Fletchers Data Claims

How much is a data breach fine?

September 20, 2021
What is the cost of a data breach fine?

After a data breach takes place, you might wonder how the Information Commissioners Office (ICO) determine how much to fine those at fault? This post will explore what the ICO considers when deciding on the cost of a data breach fine, and how you can receive data breach compensation for any damages or distress

How does the ICO decide on a data breach fine?

When considering a financial penalty, the ICO considers factors set out in the General Data Protection Regulation (GPDR) and the Regulatory Action Policy.

These are two important data breach reports.

Under GDPR an individual can be responsible for a data breach and ‘Article 83’ of the GDPR code establishes the factors that need to be taken into consideration. These include:

  • The nature, gravity, and duration of the infringement
  • The number of data subjects affected
  • The level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any relevant previous infringements
  • The degree of cooperation with the supervisory authority
  • The categories of personal data affected by the infringement
  • The way the infringement became known; and
  • Any other aggravating or mitigating factors applicable to the case

How many steps are there to determining a data breach fine? 

The ICO follows a five-step approach when determining the end value of any fine. This is set out in the Regulatory Action Policy’s steps and data breach meaning process:

  • 1: Removing any financial gain. This essentially means that any financial gains from a breach by the data controller will be taken away.
  • 2: Involves the censure based on scale and severity. This looks at the nature of the failure and whether the party at fault could have had more measures in place to avoid the breach.
  • 3: Considers aggravating factors, such as poor security. If these are present the ICO can increase any fine to reflect this.
  • 4: Involves the ICO being under the obligation to impose a penalty which is dissuasive. This is the deterrent effect.
  • 5: Considers any mitigating factors, including the data controller’s ability to pay and their financial hardship. This could be in the form of what the data controller has done after the breach to improve their systems. If present, the ICO can ultimately reduce the level of fine. An example being the case of British Airways whose fine was reduced by 20% after mitigating factors where present.

The ICO follows a five-step approach

How much can a data breach ICO fine come to?

When it comes to the data breach ICO team determining the cost of a fine, it could end up being be a costly mistake!

Failure to notify the ICO of a breach when required to do so can result in a heavy fine. According to the ICO’s penalty information online:

“If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”

In addition to this, an ICO fine for data breaches can be combined with the ICO’s other corrective powers under Article 58. Ultimately, the ICO can increase or decrease the fine depending on any of the factors mentioned above.

What is a data breach in relation to costs and fines?

When it comes to answering, ‘what is a data breach?’ or understanding the data breach meaning, particularly in relation to the ICO’s rulings and penalties, the fundamentals remain the same.

We know a data breach to be ‘an incident where data is either accidentally or intentionally exposed in a vulnerable system, usually due to poor security or vulnerabilities in the software.’  

There are more answers to frequently asked questions on breaches can also be found on our FAQs page.

Exposure of confidential data can land individuals and companies in hot water

Can I claim for data breach compensation?

If you believe that your data has been stolen in a data breach, our expert team are a click, or phone call away, from assessing your entitlement to data breach compensation.

Our data claims expertise is part of the growing legal services provided by Fletchers Solicitors, a ‘Top 100 UK Law Firm’ with over 30 years’ experience of fighting for consumer rights.

Once we have spoken to you, or read your account of what has happened in detail, a data claims legal expert will assess:

  • Your entitlement to claim for data compensation for any losses or damage
  • The level of distress that the incident has caused, also
Recent posts