Telephone : 01908 041 464 | Email :
Quick Jump

Data Protection Fining Guidance


The UK’s Data Protection Fining Guidance provides a framework for the Information Commissioner’s Office (ICO) to impose fines for breaches of data protection laws, particularly the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The guidance outlines the factors that the ICO considers when determining the amount of fines to impose and provides transparency to businesses regarding the potential consequences of non-compliance with data protection laws.

The key provisions of this guidance include:

  • Basis for Fines: The guidance outlines the legal basis for imposing fines, including breaches of data protection principles, failure to comply with data subject rights, and failure to implement appropriate security measures.
  • Factors Considered: The guidance lists several factors that the ICO considers when determining the amount of fines, including the nature, gravity, and duration of the infringement, the number of data subjects affected, and the level of cooperation with the ICO.
  • Calculation of Fines: The guidance provides a methodology for calculating fines, including a two-tiered approach based on the severity of the infringement and the annual turnover of the business.
  • Mitigating Factors: The guidance also considers mitigating factors that may reduce the amount of fines, such as taking prompt action to mitigate the effects of the breach and cooperating with the ICO’s investigation.

The Data protection Fining Guidance was published by the ICO on December 2019 and applies to the UK.

data protection fining guidance

Does the Data Protection Fining Guidance affect my business?

There are several implications for businesses:

  • Financial Penalties: Businesses that fail to comply with data protection laws face significant financial penalties, which can be as high as €20 million or 4% of annual global turnover, whichever is higher.
  • Reputation Damage: Data breaches and fines can damage a business’s reputation, leading to loss of customer trust and potential loss of business.
  • Compliance Costs: Businesses may incur additional costs to comply with data protection laws, such as implementing new security measures and conducting data protection impact assessments.

Businesses must take data protection seriously and implement appropriate measures to protect personal data and avoid potential fines. Failure to comply with data protection laws can have significant financial and reputational consequences, making compliance a top priority for businesses of all sizes.

Do I need the Data Protection Fining Guidance in my ISO Compliance Register?

The types of businesses that may need to include this guidance in their ISO Compliance Registers are as follows:

  • Large Enterprises: Large businesses with a high volume of personal data processing are more likely to be affected by the guidance, as they face higher potential fines due to their larger turnover.
  • Small and Medium Enterprises (SMEs): SMEs are also affected by the guidance, as they are required to comply with data protection laws and may face significant fines if they fail to do so.

Legislation related to the Data Protection Fining Guidance

Legislation related to the Data Protection Fining Guidance include:

  • Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
  • Data Protection Act 2018

If your business deals with personal data in day to day activities we recommend that you include this guidance article in your ISO Compliance Register.

More information

Visit the Data Protection Fining Guidance on the website.

Create an account in the ISO Compliance Register App and add this article to your Register.