🚀 Launch offer: Sign up free and get 60 days full Pro access — no credit card needed. Claim it →

← Back to blog
Compliance12 Feb 2025 · 7 min read

Understanding ICO Fines: What Gets UK Businesses Fined?

The Information Commissioner's Office has fined organisations hundreds of millions of pounds since UK GDPR took effect. Across the EU, GDPR enforcement has been even more sweeping: 3,202 enforcement cases and over €6.31 billion in total fines across 32 countries since 2018. The single largest fine: €1.2 billion against Meta Platforms Ireland. While headlines focus on household names, regulators in both the UK and EU regularly investigate and fine small and medium businesses. Understanding what triggers an investigation — and how fines are calculated — is essential for any business handling personal data.

The ICO can fine organisations up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious violations. For less serious breaches, fines can reach £8.7 million or 2% of turnover. EU DPAs can fine up to €20 million or 4% of global annual turnover.

The Two Tiers of ICO Fines

UK GDPR establishes two tiers of financial penalties, mirroring the EU GDPR structure:

Tier 1 — Up to £8.7 million (or 2% of global turnover)

  • Failure to implement appropriate technical and organisational security measures
  • Not having a Data Processing Agreement with subprocessors
  • Failing to notify the ICO of a data breach within 72 hours
  • Not maintaining required records of processing activities
  • Processing children's data without age-appropriate safeguards

Tier 2 — Up to £17.5 million (or 4% of global turnover)

  • Processing data without a lawful basis
  • Violating the fundamental principles of GDPR (lawfulness, fairness, transparency)
  • Failing to respect data subject rights (ignoring access requests, refusing erasure)
  • Transferring data to a third country without adequate safeguards
  • Processing special category data without meeting the additional conditions

Real ICO Enforcement Cases: What Actually Gets Fined

British Airways£20 million

Failure to implement appropriate technical security measures, resulting in a breach affecting 400,000 customers. Payment data was scraped by attackers over several months. · 2020

Marriott International£18.4 million

Inadequate security measures following acquisition of Starwood Hotels, where attackers had been in the system for four years before discovery. · 2020

Clearview AI£7.5 million (disputed)

ICO fined Clearview for scraping biometric data of UK residents without lawful basis. The fine was initially overturned by the First-tier Tribunal in 2023, but the Upper Tribunal upheld the ICO's appeal in October 2025. Case ongoing. · 2022–2025

TikTok£12.7 million

Processing personal data of children under 13 without parental consent, failing to use children's data transparently. · 2023

Advanced Computer Software£3.07 million

Ransomware attack that disrupted NHS services. Insufficient security controls including MFA not applied consistently. · 2024

The EU's Largest GDPR Fines: Global Context

These are the ten largest GDPR fines ever issued globally (source: GDPR Enforcement Tracker, enforcementtracker.com). They illustrate both the scale of potential penalties and the violation types that attract the biggest sanctions:

Meta Platforms Ireland€1,200,000,000

Unlawful transfer of EU personal data to the US without adequate safeguards (Art. 46). The largest GDPR fine ever issued — found by Ireland's DPC on foot of an EDPB binding decision. · 2023

TikTok Technology Ltd (Ireland)€530,000,000

Unlawful transfer of EEA user data to China without adequate protection; insufficient transparency about data flows to Chinese employees. · 2025

Meta (Instagram — children's data)€405,000,000

Processing children's personal data unlawfully under its business accounts feature. Default settings exposed children's accounts publicly. · 2023

Meta Platforms Ireland (Facebook)€390,000,000

Relying on contractual necessity rather than consent to serve behavioural advertising — unlawful processing basis for targeted ads. · 2023

LinkedIn Ireland€310,000,000

Unlawful processing of personal data for behavioural analysis and targeted advertising without valid consent or legitimate interest. · 2023

Uber B.V. (Netherlands)€290,000,000

Transferred EU driver data to the US for over two years without adequate transfer safeguards following the Schrems II ruling. · 2023

A clear pattern: the largest fines cluster around three violations — (1) unlawful international data transfers, (2) using behavioural advertising without a valid lawful basis, and (3) failing to protect children's data. These same Article 5, 6, and 44–46 violations appear across EU enforcement at all scales.

What the ICO Investigates Most Often

The ICO publishes its enforcement priorities and case outcomes. The most common triggers for investigation include:

1. Data Breaches — the 72-Hour Rule

Any personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it (Article 33). Breaches that pose a high risk to individuals must also be communicated directly to those affected (Article 34). Late reporting significantly increases the severity of any sanction.

2. Marketing Violations

Sending unsolicited marketing emails or texts is one of the most common complaints the ICO receives. Under PECR, you must have specific prior consent for electronic marketing. The ICO regularly fines companies for buying email lists, continuing to market to people who have unsubscribed, and sending marketing without a lawful basis.

3. Cookie Consent Failures

The ICO's ongoing cookie sweep programme actively checks UK websites. Setting analytics or advertising cookies before obtaining consent is a routine enforcement action. Unlike major breaches, cookie violations are often resolved through formal notices and fines without requiring a data breach.

4. Ignoring Data Subject Requests

Failing to respond to a Subject Access Request within one month, refusing a legitimate erasure request, or failing to provide data in a portable format are all enforceable violations. Many ICO complaints come directly from individuals whose requests were ignored.

How the ICO Decides the Fine Amount

The ICO considers multiple factors when setting a fine. These include:

  • The nature, gravity, and duration of the infringement
  • Whether the breach was intentional or negligent
  • Actions taken to mitigate the damage
  • The degree of responsibility — were reasonable measures in place?
  • How cooperative the organisation was during the investigation
  • The categories of personal data affected (health, financial, children's data = higher)
  • The number of people affected
  • Whether the organisation had previous violations
  • The financial position of the organisation — ability to pay

Small businesses can expect lower fines than large corporations for the same violation — the ICO explicitly considers proportionality and ability to pay. However, "we are a small business" is not a defence against enforcement.

How to Reduce Your Risk of ICO Enforcement

  • Conduct a data audit — know exactly what personal data you hold, why, and for how long
  • Have a lawful basis for every processing activity — document it in writing
  • Implement appropriate security: encryption, access controls, MFA, regular backups
  • Have a documented breach response plan — know your 72-hour duty before a breach happens
  • Respond to data subject requests within one month — have a process in place
  • Only send marketing to people who have clearly opted in
  • Have Data Processing Agreements with every third-party processor
  • Train staff who handle personal data
  • Register with the ICO — most organisations must pay the data protection fee (£40-£2,900/year)

Must You Register with the ICO?

Most organisations that process personal data must pay a data protection fee to the ICO annually. Failure to do so is itself an offence. The fee ranges from £40 (micro-organisations) to £2,900 (large organisations). Check ico.org.uk/registration to see if your organisation is exempt.

Find out if your business is at risk

AlgoGrass identifies the exact GDPR issues that lead to ICO enforcement and shows you how to fix them.

Check my compliance risk →