Skip to content
LegalVision UK

What Powers Does the ICO Have to Fine My Company Millions of Pounds in England?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

As a business owner, your primary concern is your company’s bottom line. Whilst some years your business will make more profit than others, it is vital that your business produces good profit margins and tries to keep some cash in the bank. A significant threat to your organisation’s well-earned monies is the Information Commissioner’s Office (ICO) and its ability to fine your company up to £17.5 million for non-compliance with data protection rules. This article will explore the power of the ICO to award hefty financial penalties to businesses in England and ways for your company to reduce the risk of suffering an ICO fine.

Who Are the ICO?

The ICO are an independent body established by the Government to explain and enforce data protection law. In particular, the ICO are on the lookout for breaches of the General Data Protection Regulation (GDPR) and regularly hands out fines to businesses in breach.

If the ICO believes your organisation has infringed GDPR rules, it will conduct a formal investigation. This will likely involve the ICO approaching you and asking you about the period in question. At the end of the process, they are likely to conclude in one of the following ways:

  • decide that your business is not in breach;
  • conclude that your business has violated the GDPR, but a non-financial warning will suffice; or
  • conclude that your business has committed a material breach of GDPR and issue your company a financial penalty of up to £17.5 million.

This article will explore the ICO’s ability to enforce fines against companies in England.

Which Types of Data Protection Breaches Tend to Result in ICO Fines?

Whilst any breach of GDPR rules can lead to an ICO investigation and enforcement action, the following examples are relatively common:

  • failure to correctly deal with subject access requests (SARs);
  • unsafe storage of staff information;
  • disclosure of sensitive personal information outside your company absent lawful reason;
  • any failure to report a serious data breach to the ICO within 72 hours;
  • unreasonable monitoring or unjustified covert recording of individuals in the workplace; and
  • failure to delete personal data once it is of no further use.

Absent any mitigating circumstances, the ICO may decide to impose a daunting fine on your company.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

ICO Fines

Whilst the ICO can technically award fines up to £17.5 million, it rarely issues penalties above £1 million. Some examples of high ICO fines include:

  • £20 million to British Airways when their poor cybersecurity measures allowed cyberattackers to steal the personal and financial details of more than 400,000 customers;
  • £18.4 million to Marriott Hotels for taking four years to realise that a cyber attack exposed the personal records (including names, email addresses and passport numbers) of over 300 million guests worldwide; and 
  • £1.25 million to Ticketmaster for failing to ensure adequate security on its online payment page, resulting in cybercriminals obtaining the financial details of 1.5 million customers.

Absent severe breaches, the ICO tends to award financial penalties in the thousands or tens of thousands. However, the fine level depends on the severity of the harm caused to individuals.  For example, a company that inadvertently leaks the personal data of 400 people is likely to receive a hefty fine. In contrast, a small business accidentally leaking information relating to eight individuals will receive a smaller penalty.

What Mitigating Circumstances Will the ICO Consider?

The ICO will consider any mitigating circumstances before deciding on a fine level. Whilst they are the UK’s independent authority on good practice as to data privacy, they are willing to take circumstances into account.

For example, the ICO can take into account any of the following factors:

  • whether your company has a clean record or has received any ICO fines before;
  • your organisation having good data protection policies and procedures in place;
  • speedy, prompt and accurate communication between your business and the ICO during the investigation; and
  • any evidence of a firm intention to follow GDPR rules before the alleged breach (including any appointment of a data protection officer).

Whilst these factors may be insufficient to avoid financial penalties, they could at least help justify a lower fine from the ICO.

Key Takeaways

It is worth being aware that the ICO has a bite to match its bark. During 2020 and 2021, the ICO handed out financial penalties totalling over £40 million. This figure is projected to rise in the upcoming years. Fortunately, the ICO website itself provides helpful guidance on how to comply with the GDPR fully. By following these rules, your business can avoid fines.

If you need help complying with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

How can my company avoid a fine from the ICO?

There are various ways to get in the ICO’s good books and make an excellent first impression. One example includes polite and prompt contact with them during an investigation.

Why does the ICO have the power to impose such significant fines?

Because it acknowledges that this is the best way to motivate businesses in England to comply with the GDPR. The ICO views it as the public interest for companies and public bodies to comply with data protection rules, hence their intention to provide hefty fines as a deterrent. 

Register for our free webinars

A Roadmap to Business Success: How to Franchise in the UK

Online
Learn the formula for successfully franchising your UK business. Register for our free webinar today.
Register Now

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Five GDPR-Related Cybersecurity Mistakes Business Owners Make in the UK

Four Ways a Lawyer Can Help Your Business in England Comply With the GDPR 

How Should My Business in England Handle Requests for Data Erasure Under the GDPR? 

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times