GDPR (and its UK equivalent, UK GDPR) provides supervisory authorities with the power to impose significant administrative fines. The ICO (Information Commissioner's Office) in the UK can issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. This estimator helps you understand your maximum fine exposure for different categories of violation, and the factors that regulators consider when setting the actual amount.
Violation category: breach of core principles (lawfulness, purpose limitation), data subject rights violations.
Annual turnover (£): enter in millions, e.g. 50 = £50M. Leave blank to use the fixed maximum only.
Fine Exposure Estimate (upper tier, no turnover entered):
Fixed Max: £17.50M
Turnover Max: —
Legal Maximum: £17.50M
Likely Fine: £4.38M
Estimated fine range: Low £1.75M, High £7.88M
UK GDPR / DPA 2018. GBP fine limits converted at live rates for reference only — ICO fines are issued in GBP. Educational estimate only.
Frequently Asked Questions
What are the two tiers of GDPR fines in the UK?
Under UK GDPR, there are two tiers. The lower tier covers less serious violations (such as not maintaining records or not notifying the ICO of a breach) — up to £8.7 million or 2% of global annual turnover. The upper tier covers more serious violations (such as breaching core principles, data subject rights, or international transfers) — up to £17.5 million or 4% of global annual turnover.
How does the ICO decide how large a fine to issue?
The ICO considers multiple factors including the nature, gravity, and duration of the infringement; whether the violation was intentional or negligent; any action taken to mitigate damage; the degree of responsibility; categories of personal data affected; how the ICO found out; previous infringements; and whether the organisation cooperated with the investigation.
Is "% of global turnover" always higher than the fixed maximum?
Not always. For small and medium businesses, the fixed maximum (£8.7M or £17.5M) will likely exceed their turnover-based calculation. For large multinationals, the turnover-based figure can dwarf the fixed maximum — which is precisely why it was designed this way.
Can I be fined for a breach I did not know about?
Yes. GDPR imposes obligations around breach detection, containment, and reporting. If you experienced a breach but lacked the security controls to detect it promptly, that itself may constitute a violation of Article 32 (appropriate technical and organisational measures), potentially attracting a fine independent of the breach itself.
Does having ISO 27001 certification reduce GDPR fine risk?
Certification alone does not guarantee reduced fines, but demonstrating a mature information security management system is one of the mitigating factors the ICO considers. It provides evidence that you took data protection obligations seriously — which can influence both the decision to fine and the final amount.