We are currently consulting on this draft guidance.
- The Commissioner will determine a starting amount for the fine based on the seriousness of the infringement. The Commissioner will categorise the infringement according to its degree of seriousness and apply a starting point based on a percentage of the relevant applicable statutory maximum.
- The Commissioner will use the following categories to determine the starting amount:
  - for the most serious infringements, the Commissioner will use a starting point of between 20% and 100% of the relevant legal maximum;
  - for infringements that have a medium degree of seriousness, the Commissioner will use a starting point of between 10% and 20% of the relevant legal maximum; and
  - for infringements that have a lower degree of seriousness, the Commissioner will use a starting point of between 0% and 10% of the relevant legal maximum.
- There is no pre-set ‘tariff’ of starting points for different types of infringement, given the range of conduct that may infringe the UK GDPR or DPA 2018. This is a case-specific assessment that, based on the guidance about the Commissioner’s approach to seriousness set out above, will take into account:
  - the nature, gravity and duration of the infringement;
  - whether it was intentional or negligent; and
  - the categories of personal data affected.
- As a general rule, the more serious an infringement, the more likely the Commissioner is to choose a higher starting amount within the relevant category. The percentage range for the most serious infringement category is wider than those for infringements with a medium or lower degree of seriousness. This is to allow the Commissioner greater flexibility in deciding on the appropriate fine for more serious infringements. It also recognises that infringements with a lower or medium degree of seriousness are unlikely to warrant a fine exceeding 10% or 20% of the relevant legal maximum respectively. The Commissioner will keep these percentage ranges under review as this guidance is applied in practice.
- Where an undertaking’s total worldwide annual turnover exceeds £435 million (in relation to the standard maximum amount) and £437.5 million (in relation to the higher maximum amount), the Commissioner will calculate the range for the starting amount at Step 1 by reference to the turnover-based percentage figure specified as the relevant statutory maximum. In all other cases, the Commissioner will calculate the range for the starting amount at Step 1 as a percentage of the fixed amount specified as the relevant statutory maximum.
- The Commissioner will express the assessment of the level of seriousness at Step 1 as a percentage of the relevant statutory maximum applicable to the infringement. For example, the Commissioner may decide that an infringement falling within the most serious category warrants a starting point of 40% of the higher maximum amount (falling within the 20% to 100% range). For a controller or processor to which the fixed amount applies, this would in practice equate to a starting point of £7 million (40% of £17.5 million).
- For ease of reference, the way in which the Commissioner will apply the starting points to the standard maximum amount and the higher maximum amount is set out in Table A below.
Table A: Application of the starting amount at Step 1 based on the standard maximum amount or higher maximum amount

| | Lower degree of seriousness: fixed amount | Lower degree of seriousness: turnover based | Medium degree of seriousness: fixed amount | Medium degree of seriousness: turnover based | Most serious: fixed amount | Most serious: turnover based |
|---|---|---|---|---|---|---|
| Standard maximum amount | £0 to £870,000 | 0% to 0.2% of turnover | £870,000 to £1.74 million | 0.2% to 0.4% of turnover | £1.74 million to £8.7 million | 0.4% to 2% of turnover |
| Higher maximum amount | £0 to £1.75 million | 0% to 0.4% of turnover | £1.75 million to £3.5 million | 0.4% to 0.8% of turnover | £3.5 million to £17.5 million | 0.8% to 4% of turnover |