
  1. The Information Commissioner (the Commissioner) is responsible for monitoring and enforcing the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
  2. This guidance sets out the circumstances in which the Commissioner would consider it appropriate to exercise administrative discretion to issue a penalty notice. The Commissioner can issue penalty notices for infringements of the UK GDPR, Part 3 DPA 2018 (Law Enforcement Processing) or Part 4 DPA 2018 (Intelligence Services Processing). The Commissioner can also issue penalty notices for a failure to comply with an information notice, an assessment notice or an enforcement notice given under Part 6 DPA 2018. This guidance also explains how the Commissioner determines the amount of any fine imposed.
  3. The Commissioner has published this guidance in performance of the statutory obligation to publish guidance about penalty notices, as set out in section 160 DPA 2018. The Commissioner will have regard to this guidance when deciding whether to issue a penalty notice and when setting the amount of any fine. It has been presented to Parliament pursuant to section 160(11) DPA 2018.
  4. This guidance replaces the sections about penalty notices in the Regulatory Action Policy published in November 2018. That policy previously set out the Commissioner’s guidance on when issuing a penalty notice is appropriate[1] and the approach to determining the amount of any fine.[2]

[1] Regulatory Action Policy, page 24.
[2] Regulatory Action Policy, page 27.