Guidance

Data protection fining

Guidance explaining when penalty notices may be issued under UK GDPR, DPA 2018, and how fines are determined for non-compliance.

Documents

Data protection fining

Request an accessible format.
If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email alt.formats@dsit.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Details

The Information Commissioner enforces the UK GDPR and Data Protection Act 2018 (DPA 2018).

This document explains when penalty notices can be issued, such as for breaking data protection laws or failing to follow notices like enforcement or assessment notices. It also explains how fines are calculated.

Published under Section 160 of the DPA 2018, this guidance replaces the 2018 Regulatory Action Policy and provides clear rules for issuing penalties and setting fine amounts.

This document is also available on The Information Commissioner’s Office website.

Updates to this page

Published 18 March 2024

Sign up for emails or print this page