ICO reveals how it will enforce data protection legislation

The ICO has published guidance revealing how it will enforce data protection legislation.

The guidance explains the ICO’s powers, when it will use them and how it calculates fines. It contains a “nine-step mechanism” for calculating fines, which is:

  1. Assessment of seriousness
  2. Assessment of degree of culpability
  3. Determination of turnover
  4. Calculation of an appropriate starting point
  5. Consideration of relevant aggravating and mitigating features
  6. Consideration of financial means
  7. Assessment of financial means
  8. Assessment of economic impact
  9. Assessment of effectiveness, proportionality, dissuasiveness
  10. Early payment reduction


The ICO has created a matrix to calculate the appropriate starting point for fines. Case-specific aggravating and mitigating factors will still be assessed and applied after that.

The guidance also sets out how, when calculating a fine, the ICO must consider the desirability of promoting economic growth. This may be a nod to the damage caused to the economy by COVID-19.
