
UK: The ICO welcomes views on its draft Data Protection Fining Guidance

On October 2, 2023, the Information Commissioner's Office (ICO) announced that its draft Data Protection Fining Guidance (Guidance) is open for consultation. In this Insight article, Luke Dixon and Josh Day, from leading national law firm Freeths LLP, provide an overview of the key features of the Guidance and what this means for organizations.  


What is the Guidance?  

The Guidance seeks to provide greater clarity to organizations concerning the ICO's ability to issue (and its methodology for calculating) fines resulting from breaches of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).  

The release of the Guidance marks the third time in three consecutive years that the ICO has issued a publication surrounding its enforcement powers in relation to data protection legislation in the UK, and follows the guidelines released by the European Data Protection Board (EDPB) in June 2023 concerning the calculation of administrative fines.  

The Guidance, which sets out the conditions under which the Commissioner would consider it appropriate to exercise its discretion to issue a fine, remains open for consultation until November 27, 2023. During this period, the ICO welcomes views from organizations and individuals both in a professional and private capacity.  

How is the Guidance structured? 

The Guidance comprises three sections: 

  • statutory background which provides a 'refresh' of the overarching framework surrounding the ICO's enforcement powers, including the infringements under the UK GDPR and the DPA, the maximum amount of a fine, restrictions on issuing fines, and the ICO's approach to multiple infringements; 
  • circumstances in which the ICO considers it appropriate to issue a fine, including the seriousness of the breach, any relevant factors, and the effectiveness, proportionality, and dissuasiveness of a fine; and 
  • calculation of fines which illustrates the ICO's five-step approach to calculating the amount of a fine. 

The framework surrounding the ICO's enforcement powers 

Issuing fines 

The preamble to the Guidance serves as a reminder to organizations that the ICO may impose a fine where it is satisfied that a data controller or data processor has failed to comply with the provisions of the UK GDPR or DPA relating to: 

  • the principles of processing personal data; 
  • the rights conferred on data subjects; 
  • the obligations placed on data controllers and data processors, including the requirement to communicate a personal data breach to the ICO; or 
  • the principles for transfers of personal data outside the UK. 

The ICO may also issue a fine for failure to comply with the requirements placed in relation to information notices, assessment notices, and enforcement notices, particularly where a data controller or data processor fails to: 

  • provide the ICO with information that it reasonably requires; 
  • allow the ICO to inspect or examine documents, information, or materials; or 
  • comply with a requirement set out in an enforcement notice (for example, a requirement to erase personal data).  

Maximum amount of a fine 

The ICO is subject to a statutory maximum when it decides the amount it wishes to fine an organization. Depending on the severity of the infringement, the Guidance provides for two levels of maximum fine as prescribed in the UK GDPR and DPA: 

  • the standard maximum amount of £8.7 million or, in the case of an undertaking[1], the higher of either £8.7 million or 2% of the undertaking's total worldwide annual turnover in the preceding financial year; and 
  • the higher maximum amount of £17.5 million or, in the case of an undertaking, the higher of either £17.5 million or 4% of the undertaking's total worldwide annual turnover in the preceding financial year. 

Restrictions on issuing fines 

The Guidance considers various circumstances where the ICO is either restricted from issuing fines or where the issuing of a fine is subject to additional requirements. These circumstances include: 

  • the processing of personal data for 'special' purposes: The ICO may only impose a fine in respect of a breach resulting from the processing of personal data for special purposes, in those specific circumstances set out in Section 156 of the DPA; 
  • the Houses of Parliament: The ICO may not issue a fine in relation to the processing of personal data where the purposes for the processing are determined by or on behalf of the House of Lords or the House of Commons;  
  • the Royal Household: The ICO may not issue a fine to a data controller acting on behalf of the Royal Household or the Crown Estate Commissioners; and  
  • joint data controllers for law enforcement or intelligence services processing: where joint data controllers process personal data for law enforcement or intelligence services purposes, the ICO may only impose a fine on the data controller that is responsible for compliance with the provision of data protection legislation in question.  

Multiple infringements  

The Guidance recognizes that a breach of data protection legislation may involve infringements of several provisions, rather than of one single provision. The ICO will therefore assess, on a case-by-case basis, whether one or more breaches relate to the same or linked data processing operations.  

That said, where the ICO determines that a breach by the same or linked data processing operations infringes more than one provision of the UK GDPR, the total fine imposed by the ICO in relation to the breaches arising from those linked data processing operations must not exceed the statutory maximum that applies to the most serious of the individual breaches identified. 

When is it appropriate for the ICO to issue a fine? 

When determining whether or not to issue a fine, the ICO will consider: 

  • the seriousness of the breach (or breaches): The ICO will consider the factors listed in Articles 83(1) and 83(2) of the UK GDPR, particularly in relation to the nature, gravity, and duration of the breach, the intention of the breach, and the categories of personal data involved; 
  • relevant aggravating or mitigating factors: A data controller or data processor should try to mitigate a breach and the ICO will consider any steps taken when assessing the appropriateness of imposing a fine; and 
  • whether a fine would be effective, proportionate, and dissuasive: The ICO will also consider whether a fine is an appropriate sanction for the breach, whether it is necessary and proportionate in the circumstances, and whether it would promote compliance with data protection legislation.  

The Guidance explains that when the ICO considers issuing a fine, it will do so on a case-by-case basis and will aim to ensure that there is a broad consistency in the approach taken. However, it will not be bound by previous decisions. This will undoubtedly give the ICO wider discretion in its decision-making.  

How does the ICO calculate fines? 

In a similar vein to the EDPB guidelines, the Guidance explains that where the ICO has deemed it appropriate to impose a fine, it will calculate the amount of the fine by following a five-step methodology: 

  1. assess the seriousness of the infringement; 
  2. account for turnover (where the data controller or data processor is part of an undertaking); 
  3. calculate the starting point with respect to the seriousness of the infringement; 
  4. make adjustments to account for any aggravating or mitigating factors; and 
  5. assess whether the fine is effective, proportionate, and dissuasive. 

The Guidance also explains that the ICO may, at its sole discretion (and in exceptional circumstances), reduce a fine where an organization is unable to pay it due to financial hardship. In such a situation, the ICO may grant a reduction where the organization can demonstrate that its financial position merits such relief. 

Key takeaways  

Organizations should be aware that the Guidance only relates to breaches of the UK GDPR and the DPA and is not applicable to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which offer additional privacy rights in relation to electronic communications.  

While the Guidance appears to be somewhat mechanistic in nature (particularly in respect of the ICO following prescribed factors in determining a breach and implementing a step-by-step approach to calculating fines), it will undoubtedly assist organizations by providing greater clarity surrounding the situations when and how the ICO will calculate and, if appropriate, issue fines.  

It will be interesting to note any changes made to the Guidance in response to the comments received from organizations and individuals after the consultation closes at the end of November 2023. 

In the interim, for those organizations and individuals wishing to comment on the Guidance, the ICO has launched an online survey, which can be found here. 

Luke Dixon Partner 
Josh Day Associate  
Freeths LLP, UK 

[1] While 'undertaking' is not defined in the UK GDPR or the DPA, it is commonly understood that the ICO will treat the parent company of a data controller or data processor, together with its wider corporate group, as forming part of the same undertaking.