The Fining Guidance sets out how the ICO will take into account any relevant aggravating or mitigating factors.
Summary of responses
One respondent stated that the Fining Guidance gives the impression that the ICO will view most factors as aggravating or neutral, and that it would be difficult for organisations to demonstrate that their conduct meets the standard required to be considered a mitigating factor.
One respondent asked whether the ICO would consider either: (i) investment in comprehensive cyber insurance or (ii) a third party provider being the cause of the breach to be mitigating factors.
One respondent suggested that, where an organisation has a previous history of compliance, this should be considered to be a mitigating factor. Similarly, another respondent suggested that the data protection culture of an organisation should be included as a separate aggravating or mitigating factor.
One respondent noted that the reference in paragraph 98 of the draft Fining Guidance to evidence of a failure to adhere to an approved code of conduct or certification mechanism as being relevant to the assessment of intentional or negligent conduct may result in this factor being double counted and afforded undue weight.
Another respondent suggested that the Fining Guidance should make it clear that action to mitigate the damage suffered by data subjects should still be taken into account even if the steps are taken after the notification of a personal data breach.
ICO response
The ICO does not agree that the way the Fining Guidance has been drafted gives the impression that most factors will be considered to be aggravating or neutral. The Fining Guidance aims to set a reasonable threshold for organisations to meet in order to demonstrate that a mitigating factor should apply. The ICO considers it important to set a clear expectation that controllers will need to provide credible evidence in that regard.
For similar reasons, the ICO does not propose to add a previous history of compliance as a mitigating factor, or an organisation's data protection culture as an aggravating or mitigating factor. Compliance with the law should be a baseline expectation. However, if in a particular case there was clear evidence that an organisation had a particularly good or bad data protection compliance culture, then it is possible this could be regarded as an aggravating or mitigating factor under Article 83(2)(k) UK GDPR (any other aggravating or mitigating factor applicable to the circumstances of the case).
The ICO does not consider that an organisation having comprehensive cyber insurance is sufficient to constitute a mitigating factor. However, it may provide evidence (depending on the nature of the insurance cover and the individual circumstances of the case) that the organisation had appropriate technical and organisational measures to ensure a level of security appropriate to its data protection risks, for example if the cover includes pre-incident support.
Similarly, the ICO does not consider that the fact a third party provider may also be responsible for causing the infringement is sufficient to constitute a mitigating factor. The extent of a controller or processor’s responsibility will, in any event, be assessed as part of determining whether it is liable for an infringement at all. It may also be the case that, depending on the circumstances, the third party is itself found to be a controller or processor with liability for the infringement.
In relation to the point that some factors may be double counted in the assessment of seriousness and of other aggravating or mitigating factors, the ICO notes that the Fining Guidance is clear that the ICO will consider the individual circumstances of each case in the round to assess whether the fine is appropriate. Further, the fact that particular evidence (eg a failure to take steps to comply with an approved code of conduct of which the controller is a member) may be relevant to more than one factor does not necessarily mean that the evidence is given undue weight. The ICO will assess the weight to be given in the individual circumstances of the case and will ensure that particular factors are not double counted. In the light of the comment received, the ICO has amended the Fining Guidance to note, in the section on intention and negligence, the potential relevance of a failure to take steps to comply with an approved code of conduct or certification scheme.
The ICO agrees with the comment that it is important to recognise action taken to mitigate damage suffered by data subjects following a personal data breach. We have clarified in the Fining Guidance that controllers are still able to benefit from this mitigating factor even if the steps taken to mitigate the damage occur after the controller has notified the personal data breach to the ICO. In that regard, we note that notification of a personal data breach does not necessarily imply that a controller or processor has infringed UK GDPR or Part 3 or Part 4 DPA 2018.