ICO provides guidance on calculating monetary penalties

On October 1, 2020, the Office of the UK Information Commissioner (ICO) released a draft legal guide that provides clarity on how privacy laws are regulated and enforced in the UK. The guidelines, which stand alongside the ICO directive for regulatory measures, cover the range of enforcement powers of the ICO. Most interesting, however, is the section on how the ICO calculates fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR). .

The ICO has launched a public consultation on its draft policy, which will remain open until November 12, 2020. As legal guidelines, the guidelines will then be submitted to Parliament for approval.

The leadership

The guidelines describe a “nine-step mechanism” for calculating the proposed fines, which is composed as follows:

1. Assessment of the severity taking into account relevant factors in accordance with Section 155 DPA 2018 The considerations applied here are known and correspond to those of Article 83 (2) of the GDPR. For example type, severity and duration of the infringement, measures to reduce damage, degree of cooperation with the ICO, categories of personal data, previous data protection deficiencies, etc.
2. Assessment of the fault of the organization in question The degree of fault of the organization is taken into account, that is, the degree of error by the controller or processor. This is determined by the evaluation of the technical and organizational measures of the organization by the ICO. The ICO will also take into account the intentional or negligent nature of the incident.
3. Determination of sales The ICO will review the relevant accounts and, if necessary, seek expert financial or accounting advice to determine the amount of sales. In cases where the turnover or equivalent is minimal, the ICO will give greater weight to the factors considered in the other steps.
4th Calculation of a suitable starting point The ICO will then agree on a starting point for calculating the penalty (using a matrix – see image 1) based on the severity of the violation and the degree of fault. The appropriate percentage is then applied to sales or an equivalent (as determined in step 3).

· A low severity violation combined with a low / no fault level could result in the corresponding percentage of 0.125% being applied to the relevant sales.

· A violation of the severity level “very high” combined with the level of “deliberate” guilt may result in the corresponding percentage of 3% being applied to the relevant turnover.

5. Consideration of relevant aggravating and mitigating features The ICO will then take into account all other aggravating and mitigating factors that apply to the circumstances of the individual case, such as B. financial gain or loss avoided, directly or indirectly, by the breach. This may increase or decrease the number in Step 4, depending on the circumstances.
6th Consideration of financial resources The ICO will then examine whether the organization can pay the proposed fine and whether this could lead to undue financial difficulties. This is especially important when an organization’s solvency is unclear or its financial, trade, or competitive status has recently changed.
7th Assessment of the economic impact In performing its regulatory functions, the ICO must take into account that it is desirable to promote economic growth and ensure that it only takes regulatory action when necessary. Where appropriate, economic impacts across the sector need to be taken into account.
8th. Assessment of effectiveness, proportionality and deterrence The ICO will ensure that the amount of the proposed fine is in effect. relatively; and deterrent and will adjust it accordingly.
9. Reduction of early payment The ICO will reduce the fine by 20% if it receives full payment of the fine within 28 calendar days of the notification being sent.


While these guidelines are in draft form, they provide welcome clarity on the ICO’s methodology in calculating fines.

Step 4 of “Calculating a suitable starting point” is new and will be particularly helpful for organizations in order to record their incident and the factors specific to them using the sliding scale matrix of the ICO.

Step 7 is also aimed at providing some level of convenience in the current economic circumstances so that when calculating a penalty the ICO can also take into account that it is desirable to encourage economic growth and the impact across the sector.

Here you will also find our blog post on the German model for fines under the GDPR.

Image 1 – Step 4 matrix

Recent articles

Crypto exchanges struggle as El Salvador adopts Bitcoin

Today, Bitcoin is becoming an official currency in El Salvador, and the markets and crypto exchanges seem to be struggling. On...

Schools are back – and time to comply with the ICO’s Age Appropriate Design Code

As of September 2, 2021, the United Kingdom's Information Commissioner's Office ("ICO") expects organizations to use their Age Appropriate Design Code ("AADC"). The...

the ICO wants input on when personal data goes international

You don't have to be a data-focused IT service provider to realize that the UK was lucky enough to receive an adequacy decision from...