Skip to content

How Does the ICO Decide to Fine a Company in England?

Table of Contents

Businesses must be aware of financial penalties for not complying with data protection rules. The Information Commissioner’s Office (ICO) is well-known as the independent body that enforces data protection rules. The primary data protection law is the General Data Protection Regulation (GDPR). The ICO helps businesses comply with the GDPR and enforces action against non-compliant companies. If the ICO believes your business is breaching the GDPR, it may impose a fine of up to £17.5m. This article will explore how the ICO decides whether to fine a business and how much the subsequent penalty will be. Accordingly, your business can evaluate the cost of GDPR compliance against the potential fine.

Why Does the ICO Impose Fines?

The ICO ensures businesses handle data safely and fairly. Without repercussions, companies may try to reduce costs by breaching data protection rules, such as ignoring Subject Access Requests. Therefore, by issuing fines, the ICO deters businesses from breaching GDPR rules.  

When Does the ICO Impose Fines?

Theoretically, the ICO can impose a fine for any breach of the GDPR.

Realistically the ICO will issue financial penalties in respect of the following GDPR violations:

  • failing to handle Subject Access Requests correctly or within the correct timeframe;
  • disclosing sensitive personal information to third parties without consent or lawful reason;
  • failing to report serious data breaches to the ICO within 72 hours;
  • exposing staff to unreasonable monitoring in the workplace;
  • failing to delete personal data within an appropriate period; and
  • suffering a data breach or cyber attack when your business could have prevented it with proper safeguards.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

How Much Could the ICO Fine My Business?

The ICO may issue fines of up to £17.5m. In addition, between 2020 and 2021, the ICO issued £42m of financial penalties within enforcement action against companies. In reality, excessive fines are rare and generally limited to significant breaches. Moreover, most fines are lower, as the corresponding data breaches will affect a small number of people. Nevertheless, your business may still receive a fine in the region of tens of thousands of pounds for GDPR breaches.

Mitigating Circumstances

Depending on the nature of the data protection breach, the ICO may acknowledge mitigating circumstances and reduce the fine.

Amongst other things, the ICO may treat the following as mitigating circumstances:

  • a breach causing limited harm to individuals;
  • evidence of implementing systems that lower the risk of a data breach, such as staff training and written policies concerning the GDPR;
  • if this is the first time the ICO has found your company in breach; or
  • your organisation appoints a Data Protection Officer to ensure compliance with data protection rules.

Key Takeaways

Overall, the ICO aims to help businesses protect customer data. By issuing penalties to non-compliant businesses, companies are less likely to breach GDPR rules. However, the ICO will consider mitigating circumstances and may reduce penalties accordingly. In addition, the ICO provides practical guidance on its website. This guidance can help your business avoid enforcement notices and financial penalties and achieve good data protection practices.

If you need help with data protection rules and ICO investigations into potential violations of the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

Does the ICO issue lesser penalties than fines to companies that have breached the GDPR?

Yes, the ICO can provide the equivalent of a written warning and ask a business to implement avoidance measures. However, the ICO is only likely to do so to first-time offenders who have only committed a minor violation of the GDPR with minimal impact on individuals.

Is the UK GDPR and EU GDPR the same thing?

Essentially, yes. The General Data Protection Regulation 2018 is known as the UK GDPR, GDPR 2018 and EU GDPR. This can be confusing when making internet searches for guidance, but they all contain the same rules and principles.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards