GovernStack
🛡️Cybersecurity

GDPR Fine Exposure Estimator — ICO Enforcement Calculator

The ICO has issued some of the largest data protection fines in the world — British Airways was fined £20 million for a breach exposing 400,000 customers, Marriott International received £18.4 million after a breach affecting 339 million guest records, and TikTok was fined £12.7 million for unlawfully processing children's data. Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover — whichever is higher. This GDPR fine estimator models your maximum exposure based on the type of violation, your global annual turnover, and the mitigating or aggravating factors the ICO considers when setting the final amount. It is an educational tool — not legal advice — but it provides a realistic sense of the financial risk organisations face when data protection obligations are not met.

Breach of core principles (lawfulness, purpose limitation), data subject rights violations

Enter in millions. e.g. 50 = £50M. Leave blank to use fixed maximum only.

Display currency
Fetching live rates…
✓ Mitigating Factors
✗ Aggravating Factors
Fine Exposure Estimate
Fixed Max
£17.50M
Turnover Max
Legal Maximum
£17.50M
Likely Fine
£4.38M
Estimated fine range
Low
£1.75M
High
£7.88M

UK GDPR / DPA 2018. GBP fine limits converted at live rates for reference only — ICO fines are issued in GBP. Educational estimate only.

Frequently Asked Questions

What are the two tiers of GDPR fines in the UK?

Under UK GDPR, there are two tiers. The lower tier covers less serious violations (such as not maintaining records or not notifying the ICO of a breach) — up to £8.7 million or 2% of global annual turnover. The upper tier covers more serious violations (such as breaching core principles, data subject rights, or international transfers) — up to £17.5 million or 4% of global annual turnover.

How does the ICO decide how large a fine to issue?

The ICO considers multiple factors including the nature, gravity, and duration of the infringement; whether the violation was intentional or negligent; any action taken to mitigate damage; the degree of responsibility; categories of personal data affected; how the ICO found out; previous infringements; and whether the organisation cooperated with the investigation.

Is "% of global turnover" always higher than the fixed maximum?

Not always. For small and medium businesses, the fixed maximum (£8.7M or £17.5M) will likely exceed their turnover-based calculation. For large multinationals, the turnover-based figure can dwarf the fixed maximum — which is precisely why it was designed this way.

Can I be fined for a breach I did not know about?

Yes. GDPR imposes obligations around breach detection, containment, and reporting. If you experienced a breach but lacked the security controls to detect it promptly, that itself may constitute a violation of Article 32 (appropriate technical and organisational measures), potentially attracting a fine independent of the breach itself.

Does having ISO 27001 certification reduce GDPR fine risk?

Certification alone does not guarantee reduced fines, but demonstrating a mature information security management system is one of the mitigating factors the ICO considers. It provides evidence that you took data protection obligations seriously — which can influence both the decision to fine and the final amount.

What are some notable ICO fines under UK GDPR?

Major ICO enforcement actions include: British Airways (£20 million) for a 2018 breach exposing payment card data of approximately 400,000 customers; Marriott International (£18.4 million) for a breach affecting up to 339 million guest records; TikTok (£12.7 million) for unlawfully processing the personal data of children under 13; and Interserve Group (£4.4 million) for failing to keep employee data secure. These cases illustrate that the ICO actively pursues large fines where organisations fail to meet their data protection obligations.

Related Tools