Skip to content

When Could Your Business Face a Fine From the ICO for Breaching the GDPR in the UK?

Table of Contents

Data protection laws in the UK state that your business must safely handle, store and distribute personal data and sensitive information. The Information Commissioner’s Office (ICO) is the independent supervisory authority which ensures your business complies with data protection law. It can investigate alleged breaches of data protection laws such as the GDPR and issue your organisation a hefty fine. This article will explain when the Information Commissioner’s Office may investigate your company for breaching data protection law. This will help you to take appropriate action to avoid an investigation and potential enforcement action, which can include substantial fines from the ICO.

ICO’s Role

One of the primary purposes of the ICO is to act when your business fails to do any of the following:

  • provide quick responses to Subject Access Requests (SARs);
  • correctly handle personal data of staff, customers or third parties;
  • limit staff monitoring in the workplace to a reasonable level; 
  • correctly store, amend and delete employee records and data;
  • avoid non-disclosure of personal information outside your business without the consent of that person (except for legal reasons); and
  • report serious personal data breaches to the ICO within 72 hours.

When your company acts in a way that fails to meet any of the above requirements, it risks triggering an ICO investigation which could ultimately lead to a fine.

ICO Investigations

The ICO may start an investigation to audit your company. But, more commonly, it will begin an investigation following an individual lodging an online complaint against your organisation.

The most common ICO complaints against companies include the following:

  • failure to correctly handle a Subject Access Request (otherwise known as a SAR) in breach of the GDPR;
  • unreasonable monitoring of employees at work;
  • using sensitive personal information without consent or lawful purpose; and
  • failing to report a serious personal data breach to the ICO within 72 hours.

When the ICO carry out an investigation, it will:

  • contact you to inform you of their concerns and any alleged breach of GDPR rules;
  • ask you questions to aid their investigation;
  • potentially ask for specific data from you; and 
  • conclude their investigation by deciding whether your business has breached data protection rules.

If they decide that your company has committed a data protection breach, they will determine whether to provide your business with a penalty notice.

Front page of publication
UK Startup Manual

LegalVision’s Startup Manual is essential reading material for any startup founder looking to launch and grow a successful startup.

Download Now
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Mitigating Circumstances

The ICO wants to help and encourage your company to process data safely, so do not wish to provide unnecessary fines when a lesser sanction could have the same effect. Therefore, the ICO may issue a direction to take remedial action for a minor breach rather than automatically awarding you a fine. For example, remedial action might include your business implementing company policies to avoid future data breaches.

The ICO will treat the following as mitigating circumstances:

  • your business making a genuine effort to follow data protection rules (including any appointment of a Data Protection Officer);
  • where your company has not committed a breach or received a fine before;
  • when you have provided staff training and have written policies to encourage good data handling by staff; and
  • whether the actual harm to individuals (known as data subjects) was minor.

Penalty Notice Cost

The largest fine the ICO can award you is £17.5m (or 4% of your annual global turnover). This maximum penalty is intentionally high to deter companies, like yours, from breaching data protection laws.

However, in reality, the ICO will grade different data protection breaches differently depending on their seriousness. So, for example, they will award a minor fine for unlawful disclosure of ten individuals’ home addresses outside the company than a leaked document on the internet containing the full names, home addresses, dates of birth and medical information of 1,000 employees. This is because the breach is much more severe due to the inclusion of such sensitive information, increasing the risk to those individuals of identity theft.

During 2020 – 2021, the ICO issued £42m in fines against companies. These fines may increase; therefore, your company must comply with the relevant data protection requirements.

Guarding Against ICO Fines

You must have complete knowledge of the data protection requirements that apply to your company to guard against receiving an ICO fine. Thankfully, the ICO website contains several handy, easy-to-read guides on handling Subject Access Requests to when to report a personal data breach to the ICO.

Key Takeaways

Your business must comply with data protection laws such as the GDPR. You must ensure that you handle and store data correctly. Otherwise, you will likely face an investigation by the ICO. This could result in a fine, though you may receive a less severe sanction if you can demonstrate you made genuine efforts to comply with your data obligations.

If you need help with data protection rules and ICO investigations into an alleged breach of the GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Will the ICO consider genuine attempts to follow their guidance when deciding on sanctions for a data breach?

Yes, the ICO will contain relevant mitigating circumstances, including a genuine intent to follow data protection rules.

When is my company ‘processing’ data?

The ICO considers your business to ‘process’ data when it stores, records, discloses, retrieves, alters or deletes the information. Given how broad this definition is, it is easy to see how easily the ICO can become involved in any alleged breach of data protection law.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards