The ICO exists to empower you through information.

  1. As explained in Effectiveness, proportionality and dissuasiveness above, the Commissioner is required to ensure that any fine imposed for an infringement of UK GDPR or DPA 2018 is, in each case, effective, proportionate and dissuasive.
  2. At Step 5, the Commissioner will therefore consider the circumstances of the case in the round to assess whether the fine reached at the end of Step 4 is appropriate. The Commissioner will adjust the amount of the fine at Step 5, if necessary, to ensure that:
    • the overall fine is effective, proportionate and dissuasive; and
    • it does not exceed the relevant statutory maximum amount.
  1. Where the Commissioner has found that a controller or processor has infringed more than one provision of the UK GDPR or DPA 2018 in relation to the same or linked processing operations (see The Commissioner’s approach to fines where there is more than one infringement by a controller or processor above), the Commissioner will assess the effectiveness, proportionality and dissuasiveness of:
    • the fine amount for each infringement calculated at the end of Step 4; and
    • the combined amount of the overall fine (ie the sum of the fine amounts imposed for each infringement).
  1. Where the Commissioner considers that an adjustment is needed at Step 5 to ensure the fine is sufficiently dissuasive, the Commissioner may adjust the overall fine (rather than the amounts for each infringement).
  2. By contrast, where the Commissioner has found that different forms of conduct by a controller or processor have infringed separate provisions of the UK GDPR or DPA 2018, the Commissioner will assess the effectiveness, proportionality and dissuasiveness of each fine separately.

Whether the fine amount is effective, proportionate and dissuasive

  1. In carrying out the assessment, the Commissioner will be mindful that the aim of Steps 1 to 4 of the calculation is to identify a fine amount that is effective, proportionate and dissuasive. The purpose of Step 5 is to provide the opportunity for the Commissioner check that is the case. It allows the Commissioner to increase or decrease the penalty as necessary, having regard to all the relevant circumstances of each individual case.
  2. There is a degree of overlap between the concepts of effectiveness, proportionality and dissuasiveness. The Commissioner’s decision on an appropriate fine amount is not a mechanistic assessment, but one of evaluation and judgement.
  3. The Commissioner will first consider whether the fine amount at the end of Step 4 is effective in ensuring compliance with data protection legislation or providing an appropriate sanction for each infringement.
  4. The Commissioner will then consider whether the fine amount is dissuasive, taking into account both ‘specific deterrence’ and ‘general deterrence’ (see Effectiveness, proportionality and dissuasiveness above):
    • For specific deterrence, the Commissioner may increase the overall fine reached after Step 4 to ensure that the amount is sufficient to deter the controller or processor from infringing data protection law in the future, taking into account its size and financial position, as well as any other relevant circumstances of the case. The Commissioner may impose a higher fine on a larger organisation than a smaller organisation for a similar infringement to achieve the necessary deterrent effect.
    • For general deterrence, the Commissioner may increase the overall fine reached after Step 4 to deter others from committing the same infringement in the future.
  1. Finally, the Commissioner will consider whether the fine is proportionate. This assessment involves the exercise of the Commissioner’s judgement and discretion, taking into account the nature and specific context of the infringement.
  2. In reaching a decision on whether a fine is effective, proportionate and dissuasive, the Commissioner will have regard to all relevant circumstances of each individual case. This includes:
    • the seriousness of the infringement;
    • any aggravating or mitigating factors;
    • the controller or processor’s size and financial position; and
    • the need for effective deterrence. 98
  1. A controller or processor responsible for a serious infringement of UK GDPR or DPA 2018 should not avoid a fine solely on the basis of its financial position. This would undermine a key purpose of the legislation. 99 However, the Commissioner will consider an organisation or individual’s financial hardship and ability to pay following the determination of an appropriate fine (see Financial hardship below).
  2. This guidance ensures that the Commissioner adopts a consistent approach to calculating fines. It also provides flexibility to set the appropriate fine amount based on the specific facts and circumstances of each infringement. In assessing whether the fine is proportionate, the Commissioner will have regard to the level of fines set in previous cases, where relevant. However, the Commissioner is not bound by previous decisions. The Commissioner may, taking into account the individual circumstances of each case, impose higher fines in future cases than in previous ones, for example to ensure effective deterrence.

Adjustment to ensure that the statutory maximum amount is not exceeded

  1. The final amount of the fine must not exceed the relevant statutory maximum amount. Therefore, the Commissioner will, as a final check, ensure that the fine does not do so and will decrease it if necessary.

 


98 The Commissioner will generally take into account an undertaking’s total worldwide annual turnover as the primary indicator of its size and financial position. However, the Commissioner will also consider other financial indicators where relevant, such as profits, net assets or dividends.

99 See Doorstep Dispensaree Limited v Information Commissioner, [2021] UKFTT (Information Rights), EA/2020/0065/V, 9 August 2021, paragraph 93. Upheld on appeal: see Doorstep Dispensaree Limited v Information Commissioner, [2023] UKUT 132 (AAC).