The ICO exists to empower you through information.

  1. Section 155 DPA 2018 sets out the Commissioner’s power to issue penalty notices.
  2. As explained in more detail below, the Commissioner may impose a fine where a person has failed:
    • or is failing, to comply with certain provisions of the UK GDPR or DPA 20183; or
    • to comply with an information notice, assessment notice or enforcement notice given under Part 6 DPA 2018.4
  3. The Commissioner can only exercise the powers to impose fines under Article 58(2)(i) and Article 83 UK GDPR by giving a penalty notice in accordance with section 155 DPA 2018.5
  4. Section 160(1)(d) DPA 2018 requires the Commissioner to produce and publish guidance about how the Commissioner proposes to exercise functions in connection with penalty notices. The Commissioner’s guidance must explain:
    • the circumstances in which the Commissioner would consider it appropriate to issue a penalty notice; and
    • how the Commissioner will determine the amount of the fine.6
  5. Before finalising this guidance, the Commissioner consulted the Secretary of State and conducted a public consultation.7 The Commissioner has also arranged to lay the finalised guidance before Parliament.8
  6. This fining guidance applies from the date of publication to new cases relating to infringements of the UK GDPR or DPA 2018. It also applies to ongoing cases in which the Commissioner has not yet issued a notice of intent to impose a fine.9


3 Section 155(1)(a) DPA 2018.

4 Section 155(1)(b) DPA 2018.

5 As specified by s115(9) DPA 2018

6 Section 160(7)(a) and (c) DPA 2018. Section 160(7) also requires the Commissioner to produce and publish statutory guidance about (i) the circumstances in which the Commissioner would consider it appropriate to allow a person to make oral representations about the Commissioner’s intention to give the person a penalty notice (section 160(7)(b)) and (ii) how the Commissioner will determine how to proceed if a person does not comply with a penalty notice (section 160(7)(d)). This guidance is currently set out in the Regulatory Action Policy.

7 As required by section 160(9) DPA 2018.

8 As required by section 160(11) DPA 2018.

9 Schedule 16, paragraph 2(1) DPA 2018.