ICO administrative fines — Article 83 UK GDPR two-tier framework
The Information Commissioner's Office (ICO) is the United Kingdom's supervisory authority for data protection under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The ICO's power to impose administrative fines for violations of UK GDPR is established by Article 83 UK GDPR and exercisable only by giving a penalty notice under DPA 2018 section 155, as provided in section 115(9).
Two-tier maximum fine structure
Article 83 UK GDPR establishes two levels of maximum administrative fines, commonly referred to as the "standard maximum amount" and the "higher maximum amount." The maximum fine in each case depends on whether the controller or processor is an "undertaking" (a concept that encompasses the entire economic entity, not just the individual legal person that committed the breach).
Standard maximum amount (Article 83(4) UK GDPR): £8,700,000 or, in the case of an undertaking, 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. This tier applies to infringements of controllers' and processors' obligations under Articles 8, 11, and 25–39 UK GDPR (including data protection by design and default, security measures, data protection impact assessments, and DPO designation), certification-body obligations under Articles 42–43, and monitoring-body obligations under Article 41(4).
Higher maximum amount (Article 83(5) UK GDPR): £17,500,000 or, in the case of an undertaking, 4% of total worldwide annual turnover in the preceding financial year, whichever is higher. This tier applies to infringements of the core processing principles and lawful-basis requirements under Articles 5, 6, 7, and 9; data-subject rights under Articles 12–22; international-transfer requirements under Articles 44–49; obligations under Part 5 or 6 of Schedule 2 to DPA 2018; and non-compliance with a Commissioner's order under Article 58(2) or failure to provide access under Article 58(1). Non-compliance with a Commissioner's order also triggers the higher maximum under Article 83(6).
Article 83(3) cap for linked infringements
Where a controller or processor intentionally or negligently infringes several provisions of UK GDPR in the same or linked processing operations, the total administrative fine must not exceed the maximum specified for the gravest infringement. The ICO may impose a separate fine for each individual breach arising from the same or linked processing operations, provided the combined total does not exceed the applicable statutory maximum for the most serious violation.
Article 83(2) factors
Article 83(2) UK GDPR requires the ICO to give due regard to eleven enumerated factors when deciding whether to impose a fine and its amount, including: the nature, gravity, and duration of the infringement; the number of data subjects affected and level of damage suffered; the intentional or negligent character of the breach; any action taken to mitigate damage; the degree of responsibility taking into account technical and organizational measures implemented under Articles 25 and 32; any relevant previous infringements; the degree of cooperation with the Commissioner to remedy the breach; the categories of personal data affected; how the infringement became known to the Commissioner; compliance with previous enforcement measures; adherence to approved codes of conduct or certification mechanisms; and any other aggravating or mitigating factors, including financial benefits gained or losses avoided.
Effective, proportionate, and dissuasive requirement
Article 83(1) UK GDPR mandates that the Commissioner ensure administrative fines are "effective, proportionate and dissuasive" in each individual case. This principle guides both the decision to impose a fine and the calculation of its amount. In March 2024, the ICO published comprehensive Data Protection Fining Guidance setting out the ICO's methodology for calculating fines and applying the Article 83(2) factors.
The UK statutory framework mirrors the EU GDPR administrative-fine regime under Regulation (EU) 2016/679, with two principal divergences: the sterling-denominated caps (£8.7 million and £17.5 million, respectively) replace the euro amounts (€10 million and €20 million), and references to "the supervisory authority" are replaced with "the Commissioner." The substantive Article 83(2) factors and the effective-proportionate-dissuasive standard remain identical.
Source: Article 83, Regulation (EU) 2016/679 (UK GDPR)
Source: Data Protection Act 2018, section 115
Source: Data Protection Act 2018, sections 155–157
ICO corrective powers — Article 58 UK GDPR investigative and corrective toolkit
The Information Commissioner's Office (ICO) possesses a comprehensive suite of enforcement powers beyond administrative fines under Article 58 UK GDPR, which establishes three categories of authority: investigative powers (Article 58(1)), corrective powers (Article 58(2)), and authorisation and advisory powers (Article 58(3)). The Data Protection Act 2018 (DPA 2018) sections 115 and 143–154 impose procedural safeguards that dictate how the Commissioner must exercise these powers in practice.
Investigative powers — Article 58(1) UK GDPR
Article 58(1) UK GDPR grants the Commissioner six investigative powers: (a) to order controllers and processors to provide information the Commissioner requires for performance of its tasks; (b) to carry out investigations in the form of data protection audits; (c) to review certifications issued under Article 42(7); (d) to notify a controller or processor of an alleged infringement; (e) to obtain access to all personal data and information necessary for the Commissioner's tasks; and (f) to obtain access to premises, including data processing equipment and means.
Under DPA 2018 section 115(5), the Commissioner may exercise the Article 58(1)(a) information-gathering power only by issuing an information notice under section 142. Section 115(6) provides that data protection audits under Article 58(1)(b) are exercisable only in accordance with section 146, which requires prior written notice and sets out a consent-based framework (compulsory audits require an assessment notice under section 146(3) and Schedule 15). The Article 58(1)(e) and (f) powers to obtain access to personal data and premises are exercisable only in accordance with Schedule 15 (by warrant under section 154) or in conjunction with an audit under section 146, per section 115(7).
Corrective powers — Article 58(2) UK GDPR
Article 58(2) UK GDPR enumerates ten corrective powers the Commissioner may deploy where a controller or processor has infringed or will infringe the UK GDPR:
(a) issue warnings where processing operations are likely to infringe UK GDPR provisions; (b) issue reprimands where processing operations have infringed UK GDPR provisions; (c) order compliance with data-subject requests to exercise rights under Articles 12–22; (d) order rectification, erasure, or restriction of processing and notification of such actions to recipients under Articles 16, 17, 18, and 19; (e) impose temporary or definitive limitations, including a ban, on processing; (f) order rectification or erasure of personal data or restriction of processing under Articles 16, 17, and 18, and notification to recipients under Article 19; (g) withdraw certifications or order certification bodies not to issue certifications under Articles 42 and 43; (h) impose administrative fines under Article 83; (i) order suspension of data flows to recipients in third countries or international organisations.
DPA 2018 section 115(8) provides that the Commissioner may exercise the corrective powers under Article 58(2)(c) to (g) and (j) — including orders to comply with data-subject rights, rectification/erasure orders, processing limitations and bans, and suspension of international data flows — only by issuing an enforcement notice under section 149. Section 149(1) authorises enforcement notices where the Commissioner is satisfied that a person has failed or is failing to comply with UK GDPR provisions, monitoring-body obligations under Article 41, certification-provider obligations, or other data protection legislation enumerated in section 149(2). Section 115(9) specifies that the administrative-fine power under Article 58(2)(i) (listed as (h) in the corrective-powers enumeration above due to a drafting divergence) is exercisable only by issuing a penalty notice under section 155, which in turn triggers the Article 83 fine framework and the two-tier caps.
Authorisation and advisory powers — Article 58(3) UK GDPR
Article 58(3) UK GDPR grants the Commissioner eleven authorisation and advisory powers, including powers to advise controllers on processing operations, issue opinions to Parliament and the public, authorise contractual clauses for international transfers, approve binding corporate rules, and maintain public registers of compliance violations and transfer mechanisms. Section 115(10) DPA 2018 clarifies that section 115's procedural safeguards do not limit other functions conferred on the Commissioner by the UK GDPR, DPA 2018, or other legislation.
The enforcement-notice mechanism under DPA 2018 section 149 is the operational vehicle for the most intrusive corrective measures: orders to stop processing, orders to delete datasets, and international-transfer suspension orders. Section 149(6) requires an enforcement notice to impose only requirements the Commissioner considers "appropriate for the purpose of remedying the failure," and section 150 grants the Commissioner discretion to cancel or vary enforcement notices. A person subject to an enforcement notice may appeal to the First-tier Tribunal under section 162 DPA 2018.
Article 58 UK GDPR mirrors the EU GDPR corrective-powers framework under Regulation (EU) 2016/679, with UK-specific procedural overlays. The principal UK divergences are the domestic notice regime (information notices, assessment notices, enforcement notices, and penalty notices replace the generic supervisory-authority "orders" contemplated in the EU text) and the removal of cross-border cooperation and consistency-mechanism provisions that applied when the UK participated in the European Data Protection Board.
Source: Article 58, UK GDPR
Source: Data Protection Act 2018, section 115
Source: Data Protection Act 2018, sections 149–155
Private right to compensation — Article 82 UK GDPR damage requirement and Lloyd v Google
Data subjects in the United Kingdom hold a direct statutory right to seek compensation from controllers and processors for breaches of the UK General Data Protection Regulation (UK GDPR). This private right of action operates independently of administrative enforcement by the Information Commissioner's Office (ICO) and permits individuals to bring civil proceedings in court without first exhausting administrative remedies.
Article 82 UK GDPR statutory framework
Article 82(1) UK GDPR provides that "any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." The statute imposes two distinct requirements: (i) proof of an infringement of UK GDPR and (ii) proof of damage caused by that infringement. Controllers are liable for damage caused by processing that infringes UK GDPR; processors are liable only where they have failed to comply with obligations specifically directed to processors or have acted outside or contrary to lawful controller instructions (Article 82(2) UK GDPR). A controller or processor is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage (Article 82(3) UK GDPR).
"Non-material damage" includes distress — DPA 2018 section 168
The Data Protection Act 2018 (DPA 2018) clarifies that "non-material damage" for the purposes of Article 82 UK GDPR includes distress (section 168(1) DPA 2018). This statutory definition confirms that claimants may recover compensation for emotional harm, anxiety, or upset resulting from unlawful processing, in addition to material losses such as financial detriment. The inclusion of distress as compensable damage mirrors the position under the predecessor Data Protection Act 1998 section 13(2), though the UK GDPR regime does not require proof of pecuniary loss as a precondition to distress-based claims.
Lloyd v Google and the damage requirement
The Supreme Court's November 2021 decision in Lloyd v Google LLC [2021] UKSC 50 established that compensation under UK data-protection law is not available for a bare infringement of statutory duties without proof of actual damage. Although the case was decided under the Data Protection Act 1998, the Court's analysis is highly persuasive for Article 82 UK GDPR claims. The claimant had sought to bring a representative action (opt-out class action) on behalf of approximately four million iPhone users whose browsing activity Google allegedly tracked without consent via the "Safari Workaround" between 2011 and 2012. The claimant argued that "loss of control" of personal data constituted compensable damage without the need to prove individualised material loss or distress.
The Supreme Court unanimously rejected this argument, holding that the statutory right to compensation requires proof of two distinct elements: (i) a contravention of the applicable data-protection legislation and (ii) damage caused by that contravention. The Court concluded that interpreting "damage" to encompass the mere fact of unlawful processing would collapse these two requirements into one and render the statutory language requiring damage superfluous. Lord Leggatt, writing for the Court, stated that section 13 of the 1998 Act "cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act." The Court emphasised that while loss of control may feature as part of a claimant's case—particularly where it leads to further harm such as distress, financial loss, or misuse of data—it does not, standing alone, constitute compensable damage.
The Supreme Court expressly declined to decide whether the same interpretation applies to Article 82 UK GDPR, noting differences in statutory language (in particular, Recital 146 to the EU GDPR, which mentions "loss of control" as an example of damage, though recitals do not carry the same weight in UK retained law post-Brexit). However, the Court's core holding—that proof of damage distinct from and caused by the infringement is required—remains highly influential. Practitioners should anticipate that UK courts will require claimants to demonstrate actual harm (whether material loss or distress) and not merely the fact of a technical breach.
Representative actions and collective redress — DPA 2018 section 187
DPA 2018 section 187 enables representative bodies to bring compensation claims under Article 82 UK GDPR on behalf of data subjects. Article 80(1) UK GDPR (as modified by Schedule 6 to DPA 2018) permits a data subject to authorise a qualifying body or organisation to exercise the data subject's rights under Articles 77, 78, and 79 (complaint to the ICO, judicial remedy against the ICO, and judicial remedy against a controller or processor). Section 187(1)(b) DPA 2018 extends this to Article 82 compensation claims: a data subject may authorise such a body to exercise the right to compensation on the data subject's behalf. A qualifying body must (i) be constituted on a not-for-profit basis and (ii) have objectives that are in the public interest and relate to the protection of data subjects' rights (section 187(3)–(4) DPA 2018).
Lloyd v Google held that representative actions under CPR 19.6 (the English procedural rule permitting one or more persons to sue as representatives of others with "the same interest") are viable for data-protection claims only where all represented persons have the same interest in the relief sought. The Supreme Court confirmed that representative actions may be suitable for (i) declaratory relief establishing a defendant's liability or (ii) damages calculated on a uniform per-capita basis common to all class members. However, where compensation requires individualised assessment of harm—because distress or financial loss varies from person to person—a representative action is not procedurally permissible. The Court suggested a bifurcated approach: a representative claim to establish liability, followed by individual or coordinated claims for damages assessed on a case-by-case basis. DPA 2018 section 188 grants the Lord Chancellor power to make regulations governing representative-body proceedings, including provision for assessment of compensation, settlement, and costs, though no such regulations have been enacted as of June 2026.
Jurisdiction and venue
Proceedings under Article 82 UK GDPR are brought in the High Court, the county court (in England and Wales), the High Court or county court (in Northern Ireland), or the Court of Session (in Scotland), per DPA 2018 section 180(1)(e) and (2)(e). For processing to which Part 4 of DPA 2018 applies (law enforcement processing), jurisdiction is confined to the High Court or Court of Session (section 180(3)). Controllers and processors established outside the United Kingdom may be served with proceedings subject to the court's permission under the Civil Procedure Rules governing service out of the jurisdiction.
Joint and several liability — Article 82(4)–(5) UK GDPR
Where multiple controllers or processors are involved in the same processing and are responsible for damage, each is liable for the entire damage to ensure effective compensation to the data subject (Article 82(4) UK GDPR). A controller or processor that has paid full compensation may claim contribution from other controllers or processors involved in the same processing, in proportion to their respective responsibility for the damage (Article 82(5) UK GDPR). This joint-and-several regime mirrors tort principles in English law and prevents data subjects from bearing the risk of an insolvent defendant.
Source: Article 82, UK GDPR
Source: Data Protection Act 2018, section 168
Source: Data Protection Act 2018, section 187
Criminal offences under DPA 2018 — sections 170, 171, and 173 unlawful processing, re-identification, and evidence alteration
The Data Protection Act 2018 (DPA 2018) creates a suite of criminal offences for certain deliberate breaches of data-protection law, marking a significant UK-specific overlay on the administrative-enforcement regime under the UK General Data Protection Regulation (UK GDPR). These criminal provisions operate independently of the Information Commissioner's Office's civil enforcement powers and are prosecuted by the Crown Prosecution Service (in England and Wales) or the relevant prosecuting authority in Scotland or Northern Ireland, not by the ICO alone.
Unlawful obtaining, disclosing, procuring, or retaining personal data — Section 170 DPA 2018
Section 170(1) DPA 2018 establishes the primary data-protection criminal offence. It is an offence for a person knowingly or recklessly:
(a) to obtain or disclose personal data without the consent of the controller; (b) to procure the disclosure of personal data to another person without the consent of the controller; or (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.
This offence targets insider threats, external hackers who exfiltrate data, individuals who sell or trade personal data without authorisation, and former employees who retain datasets after leaving an organisation. The mental element—"knowingly or recklessly"—requires proof that the person either knew the conduct was unauthorised or was reckless as to whether consent existed. Mere negligence is insufficient for a section 170 conviction.
Section 170(2) DPA 2018 provides three statutory defences. It is a defence to prove that the obtaining, disclosing, procuring, or retaining:
(a) was necessary for the purposes of preventing, investigating, or detecting crime (as amended by the Data (Use and Access) Act 2025, adding "investigating" to the existing defence for preventing or detecting crime, effective 5 February 2026); (b) was required or authorised by an enactment, by a rule of law, or by the order of a court or tribunal; or (c) in the particular circumstances, was justified as being in the public interest.
Section 170(3) DPA 2018 provides two additional defences tied to reasonable belief: the person acted in the reasonable belief that (i) the person had a legal right to do the act, or (ii) the person would have had the consent of the controller if the controller had known about the act and the circumstances of it. The burden of proving a defence under subsections (2) or (3) rests on the defendant on the balance of probabilities.
Section 170(4) DPA 2018 criminalises selling personal data obtained in the commission of a section 170(1) offence. Subsection (5) extends this to offering to sell: a person commits an offence if the person offers to sell personal data and has obtained the data in circumstances in which an offence under subsection (1) was committed, or subsequently obtains the data in such circumstances. For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale is an offer to sell the data (section 170(6) DPA 2018).
Re-identification of de-identified personal data — Section 171 DPA 2018
Section 171(1) DPA 2018 creates a distinct offence for re-identification of de-identified data. It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. Section 171(2) DPA 2018 defines the core concepts: personal data is "de-identified" if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject; a person "re-identifies" information if the person takes steps which result in the information no longer being de-identified within the meaning of that definition.
The section 171(1) offence addresses the growing risk of adversarial re-identification attacks on pseudonymised or anonymised datasets, including linkage attacks that combine de-identified data with external datasets to identify individuals. The mental element—knowingly or recklessly—again requires more than negligence.
Section 171(3) DPA 2018 mirrors the section 170(2) defences: it is a defence to prove the re-identification was (a) necessary for preventing, investigating, or detecting crime; (b) required or authorised by enactment, rule of law, or court order; or (c) justified as being in the public interest. Section 171(4) DPA 2018 provides additional reasonable-belief defences, including a special carve-out for journalistic, academic, artistic, or literary re-identification conducted in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest (section 171(4)(c)), and for effectiveness testing under section 172 DPA 2018 (section 171(4)(d)).
Section 171(5) DPA 2018 creates a secondary offence: it is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified where the person does so (a) without the consent of the controller responsible for de-identifying the personal data, and (b) in circumstances in which the re-identification was an offence under subsection (1). This criminalises downstream use of unlawfully re-identified data by persons other than the original re-identifier.
Alteration of personal data to prevent disclosure — Section 173 DPA 2018
Section 173(1) DPA 2018 criminalises evidence tampering in the data-protection context. A person commits an offence if the person alters, defaces, blocks, erases, destroys, or conceals personal data with the intention of preventing disclosure of all or part of the data that the person is or may be required to make by an information notice or an assessment notice issued by the Information Commissioner under sections 142 or 146 DPA 2018. This offence protects the integrity of the Commissioner's investigatory process and carries the same penalty regime as sections 170 and 171.
Penalties — Section 196 DPA 2018
Section 196(2) DPA 2018 sets out the penalty regime for offences under sections 132, 144, 148, 170, 171, and 184. A person who commits any of these offences is liable:
(a) on summary conviction in England and Wales, to a fine (unlimited since the Legal Aid, Sentencing and Punishment of Offenders Act 2012 removed the statutory maximum for summary offences tried in a magistrates' court); (b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum (currently £5,000 in Scotland and Northern Ireland); or (c) on conviction on indictment, to a fine.
Critically, the DPA 2018 does NOT provide for imprisonment for any data-protection criminal offence. Section 196(2)(c) specifies only a fine on conviction on indictment, with no custodial term. This represents a significant policy choice by Parliament and a departure from certain other information-security offences under UK law, such as the Computer Misuse Act 1990, which does provide for imprisonment. The absence of custodial penalties reflects the legislative view that administrative fines under Article 83 UK GDPR (reaching up to £17.5 million or 4% of global turnover) and unlimited criminal fines provide sufficient deterrence and punishment for data-protection breaches.
Section 196(3)–(5) DPA 2018 grants courts ancillary forfeiture powers where a person is convicted of an offence under section 170 (unlawful obtaining) or section 184 (obstruction of execution of a warrant). The court may order a document or other material to be forfeited, destroyed, or erased if it has been used in connection with the processing of personal data and it appears to the court to be connected with the commission of the offence, subject to a safeguard requiring the court to hear from any third-party claimant to the material before making the order.
Prosecution and procedure — Sections 197 and 199 DPA 2018
Section 197(1) DPA 2018 restricts the power to institute criminal proceedings. In England and Wales, proceedings for an offence under the Act may be instituted only by the Information Commissioner or by or with the consent of the Director of Public Prosecutions. In Northern Ireland, only the Information Commissioner or the Director of Public Prosecutions for Northern Ireland may institute proceedings (section 197(2) DPA 2018). This gatekeeping mechanism ensures that trivial or vexatious private prosecutions do not undermine the coherent enforcement strategy overseen by the ICO and the CPS.
Section 197(3)–(4) DPA 2018 extends the limitation period for section 173 (alteration of data to prevent disclosure) summary prosecutions. Summary proceedings may be brought within six months beginning with the day on which the prosecutor first knew of evidence sufficient to bring the proceedings, provided such proceedings are brought within three years of the offence itself. A certificate signed by or on behalf of the prosecutor stating the day on which the six-month period began is conclusive evidence of that fact (section 197(5)–(6) DPA 2018).
Section 199 DPA 2018 provides that offences under the Act are recordable offences for the purposes of the Police and Criminal Evidence Act 1984 and the Police and Criminal Evidence (Northern Ireland) Order 1989, meaning fingerprints and DNA samples may be taken from persons arrested for or charged with such offences.
Relationship to administrative enforcement
The criminal-offence regime operates in parallel with the ICO's civil enforcement powers under Article 58 UK GDPR and DPA 2018 sections 149–157. A single course of conduct may trigger both an administrative penalty notice (fine) and a criminal prosecution, though the ICO and CPS will coordinate to avoid duplicative punishment for the same harm. Criminal prosecution is typically reserved for cases involving deliberate, serious, and systemic unlawful processing—particularly insider threats, data theft for profit, and wilful obstruction of the Commissioner's investigations. The vast majority of data-protection enforcement in the United Kingdom proceeds through the administrative route, not criminal prosecution.
Source: Data Protection Act 2018, section 170
Source: Data Protection Act 2018, section 171
Source: Data Protection Act 2018, section 173
Source: Data Protection Act 2018, section 196
Source: Data Protection Act 2018, section 197
ICO fining methodology — March 2024 Data Protection Fining Guidance and leading enforcement decisions
The Information Commissioner's Office (ICO) published comprehensive Data Protection Fining Guidance in March 2024 setting out when it will impose administrative fines under Article 83 UK GDPR and how it calculates the appropriate amount. The guidance replaces sections of the November 2018 Regulatory Action Policy and applies to all fines issued under the UK GDPR and Data Protection Act 2018 (DPA 2018), including new cases and ongoing investigations where a notice of intent has not yet been issued. It does not apply to fines under the Privacy and Electronic Communications Regulations 2003 (PECR).
Five-step fining methodology — March 2024 Guidance
The March 2024 Guidance establishes a five-step approach to calculating an appropriate fine, which the ICO applies holistically rather than mechanistically. The five steps are:
Step 1: Assessment of seriousness of the infringement. The ICO evaluates the nature, gravity, and duration of the infringement by reference to the Article 83(2)(a) factors and categorises the breach according to degree of seriousness (low, medium, high, or very high seriousness). This assessment examines the nature of the processing, scope of processing, number of data subjects affected, level of damage suffered, whether the infringement was intentional or negligent, and the duration of the infringement. The Guidance clarifies that the assessment of intentionality or negligence examines the individual circumstances of each case; examples of evidence the ICO will consider include whether senior management authorised the unlawful processing, but such evidence is illustrative rather than determinative.
Step 2: Determination of the applicable statutory maximum. The ICO identifies whether the infringement falls within the "standard maximum amount" under Article 83(4) UK GDPR (£8.7 million or 2% of worldwide annual turnover, whichever is higher) or the "higher maximum amount" under Article 83(5) UK GDPR (£17.5 million or 4% of worldwide annual turnover, whichever is higher). The higher maximum applies to infringements of the core processing principles under Articles 5, 6, 7, and 9 UK GDPR, data-subject rights under Articles 12–22, and international-transfer requirements under Articles 44–49. For undertakings (economic entities that may include parent companies with decisive influence over the infringing controller or processor), the ICO determines the "total worldwide annual turnover in the preceding financial year" by reference to the entire undertaking, not solely the legal entity that committed the breach. The Guidance explains how the ICO will assess whether a parent company exercises decisive influence, taking into account factors such as ownership structure, financial dependency, operational integration, and governance oversight.
Step 3: Calculation of a starting point. The ICO applies a percentage of the applicable statutory maximum based on the seriousness categorisation determined at step 1. The Guidance sets out indicative percentage ranges for each seriousness category. For undertakings, this percentage is applied to the higher of the fixed sterling cap or the turnover-based percentage cap. The ICO will generally use annual turnover as the primary indicator of an organisation's size and financial position, but will also consider other financial indicators such as profits, net assets, or dividends where relevant. For organisations that are not undertakings (including public authorities, sole traders, and small entities without significant turnover), the starting point is determined by reference to the fixed sterling cap and the organisation's financial position.
Step 4: Adjustment for aggravating and mitigating factors. The ICO considers the Article 83(2) factors not already accounted for at step 1, including: any action taken to mitigate damage suffered by data subjects; the degree of responsibility taking into account technical and organisational measures implemented under Articles 25 and 32; any relevant previous infringements; the degree of cooperation with the Commissioner to remedy the breach and mitigate adverse effects; the categories of personal data affected; how the infringement became known to the Commissioner (whether by breach notification, complaint, or proactive disclosure); compliance with previous ICO measures under Article 58(2); adherence to approved codes of conduct or certification mechanisms; and any other aggravating or mitigating factors, including financial benefits gained or losses avoided as a result of the infringement. The Guidance clarifies that cooperation beyond the ordinary legal duty of cooperation under Article 31 UK GDPR and DPA 2018 section 63 may be treated as a mitigating factor, including where a controller or processor responds to ICO requests in a manner that enables the enforcement process to conclude significantly more quickly or effectively.
Step 5: Final review for effectiveness, proportionality, and dissuasiveness. The ICO conducts a holistic review of the proposed fine amount in light of all the circumstances of the case to ensure the fine meets the Article 83(1) UK GDPR requirement that administrative fines be "effective, proportionate and dissuasive in each individual case." At this stage the ICO may adjust the fine amount (upward or downward) to ensure it achieves the statutory objective. For public authorities, the ICO applies its "public sector approach": it will only issue a fine in the most egregious cases where infringements are especially serious, and the fact that the organisation is a public authority is relevant to the assessment of the nature of the processing (step 1), the determination of the maximum fine (step 2), and the financial position used at step 3. The ICO may reduce the overall fine on a public body at step 5, provided the fine remains effective, proportionate, and dissuasive.
In exceptional circumstances, the ICO may further reduce a fine where a controller or processor is unable to pay the proposed amount because of its financial position. The Guidance states that the ICO is not bound by previous fining decisions, but it will have regard to the level of fines set in previous cases where relevant and will explain the reasons for the fine amount in each case to ensure transparency.
Leading ICO enforcement decisions — illustration of the fining framework in practice
The decisions below, most of them concerning security failures under Article 32 UK GDPR following cyber-attacks, show the fining framework in practice. The 2025 penalties (Advanced, 23andMe, DPP Law, Capita) were calculated under the March 2024 Fining Guidance; the earlier British Airways and Police Service of Northern Ireland decisions are included for comparison, since they illustrate the top of the scale and the public-sector approach respectively:
Advanced Computer Software Group Ltd (March 2025) — £3.07 million. The ICO fined Advanced £3.07 million for security failings that compromised the personal data of 79,404 individuals and disrupted the provision of essential healthcare services, including NHS 111. This was the ICO's first monetary penalty imposed directly on a processor under the UK GDPR, signalling that processors will be held directly accountable for breaches of their Article 28 and Article 32 obligations. The ICO's investigation found that Advanced's subsidiary had failed to implement appropriate technical and organisational measures to protect personal data processed on behalf of its controller customers, including gaps in the deployment of multi-factor authentication (MFA), insufficient vulnerability scanning, and inadequate patch management. The ICO initially proposed a fine of £6.1 million, reduced to £3.07 million following a voluntary settlement under the ICO's informal settlement practice. The penalty notice applied the March 2024 Fining Guidance and emphasised that Advanced processes personal data for Critical National Infrastructure sectors (health and social care): the Commissioner expected Advanced to be aware of the health sector's Critical National Infrastructure status and of the severity of the risks an outage or compromise posed to data subjects' rights and freedoms.
23andMe Inc. (June 2025) — £2.31 million. The ICO fined US genetic-testing company 23andMe £2.31 million for security failures following a large-scale data breach in 2023 that exposed personal data including genetic information. The fine reflects the ICO's heightened scrutiny of security measures for processing special-category personal data under Article 9 UK GDPR (genetic data) and the extraterritorial application of the UK GDPR to non-UK controllers processing UK data subjects' information.
Capita plc (October 2025) — £14 million settlement. The ICO agreed to a £14 million settlement with Capita, the largest ICO settlement to date. The original proposed fine was £45 million, but Capita received a substantial reduction for settling early, admitting the infringement, and agreeing not to appeal. The breach affected 6.6 million people across multiple organisations. The core failure was a 58-hour delay in quarantining a compromised device after detecting suspicious activity; the ICO found that Capita failed to act quickly enough to contain the breach. The settlement illustrates the ICO's use of early-resolution incentives to reduce regulatory costs and secure admissions, mirroring enforcement settlement frameworks used by the Financial Conduct Authority and Ofcom.
British Airways plc (October 2020) — £20 million. The ICO imposed a £20 million fine on British Airways for security failures that led to a cyber-attack between June and September 2018 in which a malicious actor compromised internal BA systems, traversed the network, and edited a JavaScript file on BA's website to exfiltrate customer payment-card data and login credentials. The ICO found that BA failed to process personal data in a manner ensuring appropriate security, in breach of Article 5(1)(f) and Article 32 GDPR. The ICO's initial notice of intent proposed a fine of £183.39 million (1.5% of BA's worldwide turnover), which was reduced to £20 million following representations and in light of the economic impact of the COVID-19 pandemic on the aviation sector. The £20 million penalty remains the largest final monetary penalty the ICO has issued under the GDPR or UK GDPR to date. It illustrates the ICO's willingness to propose fines at the top end of the statutory scale for serious security breaches involving large volumes of personal data, while exercising discretion to account for an organisation's financial position and external economic conditions under the Article 83(1) proportionality requirement.
Police Service of Northern Ireland (October 2024) — £750,000. The ICO fined the Police Service of Northern Ireland £750,000 for a data breach that exposed the personal information of its entire workforce: the surnames, initials, ranks and work locations of officers and staff. This fine illustrates the ICO's public-sector approach: the fine was issued only after a determination that the breach was egregious and especially serious, and the amount was reduced from the £5.6 million the ICO said it would otherwise have imposed on a private-sector organisation of equivalent scale. The breach raised acute risks given the sensitive nature of policing data and the potential for the targeting of officers and staff.
DPP Law Ltd (April 2025) — £60,000. The ICO fined DPP Law Ltd, a Merseyside-based law firm, £60,000 following a cyber-attack in June 2022 that led to highly sensitive personal data (including data relating to crime, military matters, family proceedings, fraud, sexual offences, and actions against the police) being published on the dark web. The breach affected clients subject to statutory anonymity protections under sections 44–45A of the Youth Justice and Criminal Evidence Act 1999 and sections 39 and 49 of the Children and Young Persons Act 1933. The ICO found infringements of Articles 5(1)(f), 32(1), 32(2), and 33 UK GDPR (the Article 33 infringement related to DPP's failure to notify the Commissioner within 72 hours of becoming aware of the breach, as required). The penalty notice applied the March 2024 Fining Guidance and calculated a single penalty for all infringements, ensuring the total did not exceed the maximum for the gravest infringement (Article 5(1)(f), subject to the £17.5 million / 4% higher maximum). The modest amount reflects DPP's size (fewer than 250 staff) and financial position.
Emerging enforcement trends — 2024–2026
ICO enforcement activity in 2024–2025 reflects a strategic shift: the ICO issued fewer fines but collected substantially more in monetary penalties. In the first half of 2025, the ICO issued six fines totalling approximately £5.6 million, already more than double the £2.7 million collected across 18 fines throughout the whole of 2024. The average fine rose from approximately £150,000 in 2024 to roughly £930,000 in the first half of 2025 (£5.6 million across six fines). Two-thirds of fines in the first half of 2025 were for UK GDPR breaches (predominantly Article 32 security failures), compared to one-sixth in 2024; the remainder were for Privacy and Electronic Communications Regulations (PECR) marketing violations. This signals the ICO's prioritisation of data-protection security enforcement over telemarketing and spam enforcement, and a preference for fewer, larger, more impactful penalties over high-volume, low-value fines.
The ICO has indicated it will introduce a formal settlement procedure offering structured fine reductions for early resolution: discounts of up to 40% for settlement before a notice of intent, 30% after notice of intent, and 20% after written representations. This framework was the subject of a consultation in late 2025 on draft Data Protection Enforcement Procedural Guidance and is expected to be formalised in 2026. The settlement framework aims to reduce the cost of contested proceedings for both the ICO and the regulated entity and incentivise early engagement and admissions.
Source: Data Protection Fining Guidance, March 2024
Source: ICO publishes new fining guidance, 18 March 2024
Source: Advanced Computer Software Group Ltd monetary penalty notice, 27 March 2025
Source: British Airways plc penalty notice, 16 October 2020
Source: DPP Law Ltd monetary penalty notice, 14 April 2025
Source: ICO public sector approach