The ICO exists to empower you through information.

The Information Commissioner is responsible for monitoring and enforcing the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Commissioner can issue penalty notices for certain infringements of the UK GDPR or DPA 2018.

The Information Commissioner’s Office (ICO) consulted on new draft Data Protection Fining Guidance (the Fining Guidance) on 27 October 2023. The consultation closed on 27 November 2023. 

The formal power to impose fines rests with the Commissioner. In practice, the Commissioner is supported by the ICO, with the ICO’s staff acting under delegated authority from the Commissioner. Where this response refers to the ‘ICO’, ‘we’ or ‘our’ in the context of taking action in relation to the Fining Guidance, it should, where relevant, be understood as a reference to the Commissioner taking action.

We have considered respondents’ views carefully. Below, we summarise the key themes that emerged from the responses along with the ICO’s views. We also explain where changes have been made to the Fining Guidance as a result. This summary is not intended to be a comprehensive record of all the views expressed, nor to be a comprehensive response to all individual points raised by respondents. 

We thank everyone who took the time to comment and share their views.