Protection Harms, ConsultationComment