UK General Data Protection Regulation (UK GDPR)

GDPR penalties and fines

Guide

If you fail to comply with the UK General Data Protection Regulation (UK GDPR), you could face enforcement action by the Information Commissioner's Office (ICO).

The ICO can issue sanctions for a breach of the regulation, including:

  • warnings and reprimands
  • compliance orders
  • bans on processing or data transfers (permanent or temporary)
  • administrative fines

Some of these will apply to both data controllers and processors, and may significantly impact your business' day-to-day operations.

Fines for infringement of the UK GDPR

Failure to comply with the UK GDPR may leave you open to substantial fines. There are two tiers of fines:

  • a maximum fine of £17.5 million or 4 per cent of annual global turnover - whichever is greater - for infringement of any of the data protection principles or rights of individuals
  • a maximum fine of £8.7 million or 2 per cent of annual global turnover - whichever is higher - for infringement of other provisions, such as administrative requirements of the legislation

The fines are discretionary rather than mandatory. The ICO will impose them proportionately, on a case-by-case basis, and typically as a last resort.

How does the ICO determine the level of penalties?

The ICO will consider a number of factors when determining the level of penalties, including::

  • the nature, gravity, and duration of the infringement
  • the number of people affected and the extent of the damage to them
  • whether the breach was intentional or negligent
  • any previous history of noncompliance
  • any action taken to mitigate the damage
  • whether the controller notified the ICO of the infringement and co-operated

See more on reporting serious breaches of personal data.

A breach affecting individuals in EEA countries will engage the EU GDPR. For businesses that process personal data of EU citizens, failure to comply with the EU GDPR may result in penalties under the EU regulation. A maximum fine under the EU GDPR is €20 million or 4 per cent of the business's total annual worldwide turnover.

As part of your breach response plan, you should establish which European data protection agency is the lead supervisory authority for the processing activities that have been subject to the breach. For more information, see guidance on identifying your lead authority.

Impact of GDPR non-compliance

The impact of fines for a breach of data protection regulations can be devastating. However, there are other aspects to consider which can contribute to the financial loss you may suffer as a result of a data breach.

You may be subject to:

  • private claims for compensation for damages suffered - these can be instigated by individuals or consumer protection bodies on behalf of individuals.
  • reputational damage
  • loss of consumer trust

It is therefore imperative that you comply with the relevant data protection principles, rights of individuals and the appropriate technical and organisational measures to protect the personal data you hold and process.

This guide does not constitute legal advice and is provided for general information purposes only.