The ICO exists to empower you through information.

 

  1. The Commissioner will determine a starting amount for the fine based on the seriousness of the infringement. The Commissioner will categorise the infringement according to its degree of seriousness and apply a starting point based on a percentage of the relevant applicable statutory maximum.
  2. The Commissioner will use the following categories to determine the starting amount:
    • for the most serious infringements, the Commissioner will use a starting point of between 20% and 100% of the relevant legal maximum;
    • for infringements that have a medium degree of seriousness, the Commissioner will use a starting point of between 10% and 20% of the relevant legal maximum; and
    • for infringements that have a lower degree of seriousness, the Commissioner will use a starting point of between 0% and 10% of the relevant legal maximum.
  1. There is no pre-set ‘tariff’ of starting points for different types of infringement, given the range of conduct that may infringe the UK GDPR or DPA 2018. This is a case-specific assessment that, based on the guidance about the Commissioner’s approach to seriousness set out above, will take into account:
    • the nature, gravity and duration of the infringement;
    • whether it was intentional or negligent; and
    • the categories of personal data affected.
  1. As a general rule, the more serious an infringement, the more likely the Commissioner is to choose a higher starting amount within the relevant category. The percentage range for the most serious infringement category is wider than those for infringements with a medium or lower degree of seriousness. This is to allow the Commissioner greater flexibility in deciding on the appropriate fine for more serious infringements. It also recognises that infringements with a lower or medium degree of seriousness are unlikely to warrant a fine exceeding 10% or 20% of the relevant legal maximum respectively. The Commissioner will keep these percentage ranges under review as this guidance is applied in practice.
  2. Where an undertaking’s total worldwide annual turnover exceeds £435 million (in relation to the standard maximum amount) and £437.5 million (in relation to the higher maximum amount), the Commissioner will calculate the range for the starting amount at Step 1 by reference to the turnover-based percentage figure specified as the relevant statutory maximum. In all other cases, the Commissioner will calculate the range for the starting amount at Step 1 as a percentage of the fixed amount specified as the relevant statutory maximum.
  3. The Commissioner will express the assessment of the level of seriousness at Step 1 as a percentage of the relevant statutory maximum applicable to the infringement. For example, the Commissioner may decide that an infringement falling within the most serious category warrants a starting point of 40% of the higher maximum amount (falling within the 20% to 100% range). For a controller or processor to which the fixed amount applies, this would in practice equate to a starting point of £7 million (40% of £17.5 million).
  4. For ease of reference, the way in which the Commissioner will apply the starting points to the standard maximum amount and the higher maximum amount is set out in Table A below.

Table A: Application of the starting amount at Step 1 based on the standard maximum amount or higher maximum amount

  Lower degree of seriousness Medium degree of seriousness Most serious
  Fixed amount Turnover based Fixed amount Turnover based Fixed amount Turnover based
Standard maximum amount £0 to £870,000 0% to 0.2% of turnover £870,000 to £1.74 million 0.2% to 0.4% of turnover £1.74 million to £8.7 million 0.4% to 2% of turnover
Higher maximum amount £0 to £1.75 million 0% to 0.4% of turnover £1.75 million to £3.5 million 0.4% to 0.8% of turnover £3.5 million to £17.5 million 0.8% to 4% of turnover