🚀 Launch offer: Sign up free and get 60 days full Pro access — no credit card needed. Claim it →
The Information Commissioner's Office has fined organisations hundreds of millions of pounds since UK GDPR took effect. Across the EU, GDPR enforcement has been even more sweeping: 3,202 enforcement cases and over €6.31 billion in total fines across 32 countries since 2018. The single largest fine: €1.2 billion against Meta Platforms Ireland. While headlines focus on household names, regulators in both the UK and EU regularly investigate and fine small and medium businesses. Understanding what triggers an investigation — and how fines are calculated — is essential for any business handling personal data.
The ICO can fine organisations up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious violations. For less serious breaches, fines can reach £8.7 million or 2% of turnover. EU DPAs can fine up to €20 million or 4% of global annual turnover.
UK GDPR establishes two tiers of financial penalties, mirroring the EU GDPR structure:
Failure to implement appropriate technical security measures, resulting in a breach affecting 400,000 customers. Payment data was scraped by attackers over several months. · 2020
Inadequate security measures following acquisition of Starwood Hotels, where attackers had been in the system for four years before discovery. · 2020
ICO fined Clearview for scraping biometric data of UK residents without lawful basis. The fine was initially overturned by the First-tier Tribunal in 2023, but the Upper Tribunal upheld the ICO's appeal in October 2025. Case ongoing. · 2022–2025
Processing personal data of children under 13 without parental consent, failing to use children's data transparently. · 2023
Ransomware attack that disrupted NHS services. Insufficient security controls including MFA not applied consistently. · 2024
These are the ten largest GDPR fines ever issued globally (source: GDPR Enforcement Tracker, enforcementtracker.com). They illustrate both the scale of potential penalties and the violation types that attract the biggest sanctions:
Unlawful transfer of EU personal data to the US without adequate safeguards (Art. 46). The largest GDPR fine ever issued — found by Ireland's DPC on foot of an EDPB binding decision. · 2023
Unlawful transfer of EEA user data to China without adequate protection; insufficient transparency about data flows to Chinese employees. · 2025
Processing children's personal data unlawfully under its business accounts feature. Default settings exposed children's accounts publicly. · 2023
Relying on contractual necessity rather than consent to serve behavioural advertising — unlawful processing basis for targeted ads. · 2023
Unlawful processing of personal data for behavioural analysis and targeted advertising without valid consent or legitimate interest. · 2023
Transferred EU driver data to the US for over two years without adequate transfer safeguards following the Schrems II ruling. · 2023
A clear pattern: the largest fines cluster around three violations — (1) unlawful international data transfers, (2) using behavioural advertising without a valid lawful basis, and (3) failing to protect children's data. These same Article 5, 6, and 44–46 violations appear across EU enforcement at all scales.
The ICO publishes its enforcement priorities and case outcomes. The most common triggers for investigation include:
Any personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it (Article 33). Breaches that pose a high risk to individuals must also be communicated directly to those affected (Article 34). Late reporting significantly increases the severity of any sanction.
Sending unsolicited marketing emails or texts is one of the most common complaints the ICO receives. Under PECR, you must have specific prior consent for electronic marketing. The ICO regularly fines companies for buying email lists, continuing to market to people who have unsubscribed, and sending marketing without a lawful basis.
The ICO's ongoing cookie sweep programme actively checks UK websites. Setting analytics or advertising cookies before obtaining consent is a routine enforcement action. Unlike major breaches, cookie violations are often resolved through formal notices and fines without requiring a data breach.
Failing to respond to a Subject Access Request within one month, refusing a legitimate erasure request, or failing to provide data in a portable format are all enforceable violations. Many ICO complaints come directly from individuals whose requests were ignored.
The ICO considers multiple factors when setting a fine. These include:
Small businesses can expect lower fines than large corporations for the same violation — the ICO explicitly considers proportionality and ability to pay. However, "we are a small business" is not a defence against enforcement.
Most organisations that process personal data must pay a data protection fee to the ICO annually. Failure to do so is itself an offence. The fee ranges from £40 (micro-organisations) to £2,900 (large organisations). Check ico.org.uk/registration to see if your organisation is exempt.
Find out if your business is at risk
AlgoGrass identifies the exact GDPR issues that lead to ICO enforcement and shows you how to fix them.
Check my compliance risk →