
Understanding the ICO’s New Fining Guidance

The UK's Information Commissioner's Office (ICO) has published new, detailed guidance explaining the steps and criteria it will consider before imposing fines on businesses that violate data protection rules. The ICO's new fining guidance offers clear information and transparency on how the ICO makes decisions about penalties and how those penalties are calculated.

Below we highlight the key findings from the guidance 👇

Key points from the ICO's new fining guidance:

  1. Transparency and Fairness: The guidance aims to shed light on the fining process, particularly the considerations the ICO takes in imposing fines. It provides businesses with transparency and a clearer understanding of what leads to fines and penalties and how they may be able to avoid those fines through compliance.
    • Detailed Criteria: Provides specific criteria used in assessing fines, aiming for predictability in enforcement.
    • Decision-Making Process: Outlines the procedural steps taken from violation detection to the final fining decision, emphasizing the role of fair and impartial review.
    • Right to Respond: Details the opportunities businesses have to respond to allegations before fines are imposed, ensuring a fair hearing.
  2. Fining Criteria: It outlines the exact factors used to calculate fines, with the aim of making organizations fully aware of the financial consequences of noncompliance.
    • Severity and Duration: Takes into account both the severity and the duration of the breach, reflecting the extent of impact on data subjects.
    • Intentional or Negligent Breaches: Differentiates between breaches that are intentional or result from negligence, adjusting fines accordingly.
    • Mitigation Efforts: Considers whether the organization took steps to mitigate the damage, potentially reducing the fine.
  3. Maximum Fines: Confirming the potential severity of penalties, the guidance underscores that fines can escalate to as much as £17.5 million or 4% of an organization’s total worldwide annual turnover, whichever is greater. This aligns with the strict sanctions under the General Data Protection Regulation (GDPR), emphasizing the importance of adherence to data protection laws.
  4. Impact on Small and Medium-Sized Businesses (SMBs): Particularly relevant for SMBs, the guidance details a scaled approach to fines based on a company’s turnover. For businesses with a turnover of less than £2 million, such as micro enterprises, even minor infractions could result in fines up to £3,480. This tiered fining structure aims to balance the enforcement of data protection laws with the financial realities faced by smaller businesses, ensuring penalties are substantial yet fair.

How are the fines determined?

The ICO now uses five steps to determine penalties:

  1. Evaluating the severity of the violation;
  2. Considering the financial turnover if the entity responsible is part of a larger business;
  3. Setting a preliminary fine based on the violation’s severity and, if applicable, the business’s turnover;
  4. Modifying the initial fine amount to reflect any exacerbating or alleviating factors; and
  5. Ensuring the penalty is substantial, fair, and serves as a deterrent.

The new guidance is a testament to the ICO's efforts to enforce data protection laws stringently, and it calls on businesses to prioritise the security and privacy of personal data. For businesses, especially those in the SMB category, grasping the nuances of the guidance can help greatly when navigating the intricacies of compliance and avoiding fines.

Boost your compliance with the UK GDPR and key privacy regulations worldwide with iubenda’s comprehensive tools.
