AlgoGrass is a compliance guidance platform, not a law firm. Always review outputs with a qualified solicitor.

Compliance · 12 Feb 2025 · 7 min read

Understanding ICO Fines: What Gets UK Businesses Fined?

The Information Commissioner's Office has fined organisations hundreds of millions of pounds since UK GDPR took effect. While headlines focus on household names, the ICO regularly investigates and fines small and medium businesses. Understanding what triggers an investigation — and how fines are calculated — is essential for any UK business handling personal data.

The ICO can fine organisations up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious violations. For less serious breaches, fines can reach £8.7 million or 2% of turnover.

The Two Tiers of ICO Fines

UK GDPR establishes two tiers of financial penalties, mirroring the EU GDPR structure:

Tier 1 — Up to £8.7 million (or 2% of global turnover)

  • Failure to implement appropriate technical and organisational security measures
  • Not having a Data Processing Agreement with subprocessors
  • Failing to notify the ICO of a data breach within 72 hours
  • Not maintaining required records of processing activities
  • Processing children's data without age-appropriate safeguards

Tier 2 — Up to £17.5 million (or 4% of global turnover)

  • Processing data without a lawful basis
  • Violating the fundamental principles of GDPR (lawfulness, fairness, transparency)
  • Failing to respect data subject rights (ignoring access requests, refusing erasure)
  • Transferring data to a third country without adequate safeguards
  • Processing special category data without meeting the additional conditions

Real ICO Enforcement Cases: What Actually Gets Fined

British Airways: £20 million (2020)

Failure to implement appropriate technical security measures, resulting in a breach affecting 400,000 customers. Payment data was scraped by attackers over several months.

Marriott International: £18.4 million (2020)

Inadequate security measures following the acquisition of Starwood Hotels, where attackers had been in the system for four years before discovery.

Clearview AI: £7.5 million, disputed (2022–2025)

The ICO fined Clearview for scraping biometric data of UK residents without a lawful basis. The fine was initially overturned by the First-tier Tribunal in 2023, but the Upper Tribunal upheld the ICO's appeal in October 2025. Case ongoing.

TikTok: £12.7 million (2023)

Processing personal data of children under 13 without parental consent, and failing to be transparent about how children's data was used.

Advanced Computer Software: £3.07 million (2024)

A ransomware attack that disrupted NHS services. Security controls were insufficient; in particular, MFA was not applied consistently across the estate.

What the ICO Investigates Most Often

The ICO publishes its enforcement priorities and case outcomes. The most common triggers for investigation include:

1. Data Breaches — the 72-Hour Rule

Any personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of you becoming aware of it (Article 33). Breaches that pose a high risk to individuals must also be communicated directly to those affected (Article 34). Late reporting significantly increases the severity of any sanction.

2. Marketing Violations

Sending unsolicited marketing emails or texts is one of the most common complaints the ICO receives. Under PECR, you must have specific prior consent for electronic marketing. The ICO regularly fines companies for buying email lists, continuing to market to people who have unsubscribed, and sending marketing without a lawful basis.

3. Cookie Consent Failures

The ICO's ongoing cookie sweep programme actively checks UK websites. Setting analytics or advertising cookies before obtaining consent is a routine enforcement action. Unlike the cases above, cookie enforcement does not require a data breach to have occurred: the violation is the premature cookie itself, and it is typically resolved through formal notices and fines.
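The pattern the cookie sweep catches is a site that drops analytics or advertising scripts on page load and asks afterwards. The following is an added example (not code from AlgoGrass or from any consent-management vendor) showing the weak pattern next to a consent-gated loader: non-essential tags are only injected when the stored consent record is present, well-formed, current for the policy version and not stale. The tag names, vendor hosts, consent-record format and the 180-day expiry are all assumptions made for the example.

```javascript
// Consent-gated tag loading: only strictly necessary scripts/cookies run
// until the visitor has opted in to the matching category.
// Added example; tag names, hosts, the consent-record format and the
// expiry period are assumptions, not a real CMP's API.

// Categories a consent banner might record (constructed for this example).
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Consent older than this is treated as expired and must be re-requested.
// The period is an assumption for the example, not an ICO-mandated figure.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Tag registry: which consent category each script or cookie needs.
// Hosts are placeholders.
const TAGS = [
  { name: "session-cookie", category: "necessary", src: null },
  { name: "analytics-vendor", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "ads-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Parse the stored consent record (a JSON string, e.g. from a first-party
// cookie). Returns null for anything missing, malformed, stale or recorded
// under a different policy version, so the safe default (necessary only)
// applies whenever the record cannot be trusted.
function parseConsent(raw, now = Date.now(), policyVersion = 1) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== "object") return null;
  if (rec.version !== policyVersion) return null;
  if (typeof rec.timestamp !== "number" || now - rec.timestamp > CONSENT_MAX_AGE_MS) return null;
  if (!rec.categories || typeof rec.categories !== "object") return null;
  const categories = {};
  for (const c of CATEGORIES) {
    // Only an explicit `true` counts as opt-in; "necessary" needs no consent.
    categories[c] = c === "necessary" ? true : rec.categories[c] === true;
  }
  return { version: rec.version, timestamp: rec.timestamp, categories };
}

// Names of the tags that may run given a (possibly null) consent record.
function allowedTags(consent, tags = TAGS) {
  const granted = consent ? consent.categories : { necessary: true };
  return tags.filter((t) => granted[t.category] === true).map((t) => t.name);
}

// Weak pattern (what the cookie sweep flags): load every tag on page load
// and ask for consent afterwards. Shown for contrast only.
function loadAllTagsUnconditionally(tags, inject) {
  for (const t of tags) if (t.src) inject(t.src);
}

// Corrected pattern: inject only scripts whose category has been opted in to.
// `inject` is whatever adds a <script> to the page; it is passed in so the
// decision logic can be exercised without a browser.
function loadConsentedTags(rawConsent, inject, tags = TAGS, now = Date.now()) {
  const consent = parseConsent(rawConsent, now);
  const allowed = new Set(allowedTags(consent, tags));
  const loaded = [];
  for (const t of tags) {
    if (t.src && allowed.has(t.name)) { inject(t.src); loaded.push(t.name); }
  }
  return { consentPresent: consent !== null, loaded };
}

// Browser usage (not executed here): read the first-party consent cookie and
// inject only what it permits.
//   const raw = document.cookie.split("; ").find((c) => c.startsWith("consent="));
//   loadConsentedTags(raw ? decodeURIComponent(raw.slice(8)) : null, (src) => {
//     const s = document.createElement("script"); s.src = src; s.async = true;
//     document.head.appendChild(s);
//   });
```

Treating every parse failure, version mismatch or expired record as "no consent" is the important design choice: a bug in the banner then fails closed (no analytics) rather than open (tracking without consent), which is the direction the enforcement risk runs.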

4. Ignoring Data Subject Requests

Failing to respond to a Subject Access Request within one month, refusing a legitimate erasure request, or failing to provide data in a portable format are all enforceable violations. Many ICO complaints come directly from individuals whose requests were ignored.

How the ICO Decides the Fine Amount

The ICO considers multiple factors when setting a fine. These include:

  • The nature, gravity, and duration of the infringement
  • Whether the breach was intentional or negligent
  • Actions taken to mitigate the damage
  • The degree of responsibility — were reasonable measures in place?
  • How cooperative the organisation was during the investigation
  • The categories of personal data affected (health, financial and children's data attract higher penalties)
  • The number of people affected
  • Whether the organisation had previous violations
  • The financial position of the organisation — ability to pay

Small businesses can expect lower fines than large corporations for the same violation — the ICO explicitly considers proportionality and ability to pay. However, "we are a small business" is not a defence against enforcement.

How to Reduce Your Risk of ICO Enforcement

  • Conduct a data audit — know exactly what personal data you hold, why, and for how long
  • Have a lawful basis for every processing activity — document it in writing
  • Implement appropriate security: encryption, access controls, MFA, regular backups
  • Have a documented breach response plan — know your 72-hour duty before a breach happens
  • Respond to data subject requests within one month — have a process in place
  • Only send marketing to people who have clearly opted in
  • Have Data Processing Agreements with every third-party processor
  • Train staff who handle personal data
  • Register with the ICO — most organisations must pay the data protection fee (£40-£2,900/year)

Must You Register with the ICO?

Most organisations that process personal data must pay a data protection fee to the ICO annually. Failure to do so is itself an offence. The fee ranges from £40 (micro-organisations) to £2,900 (large organisations). Check ico.org.uk/registration to see if your organisation is exempt.

Find out if your business is at risk

AlgoGrass identifies the exact GDPR issues that lead to ICO enforcement and shows you how to fix them.
