![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
Since April 2010, the Information Commissioner's Office (ICO) has had the power to impose fines of up to £500,000 for serious breaches of the DPA.
To date, the ICO has issued 14 fines, but information obtained by
under a freedom of information request indicates that the final penalty is often substantially reduced. In one case, a £200,000 penalty imposed on a lawyer, Andrew Crossley, was reduced to just £1,000 after Crossley filed for bankruptcy. A further four cases revealed an average reduction of around 20 percent in the value of the fine the ICO had originally considered.
When considering what fine to impose, the ICO considers the severity of the breach and any representations made by the data controller—with the data controller's ability to pay being one of the factors the ICO will consider. Data controllers are therefore well-advised to consider what representations they can make to the ICO to minimise the value of any potential fine they face.
