The ICO exists to empower you through information.

  1. When deciding whether to issue a penalty notice, and in determining the amount of the fine, the Commissioner must have regard (so far as relevant) to the factors listed in Articles 83(1) and (2) UK GDPR (for processing that falls under the UK GDPR) or section 155(3) DPA 2018 (for processing that falls under Part 3 or Part 4 DPA 2018 or a failure to comply with an information notice, assessment notice or enforcement notice).15 These factors include the requirement that, in each individual case, a fine imposed by the Commissioner must be effective, proportionate and dissuasive.16
  2. The factors set out in Article 83(2) UK GDPR17 that the Commissioner must have regard to are:

    (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

    (b) the intentional or negligent character of the infringement;

    (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

    (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 UK GDPR;

    (e) any relevant previous infringements by the controller or processor;

    (f) the degree of cooperation with the Commissioner, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

    (g) the categories of personal data affected by the infringement;

    (h) the manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the controller or processor notified the infringement;

    (i) where measures referred to in Article 58(2) UK GDPR have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

    (j) adherence to approved codes of conduct pursuant to Article 40 UK GDPR or approved certification mechanisms pursuant to Article 42 UK GDPR; and

    (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
  3. Please see Circumstances in which the Commissioner would consider it appropriate to issue a penalty notice for a detailed explanation as to how the Commissioner takes these factors into account.


15 Section 155(2) DPA 2018.

16 Article 83(1) UK GDPR and section 155(3)(l) DPA 2018. See further below for an explanation of how the Commissioner assesses whether a penalty is effective, proportionate and dissuasive.

17 A similar list of factors is set out in section 155(3) DPA 2018 in relation to penalties imposed in respect of infringements of the DPA 2018.