Under the Data Protection Act 1998, the Information Commissioners’ Office (ICO) could only impose a monetary penalty of up to £500,000.

The Privacy and Electronic Communication Regulation 2003 also gives the regulator the ability to impose a fine of £500,000 for poor marketing practices.  This will change when the Electronic Privacy Regulation (ePrivacy) comes in – expected to be mid-late 2020 – and fines for this will be in line with the GDPR.

The GDPR raises the bar significantly on the Data Protection Act 1998, imposing huge fines and other penalties on data controllers and data processors for non-compliance and failing to prove how you comply – on demand.

Here, we explain the implications of non-compliance, what it means for your business and how this can be avoided.

Fines & Penalties

The ICO are now armed with several options to impose fines and non-financial penalties on your business, however it is the fines that get the most publicity.

How Are Fines Decided?

Although GDPR is a EU-wide legislation, fines are decided upon and administered by the member state in which the breach occurred. For example, a breach in the UK would be overseen by the ICO, irrespective of where the data subjects were located.

As a guide, the following criteria are used to determine the amount of a fine on a firm that is not compliant.  If you fall into any of these criteria, then please get in touch with our privacy team today.

Nature of infringement: the number of people affected, damage suffered, the duration of the infringement the purpose of processing.

Intention: whether the infringement is intentional or negligent.

Mitigation: actions taken to mitigate damage to data subjects

Preventative measures: how much technical and organisational preparation the firm had previously implemented to prevent non-compliance.

History: past infringements, which may be interpreted to include infringements under the Data Protection Act 1998 (not just the GDPR), past administrative corrections under GDPR, from warnings to bans on processing and fines.

Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement.

Data type: what types of data the infringement impacts; see special categories of personal data

Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.

Certification: whether the firm had qualified under approved certifications or adhered to codes of conduct.

Other: other aggravating or mitigating factors may include financial impact on the organisation from the infringement.


There are two tiers of administrative fine that can be levied under the GDPR for non-compliance.

1.     Up to €10 million, or 2% of annual global turnover – whichever is greater; or

2.     Up to €20 million, or 4% of annual global turnover – whichever is greater

If the ICO deem you worthy of a monetary penalty, then the nature of your breach or failure of compliance will dictate which tier you fall under.

Fines of up to €10 million, or 2% of annual global turnover can be issued for:

  • Infringements of Article 8 – conditions for children’s consent;
  • Infringements of Article 11 – processing that doesn’t require identification;
  • Infringements of Articles 25-39 – general obligations of processors and controllers;
  • Infringements of Article 42 – certification;
  • Infringements of Article 43 – certification bodies

Fines of up to €20 million, or 4% of annual global turnover can be issued for:

  • Infringements of Article 5 – data processing principles
  • Infringements of Article 6 – lawfulness of processing
  • Infringements of Article 7 – conditions for consent
  • Infringements of Article 9 – processing of special categories of data
  • Infringements of Article 12-22 – data subject rights
  • Infringements of Article 44-49 – data transfers to third countries or international organisations

These fines may seem unrealistic or excessive, however, in the short time GDPR has been active across Europe, although the European regulators have issued the most number of fines, the UK ICO has issued the highest “intention to fine” notices – against British Airways and Marriot Hotels – £183m and £99m respectively.

These fine notices were issued within days of each other – instantly bringing the total to £282m under GDPR. A large sum, considering the largest fine issued to Facebook under the Data Protection Act 1998 was £500,000.

This also addresses the assumption that all big companies must have their house in order, so we’re safe to work with them. – clearly not so, which is why due diligence is such a vital element.  Do your homework and if in doubt, consult our specialist team.

Other significant fines across Europe have included:

  • Germany – €14,500,000 – non-compliance of the general data processing principles
  • Austria – €18,000,000 – insufficient legal basis for processing
  • France – €50,000,000 – various failures under data protection
  • Bulgaria – €2,600,000 – insufficient technical and security processes to protect data

Many fines also been issued by Supervisory Authorities for hundreds of thousands of Euros for different types of breaches.


The ICO can also impose restrictions on your business operation (instead of, or in addition to a fine).

Information Notices

This requires a data controller or data processor – your business, or a supplier – to provide information that the ICO reasonably requires to carry out their functions.

If you’re not able to provide the information they have requested, then this immediately suggests you are not able to demonstrate a reasonable degree of compliance. That said, if you are able to demonstrate the information is scheduled for completion as part of your privacy project plan (and it is on course for completion), then they will be far more lenient.

Assessment Notices

An assessment notice gives the ICO incredible powers – they may demand to enter your premises and examine your documents, equipment and other records. They may also demand explanations for activities, observe and interview staff.

The ICO are known for conducting raids on rogue marketers and this type of enforcement has been extended to wider processing activities under GDPR.

Enforcement Notices

These can be issued where the ICO is satisfied that one of four types of compliance failure are occurring.

An enforcement notice will require you to take specified steps, refrain from activities, or both.  As an example, your business could be barred from processing data until a specific time, or the ICO decide otherwise. Unable to receive personal data, use personal data or send personal data out, this would close most businesses down.

The Fall Out

If you happen to be on the receiving end of an ICO investigation, then you should take swift action to remedy your failings.

While you may be late addressing these failings, it is never too late to begin – and recruiting professional guidance may look favourably with the ICO as you are taking your obligations seriously.

We have helped many companies off the back of an impending ICO investigation – for both marketing breaches and general data protection breaches.  Sometimes, we have found loop holes in your activity that can be closed very quickly, to great effect.

If you do receive a fine or other sanction, however, then you will subject to press release from the ICO – and due to the focus on GDPR enforcement, you will attract attention from the mainstream, regional, local and trade press.

Data Subject Access Requests

Off the back of this negative attention, it has been known for data subjects to submit Subject Access Requests to find out exactly what information you have on them and if your failings have any impact on their personal data. This puts additional pressure on the business to administer this request in ONE CALENDAR MONTH.

Civil Enforcement/No Win, No Fee

Depending on the nature of the enforcement, you could also see yourself on the end of civil enforcement cases, where data subjects issue legal proceedings against you for failing to offer appropriate protection to their personal data.

The Morrisons case is one to note – each of the 100,000 employees affected by the Morrisons data breach are trying to take their employer to court for damage and distress caused.

With the end of PPI, specialist claims solicitors are now offering No Win, No Fee cases to people affected by GDPR failings in organisations.

Remember, it is your LEGAL DUTY to provide an appropriate level of protection to the personal data you process. It is a not a choice you can simply make.