ICO Clarifies How Fines Are Calculated For Breaches Of Data Protection Legislation

ICO Published Fining Guidance

The Information Commissioner’s Office (ICO) has published new fining guidance. The guidance clarifies a number of points including the methodology used by the ICO to calculate fines.

Section 155 of the Data Protection Act 2018 (DPA 2018) and Article 83 of the UK GDPR gives the ICO power to impose fines for infringements of the UK GDPR and DPA 2018. The ICO can also impose fines if an organisation has failed to comply with an information notice, assessment notice, or enforcement notice.

The new guidance published by the ICO confirms that when they decide to issue a penalty notice, the fine amount will be calculated using the following five-step process:

Step 1 – Assessment of the seriousness of the infringement

The ICO will first set a starting point for the fine based on the seriousness of the infringement. For infringements with a high degree of seriousness, the ICO will set a starting point of between 20 – 100% of the legal maximum. For infringements with a medium degree of seriousness, a starting point of between 10 – 20%, and for infringements with a lower degree, a starting point of between 0 – 10%.

Therefore, as a general rule, the more serious the infringement is, the higher the chosen starting point will be. The ICO will decide on a case-by-case basis how serious an infringement is. When making their decision, they will consider the following:

  1. The nature, gravity, and duration of the infringement;
  2. Whether it was intentional or negligent; and
  3. The categories of personal data affected.

Step 2 – Accounting for turnover (where the controller or processor is part of an undertaking)

The UK GDPR and DPA 2018 set out the statutory maximum fines that can be imposed by the ICO. It provides for two levels of maximum fine depending on the statutory provision that has been infringed. These are referred to as the “standard maximum amount” and the “higher maximum amount”. The standard maximum amount is £8.7 million and the higher maximum amount is £17.5 million. Where the controller or processor is a subsidiary of a parent company, the maximum amount is the amount stated above or a percentage of the group’s annual turnover, whichever is higher.

As part of this step, the ICO will determine the group’s total worldwide annual turnover in its previous financial year. They will then consider whether to adjust the starting point (step 1 above) to reflect the size of the group.

Where a controller or processor is not part of a group, the ICO may instead have regard to other indicators such as its financial position, assets, funding, or administrative budget. They can then decide to adjust the starting point accordingly.

Step 3 – Calculation of the starting point

The ICO will then come to a figure with reference to Steps 1 and 2 above. There are some tables within the guidance that set out the ranges of fines up to the standard maximum amount and higher maximum amount with reference to the degree of seriousness and turnover.

Step 4 – Aggravating and mitigating factors

The ICO will then take into account whether there are any aggravating and mitigating factors that should increase or reduce the figure identified at Step 3. These include (but are not limited to):

  1. The action taken by the data controller or processor to mitigate the damage suffered by data subjects;
  2. Previous infringements by the controller or processor;
  3. The degree of cooperation with the ICO; and
  4. Whether or not the ICO was notified of the infringement.

Step 5 – Adjustment to ensure the fine is effective, proportionate, and dissuasive

At this step, the ICO will consider the circumstances of the case and assess whether the amount reached at the end of Step 4 is appropriate.


The guidance provides organisations with greater transparency as to the way the ICO calculates fines for infringements. Tim Capel, ICO Director of Legal Service said the following about the guidance:

We believe the guidance will provide certainty and clarity for organisations.

It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”

How can Nelsons helpICO Published Fining Guidance

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.

  • Email us

Contact us today

We're here to help.

Call us on 0800 024 1976

Main Contact Form

Used on contact page

  • Email us