The new fining guidance: Understanding the ICO's approach to calculating GDPR fines

Overview

The Information Commissioner’s Office (ICO) has the authority to issue penalties for the infringements of UK GDPR as well as for the failure to comply with its information, assessment notice or enforcement notices. The ICO has published new data protection fining guidance, outlining how it issues these penalties and calculates fines. 

How does the ICO determine a UK GDPR fine?

The ICO evaluates penalties and fines on a case-by-case basis, first considering whether alternative corrective measures would be more appropriate. The key factor is the nature, gravity and duration of the infringement. For example, high-risk processing involving new or innovative technologies, such as automated decision-making or the use of biometric or genetic data, may result in larger penalties.
Article 83(1) and (2) UK GDPR identifies the additional key factors: 
  • the intentional or negligent character of the infringement
  • categories of personal data affected by the infringement (for instance, certain categories of personal data – such as special category data and criminal records as well as personal data falling within the definitions of ‘sensitive processing’ in Part 3 and Part 4 DPA 2018 – require special protection)
  • mitigating actions taken by the controller or processor
  • any technical and organisational measures implemented by the controller or processor
  • any past infringements
  • cooperation with the ICO
  • how the ICO was notified of the infringement
  • compliance with previous measures
  • adherence to codes of conduct or approved certification mechanisms
  • any other aggravating or mitigating factors that relate to the case
In view of this, when calculating the amount for a penalty notice, the ICO follows these steps to make sure the fine is effective, proportionate, and dissuasive:
  • STEP 1: The ICO assesses the seriousness of the infringement. A starting point for the fine is then determined as a percentage of the relevant statutory maximum;
  • STEP 2: The turnover of an organisation (where applicable) is taken into consideration. If the controller or processor does not have turnover, the ICO considers other indicators of its financial position, such as assets, funding, or administrative budget;
  • STEP 3: Based on the outcome of the above steps, the ICO will calculate the starting point of a fine;
  • STEP 4: The ICO will consider any relevant aggravating or mitigating factors. This may lead to the increase or decrease of the fine; and
  • STEP 5: The ICO assesses the circumstances of the case again to make sure it is in line with the need for effectiveness, proportionality and dissuasiveness. Where necessary, an adjustment to the fine is made. 
In rare circumstances, the ICO may reduce a fine if an organisation is unable to pay due to financial hardship. Objective evidence must be provided, demonstrating that imposing the proposed fine would severely harm an organisation’s economic viability. 

How does the ICO calculate the maximum amount of a UK GDPR fine?

The maximum fine for an infringement is subject to statutory limits under the UK GDPR. There are two levels of maximum fines – the ‘standard maximum amount’ and the ‘higher maximum amount’. Where a controller or a processor has committed multiple infringements, the overall fine issued must not be more than the maximum statutory amount of the most serious individual infringement identified. When making the decision, the ICO also considers the controller’s or processor’s conduct. 

The ‘standard maximum amount’ is £8.7 million. If the controller or processor is an ‘undertaking’*, the fine is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.

The ‘higher maximum amount’ is £17.5 million. If the controller or processor is an ‘undertaking’, the fine is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.

*The term ‘undertaking’ refers to any entity engaged in economic activity, including public authorities, state-controlled enterprises, and charities. It also includes multiple legal or natural persons forming a ‘single economic unit’. Whether a controller or processor is part of a wider undertaking depends on its autonomy, or whether another legal or natural person exercises control over it. The ICO considers all relevant economic, organisational, and legal links between subsidiaries and parent companies to determine this.

What does this mean for you?

The ICO’s fining guidance provides much-needed clarity on the regulator’s fining powers and methodology for calculating fines. This guidance can also be used proactively in better assessing and prioritising data protection compliance risks against the factors which the ICO takes into account when issuing a penalty notice. 

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.