UK GDPR Fines Under the ICO: What Penalties Look Like in 2026

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

When British Airways received a proposed fine of £183 million from the ICO in 2019, it felt like a turning point. The final amount, reduced to £20 million in 2020 after representations about the impact of Covid-19, was still the largest penalty the ICO had issued at that time. Marriott International received £18.4 million in the same period for a breach affecting 339 million guest records. TikTok was fined £12.7 million in 2023 for using children's data without proper consent.

These are the headline cases. The more relevant question for most UK businesses is what the fine landscape looks like below that tier and what actually triggers an ICO investigation in the first place.

For a technical check of your website's data protection posture, run a free scan at /uk/en/scan; it takes under two minutes and covers the issues the ICO checks most often.

Who enforces UK GDPR

The Information Commissioner's Office (ICO) is the sole data protection regulator in the UK. Based in Wilmslow, Cheshire, it enforces UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). There is no per-jurisdiction split as there is in the EU, where each member state has its own supervisory authority and cross-border cases can involve multiple authorities under the one-stop-shop mechanism.

In the EU, a business with its main EU establishment in Ireland answers to the Irish DPC as lead authority. In the UK, every business with UK customers, UK operations or UK-targeted digital services falls under the ICO regardless of where the business is based. Non-UK companies that target UK individuals need a UK representative under Article 27 UK GDPR and that representative's role includes being the ICO's point of contact.

The current Information Commissioner is John Edwards, who took up the role in January 2022. His public positioning has been more pragmatic than adversarial; the ICO has been explicit that, for SMBs, it prefers to resolve issues through engagement and undertakings rather than fines wherever possible.

Fine bands under UK GDPR

UK GDPR carries two penalty tiers, set by Section 157 and Schedule 17 of the Data Protection Act 2018.

Higher tier: Up to £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher. This applies to breaches of the core data protection principles (Article 5), the lawful basis requirements (Article 6), data subject rights (Articles 15 to 22), the conditions for consent (Article 7) and the rules on transfers to third countries (Articles 44 to 49).

Standard tier: Up to £8.75 million or 2% of total annual worldwide turnover, whichever is higher. This applies to more procedural requirements: privacy-by-design obligations, record-keeping, data breach notification and the rules around data processors and processing agreements.

PECR has a separate fine ceiling of £500,000 for the most serious violations. Cookie breaches typically fall under PECR Regulation 6, not UK GDPR directly, though where a cookie is processing personal data (which analytics cookies always are), UK GDPR powers can also apply.

The ICO publishes every monetary penalty notice on its enforcement action page. The notices include the full reasoning, the mitigating and aggravating factors the ICO considered and the final amount.

How the ICO calculates a fine

The ICO published a detailed penalty methodology document in 2021, updated periodically. The key factors it weighs when setting an amount within a band are:

The nature of the infringement: was it negligent, reckless or intentional? Intentional violations receive significantly higher starting points.

The scale and duration: how many people were affected, how long did the breach persist and how sensitive were the data categories involved (health records, financial data and children's data all attract higher concern).

Co-operation: did the organisation report the breach promptly, engage with the ICO's investigation transparently and take immediate remedial action? Both British Airways and Marriott had their proposed fines substantially reduced after demonstrating financial hardship and strong post-breach co-operation.

Prior history: a first-time technical failing is treated differently from a repeat violator. The ICO explicitly references prior reprimands or undertakings in its penalty calculations.

Financial capacity: the ICO considers whether a fine at a given level would be disproportionately severe relative to the organisation's actual financial position. It has reduced fines against organisations demonstrating financial distress.

Novel point of law: if a case involves a genuinely unclear legal question, the ICO has shown willingness to reduce amounts to reflect that uncertainty. The BA case involved novel questions about the standard of technical security required.

What triggers ICO action

ICO investigations typically start in one of three ways.

Data subject complaints filed through the ICO's online complaints form at ico.org.uk/concerns. A single complaint about a missed subject access request, an unanswered deletion request or an intrusive cookie banner can land on the ICO's desk. The ICO cannot respond to every complaint with a full investigation, but patterns of complaints from multiple individuals about the same organisation tend to raise the risk of a formal enquiry.

Mandatory breach notifications under Article 33 UK GDPR. Any breach that risks harm to individuals must be reported to the ICO within 72 hours. The ICO reviews each notification and, where the circumstances suggest systemic failure, opens a further investigation. The BA and Marriott cases both started with breach notifications.

ICO-initiated sweeps and surveys. The ICO conducts thematic investigations: cookie banner compliance sweeps, direct marketing audits, children's data reviews. The November 2023 cookie-banner campaign, in which the ICO wrote to 53 of the UK's top 100 websites, is a recent example. The ICO doesn't need a complaint to initiate a review.

Realistic financial exposure for UK businesses

The big fines attract headlines, but they're not representative of SMB exposure.

Most small-business ICO enforcement takes one of three forms: a formal reprimand (public, reputationally damaging but no fine), an undertaking (a legally binding commitment to fix specific issues by a deadline) or a warning in correspondence. These are far more common than monetary penalties for businesses without large-scale data operations.

Where fines do affect SMBs, the mechanism is usually PECR rather than UK GDPR. Unsolicited email marketing to B2C consumers is the most common trigger. The ICO's enforcement record shows many PECR fines in the £10,000 to £200,000 range for companies that bought or scraped consumer email lists and ran cold-outreach campaigns.

For a typical small business website (a local retailer, a professional services firm, a restaurant with an online booking form), the realistic risk profile is: one data subject complaint triggers an ICO letter, the ICO sends an information notice, the business responds promptly and demonstrates it has a working privacy notice and cookie banner, and the matter closes with a reprimand or informal resolution. No fine.

The ICO's published enforcement action page lists every monetary penalty notice issued, with the full reasoning and the mitigating factors accepted. Reading half a dozen notices from the same year gives a reliable picture of how the ICO weighs competing factors and how organisations in similar situations were treated.

That risk profile shifts materially if the business ignores the ICO letter, disputes that UK GDPR applies without any legal basis for doing so, or has demonstrably done nothing to address known compliance gaps.

What to do if you receive an ICO notice

The ICO typically contacts organisations via a formal information notice under Article 58(1)(a) UK GDPR, which requests specific information within a stated deadline, usually 30 calendar days, sometimes 14 days for breach-notification contexts.

Five steps when the letter arrives. Following them in order matters because the ICO explicitly references whether the organisation co-operated and took remedial action at each stage when it calculates any final penalty:

First, read it carefully and identify what the ICO is actually asking. It may be a routine information request following a data subject complaint, or it may signal the start of a formal investigation. The tone of the initial letter usually distinguishes these.

Second, seek legal advice before responding if the matter is anything other than a simple SAR complaint. Responses to the ICO are on the record and can be referred to in any subsequent penalty notice.

Third, gather the relevant documentation: privacy notices, data processing records, consent logs, breach-notification records, cookie audit evidence. A structured, evidenced response carries far more weight than a narrative one.

Fourth, respond within the deadline. Missing an ICO deadline is treated as non-co-operation and can be a standalone aggravating factor in any subsequent proceedings.

Fifth, address the underlying issue. If the ICO has flagged a specific gap (missing cookie consent, an unanswered SAR), fix it before or during the response process and document that you've done so. Early remediation is the most reliable mitigant.

For EU comparison, the ICO process is broadly similar to GDPR enforcement in France or the Netherlands, but the ICO's preference for reprimands over fines for first-time SMB failings makes the UK's track record somewhat more proportionate. See how the Dutch AP handles website enforcement for contrast.

This is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.