UK GDPR: Enforcement & Penalties
Enforcement & Penalties [Art 83]
Regulator: Information Commissioner’s Office (ICO)
Powers:
- Issue warnings and reprimands
- Order compliance
- Impose temporary or permanent processing bans
- Order rectification, restriction, or erasure
- Suspend international data transfers
Penalties:
- Standard maximum: £8.7M or 2% of global annual turnover (whichever is higher)
- Higher maximum: £17.5M or 4% of global annual turnover (whichever is higher)
- Higher tier for violations of: principles, lawful basis, consent, data subject rights, international transfers
Notable enforcement: ICO has issued fines of £20M+ for serious violations (British Airways, Marriott).
Source Text (Article 83)
Infringements of the following provisions shall… be subject to administrative fines up to £8,700,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringements of the following provisions shall… be subject to administrative fines up to £17,500,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (b) the data subjects’ rights pursuant to Articles 12 to 22; (c) the transfers of personal data…
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount… due regard shall be given [to factors including] the nature, gravity and duration of the infringement…