ICO notifies multi-million pound fines for data breaches under the GDPR

The UK's data privacy regulator, the ICO, has started issuing notices of intention to fine data controllers under GDPR for data breaches, with two significant fines announced in the last week.

The maximum fine the ICO can impose for a breach of data protection laws increased under GDPR from £500k under the Data Protection Act 1998 to €20m or 4% of global annual turnover, whichever is greater. GDPR also introduced stronger data breach reporting and notification requirements.

The ICO has now issued two notices of intention to fine in respect of some high-profile data breaches which were notified after GDPR came into effect. The data controllers receiving these notices have been given time to make representations to the Commissioner, who will consider these before making a final decision.

For more on the actions of the ICO, head over to our sister blog technology law update.
