Big fines for big undertakings? Recent ICO guidance to be digested (without giving you indigestion!)

New data protection fining guidance (the Guidance) covering the circumstances in which the Information Commissioner would consider exercising their discretion to issue a penalty notice was published by the Information Commissioner’s Office in March 2024. The Guidance restates many aspects of the Commissioner’s pre-existing fining methodology, while expanding upon some important and previously unexplored issues with the potential to affect a wide range of public and independent healthcare organisations.

Fines may be in prospect when a data controller or data processor fails to comply with (amongst other things) the Data Processing Principles, rights of data subjects, and the requirement to communicate a personal data breach to the Commissioner. The maximum limit for a fine under the UK GDPR depends upon whether the controller or processor is an ‘undertaking’ – a term with which previous guidance did not engage.  The Guidance explains that the term has its origin in competition law, and refers to any entity engaged in economic activity, regardless of its legal status or the way in which it is financed. Public authorities, state-controlled enterprises and charities can all fall within the definition if they are carrying on an economic activity.

Importantly, an undertaking consists of multiple legal or natural persons forming a ‘single economic unit’.  There is no requirement for the undertaking to be a single entity with legal personality.  The Guidance states that “whether or not an individual controller or processor forms part of a wider undertaking depends on whether it can act autonomously or whether another legal or natural person, for example a parent company, exercises decisive influence over it”. If the latter applies, the Commissioner may seek to understand the economic, organisational, and legal links which tie the relevant subsidiary to the parent company, and where these are ‘decisive’, may take the view that an undertaking exists – thus increasing the potential fine.

In the health and care sector, the multitude of projects, collaborations, and other joint ventures may provide fertile conditions for a finding that an undertaking exists, particularly where multiple legal persons are working together without a clear understanding of data protection roles, responsibilities, and lines of demarcation between them.  The need for projects and relationships involving the sharing or transfer of data to be properly documented, and to incorporate data protection by design, is clear.

Independent healthcare providers facing a potential fine may find the issue to be a pressing one.  While the standard maximum amount for a fine is £8.7 million, for an undertaking it is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.  Similarly, the higher maximum amount is £17.5 million, but for an undertaking it is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.