
ICO fines and enforcement — what the record shows

Updated April 2026 · UK GDPR Articles 83 & 84 · DPA 2018 Part 6

The Information Commissioner's Office has broad enforcement powers under UK GDPR and the Data Protection Act 2018. Understanding how fines are calculated, what triggers an investigation, and what the enforcement record reveals about ICO priorities is directly relevant to building a compliant programme — because the ICO's enforcement pattern shows what it treats as serious and what evidence it expects organisations to produce.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.
Research note

This page is derived from publicly available ICO enforcement notices, penalty notices, and published guidance. ICO enforcement decisions are publicly available on the ICO website. Figures cited are from published penalty notices and ICO annual reports as at April 2026. The ICO enforcement database is updated continuously — verify current figures at ico.org.uk.

The two penalty tiers

UK GDPR Article 83 establishes two tiers of administrative fine. The higher tier — for the most serious breaches of core data protection obligations — allows fines of up to £17.5 million or 4% of the undertaking's total annual worldwide turnover in the preceding financial year, whichever is higher. The lower tier — for less severe infringements, including failure to implement appropriate technical and organisational measures — allows fines of up to £8.7 million or 2% of annual worldwide turnover, whichever is higher.

These are maximum figures. The ICO has discretion on the amount of any penalty and must take into account a range of factors in determining what is proportionate. In practice, fines significantly below the statutory maximum are more common, particularly for smaller organisations, first-time breaches, or where the organisation cooperated with the investigation and took prompt remedial action.

Source: UK GDPR Articles 83(4) and 83(5); DPA 2018 Section 157

Higher-tier violations (Article 83(5))

The higher maximum applies to infringements of the basic principles for processing (Article 5), conditions for consent (Article 7), data subject rights (Articles 12–22), transfers to third countries (Articles 44–49), and obligations under national law adopted pursuant to Articles 85–91. In practice, the most commonly enforced higher-tier violations involve unlawful processing, inadequate data security leading to a significant breach, and failure to respect data subject rights.

Lower-tier violations (Article 83(4))

The lower maximum applies to infringements of obligations relating to data protection by design and by default (Article 25), processor obligations (Articles 26–29), records of processing activities (Article 30), security measures (Article 32), breach notification (Articles 33–34), and DPO obligations (Articles 37–39). Failure to maintain an Article 30 ROPA, failure to notify a breach within 72 hours, and failure to have appropriate processor contracts are all lower-tier violations — but they remain violations that can attract substantial penalties.

What triggers an investigation

The ICO's enforcement activity is driven by several sources. Data breach notifications under Article 33 are the single largest trigger — the ICO receives thousands of breach reports each year and investigates those that suggest significant risk or systemic failures. Subject complaints — typically about failure to respond to a SAR, unlawful processing, or data breach — are the second major source. The ICO also conducts proactive audits, particularly of sectors it has identified as higher risk, and investigates organisations following media coverage of significant incidents.

In any investigation, the ICO's first requests are typically for: the Article 30 ROPA; the privacy notice in force at the time of the breach or complaint; evidence of how data subject rights requests were handled; the breach log; and documentation of the technical and organisational security measures in place. An organisation that cannot produce these documents promptly — or that produces documents that are clearly inadequate — faces a significantly more adverse investigation than one with a complete, dated evidence record.

Factors affecting the penalty

Article 83(2) requires the ICO to take into account a range of factors when determining whether to impose a fine and its amount. The most significant mitigating factors in practice are:

  • Self-reporting — organisations that proactively report breaches to the ICO typically receive more favourable treatment than those whose breaches are discovered through complaints or third-party reports
  • Cooperation — prompt, full cooperation with the ICO investigation, including timely provision of requested documents
  • Remedial action — demonstrable steps taken to address the breach and prevent recurrence, implemented before the investigation concludes
  • Existing compliance programme — evidence of a genuine, documented compliance programme in place before the breach occurred demonstrates that the failure was isolated rather than systemic
  • Size and resources — the ICO takes into account the size and financial resources of the organisation, recognising that a fine proportionate for a large corporation may be disproportionate for an SME

The most significant aggravating factors are: failure to cooperate with the investigation; evidence of deliberate or negligent infringement; previous enforcement action for similar breaches; and financial gain from the infringement.

Source: UK GDPR Article 83(2); ICO regulatory action policy

Beyond fines — the full enforcement toolkit

Financial penalties are one element of the ICO's enforcement toolkit. The ICO also has power to issue:

  • Reprimands — formal expressions of criticism, published on the ICO website, which can cause reputational damage disproportionate to any financial penalty
  • Enforcement notices — requiring the organisation to take specific steps within a specified period. Failure to comply with an enforcement notice is a criminal offence
  • Information notices — requiring the organisation to provide information to the ICO. Failure to comply is a criminal offence
  • Assessment notices — requiring the organisation to allow the ICO to carry out an audit of its data processing
  • Third-party undertakings — published commitments by the organisation to take specific remedial action

Reprimands have become more common since the ICO adopted a more graduated approach to enforcement. For SMEs, a reprimand with published findings can be more damaging commercially than a modest fine — clients, particularly in professional services, will search the ICO register before instructing a firm.

The documents listed above under "What triggers an investigation" (the Article 30 ROPA, the privacy notice in force at the time, evidence of rights-request handling, the breach log, and the documented security measures) are the ones an ICO investigator will request first. Without them, an organisation has no means to demonstrate what it did or when.

SME enforcement risk

The ICO has been explicit that UK GDPR applies to all organisations regardless of size, and that being small does not provide an exemption from enforcement. However, the ICO's approach to SMEs reflects proportionality — fines are calibrated to the organisation's financial position, and the ICO typically engages in a resolution process before taking formal action against organisations that cooperate and take prompt remedial steps.

The highest risk areas for SMEs from an ICO enforcement perspective are: failure to respond to subject access requests on time (the most complained-about issue); inadequate security measures leading to a breach (particularly email-based breaches, which are frequently reported and investigated); sending personal data to the wrong recipient; and failure to have appropriate processor contracts in place. All of these are addressed in a structured UK GDPR compliance programme.

ICO registration fees

Separate from enforcement action for substantive breaches, most data controllers are required to pay an annual data protection fee to the ICO. The current fee schedule (from February 2025) is: £52 for small organisations (turnover under £632,000 or fewer than 10 staff); £78 for medium organisations; and £3,763 for large organisations. Charities and small occupational pension schemes may qualify for reduced or zero fees.

Failure to register and pay the required fee is a civil monetary penalty offence, enforced separately from substantive data protection breaches. The ICO conducts proactive checks against Companies House and other registers to identify unregistered controllers. The penalty for non-payment is up to £4,000.

Source: ICO fee schedule, current from February 2025; Data Protection (Charges and Information) Regulations 2018

Record this. The ICO's enforcement pattern consistently shows that organisations with a documented compliance programme, an evidence record, and a history of self-reporting and cooperation receive materially better outcomes than those that cannot produce records. Compliance is not just a legal obligation — it is an enforcement defence.

Not legal advice. This page is derived from ICO published enforcement decisions, penalty notices, and guidance as at April 2026. ICO enforcement decisions and penalty amounts are subject to appeal and may change. Consult a qualified solicitor or data protection practitioner for advice on specific enforcement situations or regulatory investigations.