- The Commissioner will determine a starting point for the fine based on the seriousness of the infringement. The Commissioner will categorise the infringement according to its degree of seriousness and apply a starting point based on a percentage of the relevant applicable statutory maximum.
- The Commissioner will use the following categories to determine the starting point:
-
- for infringements that have a high degree of seriousness, the Commissioner will use a starting point of between 20% and 100% of the relevant legal maximum;
- for infringements that have a medium degree of seriousness, the Commissioner will use a starting point of between 10% and 20% of the relevant legal maximum; and
- for infringements that have a lower degree of seriousness, the Commissioner will use a starting point of between 0% and 10% of the relevant legal maximum.
- There is no pre-set ‘tariff’ of starting points for different types of infringement, given the range of conduct that may infringe the UK GDPR or DPA 2018. This is a case-specific assessment that, based on the guidance about the Commissioner’s approach to seriousness set out above, will take into account:
-
- the nature, gravity and duration of the infringement;
- whether it was intentional or negligent; and
- the categories of personal data affected.
- As a general rule, the more serious an infringement, the more likely the Commissioner is to choose a higher starting point within the relevant category. The percentage range for infringements that have a high degree of seriousness is wider than those for infringements with a medium or lower degree of seriousness. This is to allow the Commissioner greater flexibility in deciding on the appropriate fine for more serious infringements. It also recognises that infringements with a lower or medium degree of seriousness are unlikely to warrant a starting point exceeding 10% or 20% of the relevant legal maximum respectively. The Commissioner will keep these percentage ranges under review as this guidance is applied in practice.
- Where an undertaking’s total worldwide annual turnover exceeds £435 million (in relation to the standard maximum amount) or £437.5 million (in relation to the higher maximum amount), the Commissioner will calculate the range for the starting point at Step 1 by reference to the turnover-based percentage figure specified as the relevant statutory maximum. In all other cases, the Commissioner will calculate the range for the starting point at Step 1 as a percentage of the fixed amount specified as the relevant statutory maximum.
- The Commissioner will express the assessment of the level of seriousness at Step 1 as a percentage of the relevant statutory maximum applicable to the infringement. For example, the Commissioner may decide that an infringement falling within the high degree of seriousness category warrants a starting point of 40% of the higher maximum amount (falling within the 20% to 100% range). In that example, for a controller or processor to which the fixed amount applies, this would in practice equate to a starting point of £7 million (40% of £17.5 million).
- For ease of reference, the way in which the Commissioner will apply the starting points to the standard maximum amount and the higher maximum amount is set out in Table A below.
Table A: Application of the starting point at Step 1 based on the standard maximum amount or higher maximum amount
Lower degree of seriousness | Medium degree of seriousness | High degree of seriousness | ||||
Fixed amount | Turnover based | Fixed amount | Turnover based | Fixed amount | Turnover based | |
Standard maximum amount | Up to £870,000 | Up to 0.2% of turnover | £870,000 to £1.74 million | 0.2% to 0.4% of turnover | £1.74 million to £8.7 million | 0.4% to 2% of turnover |
Higher maximum amount | Up to £1.75 million | Up to 0.4% of turnover | £1.75 million to £3.5 million | 0.4% to 0.8% of turnover | £3.5 million to £17.5 million | 0.8% to 4% of turnover |