🚀 Launch offer: Sign up free and get 60 days full Pro access — no credit card needed. Claim it →

← Back to blog
Compliance5 Jun 2026 · 10 min read

ICO Enforcement in 2025–26: Key Lessons for UK SMEs

The Information Commissioner's Office (ICO) continues to fine businesses of all sizes — and size is no defence. Meanwhile, across the EU, regulators have issued over €6.31 billion in GDPR fines across 3,202 cases since enforcement began in 2018. The most common failures are consistent: no lawful basis for processing, weak security measures, and inadequate transparency. Here's what UK businesses can learn from both ICO enforcement and the EU-wide picture.

3,202
Total EU+UK enforcement cases (2018–2026)
€6.31B
Total fines issued across 32 countries
€1.2B
Largest single fine (Meta, Ireland, 2023)
Art. 5 & 6
Most-cited GDPR articles in enforcement

The ICO has explicitly stated that size is not a defence. Sole traders and micro-businesses have received enforcement notices and fines. If you collect personal data, GDPR obligations apply to you regardless of company size.

1Notable ICO enforcement actions 2024–26

These cases illustrate the patterns in ICO enforcement and the specific failures that trigger action:

Software company (name withheld)£350,000

Sent 107 million unsolicited marketing emails. The company had no valid consent from recipients and failed to provide an easy opt-out mechanism. Fine issued under PECR (Privacy and Electronic Communications Regulations).

NHS Trust£200,000

Emailed sensitive personal data (patient medical information) to wrong recipients on multiple occasions. ICO cited failure to implement adequate technical measures — a basic access control issue.

Law firm (SME)£60,000

Cyber attack resulted in client data exposure. ICO investigation found the firm had not implemented multi-factor authentication, used outdated software, and had no documented incident response plan.

Marketing company£140,000

Purchased marketing lists without verifying that individuals had given valid consent. Relied on consent claimed by the list vendor without independently checking consent records.

The SME law firm case is particularly instructive: the fine was not for the attack itself, but for failing to have reasonable security measures in place. The ICO's test is whether you took appropriate steps for the risk — not whether a breach happened.

2What the ICO is actively targeting

Based on ICO enforcement notices, reprimands, and public guidance issued in 2024–25, these are the areas under active scrutiny:

  • Cookie consent: banners that pre-tick analytics and marketing cookies, hide reject options, or use dark patterns to nudge acceptance. The ICO sent formal notices to several major news publishers in 2024.
  • Marketing emails without valid consent: purchasing lists, using "soft opt-in" without understanding the rules, sending to contacts who haven't consented to email marketing.
  • Inadequate security: no MFA on admin accounts, unpatched software, no data encryption at rest, no security incident response plan.
  • Failure to respond to DSARs (Subject Access Requests): missing the one-month deadline, providing incomplete responses, or charging fees where none are permitted.
  • Unlawful retention: keeping customer data indefinitely with no deletion schedule or documented retention policy.
  • Privacy notices: missing or inadequate notices that don't reflect actual data processing, or using generic templates without customisation.

3The EU enforcement picture: what 9 years of data tells us

The GDPR Enforcement Tracker (enforcementtracker.com) compiles all publicly disclosed GDPR enforcement actions across 32 European countries. The data since 2018 reveals consistent patterns that apply equally to UK businesses operating under UK GDPR:

  • Top violation #1 — Insufficient legal basis for data processing (Art. 6): ~950 cases. Processing personal data without a valid lawful basis is the single most-enforced violation. This means businesses processing data without consent, legitimate interest, or another Art. 6 ground documented in writing.
  • Top violation #2 — Non-compliance with data processing principles (Art. 5): ~800 cases. Article 5 covers the core GDPR principles — lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity. Regulators cite Art. 5 in nearly every serious enforcement action.
  • Top violation #3 — Insufficient technical & organisational measures (Art. 32): ~600 cases. Security failures — no encryption, no MFA, unpatched systems, inadequate access controls. Art. 32 is the most common route for fines following a data breach.
  • Top violation #4 — Transparency failures (Art. 13/14): ~540 cases. Failing to provide adequate privacy information at the point of data collection. Inadequate or missing privacy notices are among the easiest compliance gaps for regulators to identify.
  • Most fined sector: Industry & Commerce (~615 cases), followed by Media/Telecoms (~375), Public Sector (~370), Finance/Insurance (~335), and Healthcare (~285). No sector is exempt.
  • Most active DPA: Spain (1,078 cases tracked), followed by Italy, Romania, and Germany. The ICO is comparatively less active by case count but issues some of the largest individual fines.

The largest single GDPR fine ever issued was €1.2 billion against Meta Platforms Ireland (May 2023) for unlawful data transfers to the US without adequate safeguards. The next largest: TikTok €530 million (2025), Meta €405 million (2023), LinkedIn €310 million (2023), and Uber €290 million (2023). All relate to either data transfers, children's data, or insufficient lawful basis.

4The ICO's approach to SMEs

The ICO has published guidance on its approach to smaller organisations. In practice, the Commissioner uses a range of tools beyond fines — reprimands, enforcement notices, and published case summaries — that damage reputation even without a financial penalty.

The ICO typically investigates following a complaint from a data subject, a mandatory breach notification, or proactive sweeps (such as cookie compliance audits across specific sectors). You do not need to be the subject of a large breach for an investigation to begin — a single complaint about an unlawful marketing email is sufficient to trigger a case.

The ICO publishes all enforcement actions on its website, including the name of the organisation and the specific breach. Reputational damage from being named in an ICO enforcement notice often exceeds the financial cost for smaller businesses. Customers, partners, and investors check the register.

4The five most common SME compliance failures

  • 1. Cookie banners that don't actually block cookies before consent — analytics scripts load before the user clicks anything. Technically illegal, common, and increasingly enforced.
  • 2. Privacy policies copied from templates that don't reflect actual data processing. Your policy must accurately describe your specific tools, purposes, and lawful bases.
  • 3. No Data Processing Agreements with processors — if you use Mailchimp, HubSpot, Xero, or any SaaS tool, you need a DPA. Most providers offer one but you must accept it.
  • 4. DSAR requests ignored or delayed past 30 days. Any individual can ask for all data you hold on them — you must respond within one calendar month.
  • 5. No documented retention and deletion schedule. "We keep it forever" is not a lawful retention period. You need a documented schedule and you need to follow it.

6How to reduce your ICO risk

  • Scan your website: use a real scanning tool that checks what scripts load before cookie consent is given. Browser developer tools alone won't catch everything.
  • Review your cookie banner: ensure the reject option is as prominent as accept, and nothing loads before consent is given.
  • Check your privacy policy covers your actual tools and processing — not just generic categories.
  • Audit your processor list: every SaaS tool that touches personal data needs a DPA. Go through your subscriptions and check.
  • Set up a DSAR process: know where data is held, designate someone to handle requests, set a calendar reminder to respond within 30 days.
  • Implement basic security hygiene: MFA on all admin accounts, password manager, encrypted backups, basic incident response plan.
  • Document everything: the ICO responds well to evidence of good faith efforts to comply. A documented compliance programme, even if imperfect, demonstrates accountability.

AlgoGrass performs a live scan of your website to identify the compliance gaps most likely to attract ICO attention — cookie consent failures, missing privacy notices, data form issues, and HTTPS problems. Run a free scan →

7If you receive an ICO complaint or investigation

If the ICO contacts you, respond promptly and cooperatively. The ICO's enforcement guidance emphasises that voluntary cooperation and swift remediation are mitigating factors in penalty decisions. A fine that might be £200,000 in an egregious case may be reduced significantly where the organisation demonstrates genuine efforts to comply and remediate.

  • Don't ignore communications — the ICO treats non-cooperation seriously
  • Gather your documentation: processing records, consent evidence, security policies, DSAR response records
  • Consider seeking legal advice from a data protection solicitor
  • Remediate the issue quickly and document what you've done
  • Be honest: if something went wrong, acknowledge it and explain what you've changed

Find your compliance gaps before the ICO does

AlgoGrass scans your live website for the exact issues the ICO investigates — cookie consent failures, missing privacy notices, insecure forms, and missing documents. Fix them before they become enforcement actions.

Scan my website free →