Unpacking the ICO new fining guidance: what you need to know

May 29th '24

Unpacking the Information Commissioner’s Office (ICO) new fining guidance: what you need to know


The ICO has introduced new fining guidance that provides a structured framework for determining fines under the UK’s data protection laws. This guidance offers critical insights into the factors the ICO considers when deciding to levy fines, ensuring transparency and understanding for organisations subject to uk data protection regulations.


  • Step-by-step process of fine calculation


Nature, gravity, and duration of infringement

The information commissioner’s office guidance outlines a clear methodology, starting with the assessment of the nature, gravity, and duration of the infringement. This evaluation focuses on the seriousness of the violation, considering both the scale and the potential or actual harm caused to data subjects.


Aggravating and mitigating factors

The guidance identifies both aggravating and mitigating factors that could influence the final fine amount. Aggravating factors may include deliberate violations or failures to cooperate with investigations, whereas mitigating factors might involve proactive measures taken by the organisation to address and rectify the breach before the information commissioner’s office intervention.


ICO: effectiveness, proportionality, and dissuasion

Fines must be effective, proportionate, and dissuasive. The ICO aims to ensure that penalties are substantial enough to discourage non-compliance while being fair and commensurate with the severity of the infringement.


  • Calculation based on turnover


Determining the starting point

The starting point for fine calculation is based on the organisation’s turnover. The ICO uses illustrative tables to provide clarity on how fines are proportionally related to the financial standing of the organisation. This method ensures that fines are significant yet manageable relative to the size and economic capacity of the business.


Concept of an undertaking

An ‘undertaking’ is defined according to uk competition law, considering a single economic unit rather than a strict commercial or tax law perspective. This means the turnover of the entire group or parent company may be considered, impacting the potential fine size significantly.


  • Specific factors influencing fine calculation


Systematic and extensive profiling

The ICO highlights that large-scale profiling and processing of personal data can increase the seriousness of an infringement. This includes activities that involve systematic and extensive profiling of data subjects, such as in the case of the easylife fine.


Number of data subjects affected

The guidance clarifies that both the actual and potential number of data subjects affected will be considered. This approach raises the stakes for organisations, as potential impacts, not just actual damages, can influence the fine.


Types of personal data

Certain types of data, such as financial, location, and special category data, are deemed particularly sensitive. Infringements involving these data types may attract higher fines due to the increased risk and potential harm to data subjects.


Discrimination and psychological harm

The ICO now explicitly includes non-material damage, such as discrimination and psychological harm, as factors in fine calculations. This reflects a broader understanding of the potential impacts of data breaches and the importance of protecting data subjects from various forms of harm.


  • Cooperation and mitigation


Proactive measures and cooperation

The ICO favours organisations that demonstrate proactive measures to mitigate breaches. Cooperation with supervisory authorities and prompt, transparent actions can significantly reduce the severity of fines. Delayed or obstructive behaviours, however, are likely to be seen as aggravating factors.


Reporting to the NCSC

While not a legal obligation, reporting cybersecurity incidents to the National Cyber Security Centre (NCSC) and following their guidance can be seen as a positive mitigating factor. This demonstrates a commitment to addressing and managing data breaches effectively.


 Comparison with EDPB guidance

The ICO’s approach aligns with the European Data Protection Board (EDPB) guidance, indicating a convergence in methodologies for calculating administrative fines across the uk and eu. This alignment provides additional clarity and consistency for organisations operating in multiple jurisdictions.


  • Practical implications for businesses


Practical tools and examples

The guidance includes practical tables and examples that help businesses understand the ICO’s approach to fines. These tools aid in assessing potential risks and preparing for compliance requirements, offering a clearer understanding of the financial implications of data protection violations.


 Case-by-case basis

Despite the structured approach, the ICO emphasises that each case will be treated individually, maintaining discretion in final decisions. This ensures that fines are tailored to the specific circumstances of each infringement, reflecting the unique aspects and context of each case.


  • Conclusion

The ICO’s new fining guidance provides a comprehensive framework that enhances transparency and predictability in the calculation of fines for data protection infringements. By outlining key factors and offering practical tools, the guidance supports organisations in understanding their compliance obligations and the potential financial consequences of non-compliance. This structured yet flexible approach ensures that fines are fair, proportionate, and effective in promoting data protection compliance across the UK.


If you need assistance with any of the ICO requirements for firms under UK GDPR or the DPA 2018, please contact us.


About us

At LS Consultancy, we provide a cost-effective compliance support including data protection compliance support services to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose.


Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.


Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.


Explore our full range today.


Contact us


Why Not Download our FREE Brochures! Click here.


Need A Regulatory Marketing Compliance Consultant? A Bit More About Us


Call Us Today on 020 8087 2377 or send us an email.


We welcome individual bloggers / Professional Writers / Freelancers to submit high quality contents. Find out more…



Connect with us via social media and drop us a message from there. We’d love to hear from you and discuss how we can help.


Facebook | Instagram | LinkedIn | X (formally Twitter) | YouTube


Contact us