The Cost of Non-Compliance: Real UK GDPR Fines and Lessons Learned
UK GDPR fines rarely happen because of one isolated mistake. They usually follow a chain of preventable failures — weak security, poor response planning, missed processor checks, or gaps in staff awareness. This blog looks at real UK GDPR enforcement cases, what they cost, and the practical lessons businesses can apply before a breach becomes a headline.
E
Eleanor Whitcombe
Jul 07, 2026
9 min read
UK business team reviewing GDPR non-compliance risks and data protection fines on a compliance dashboard

"It won't happen to us" is the most expensive assumption in data protection. Every business fined under UK GDPR believed exactly that, right up until the ICO's investigation started. Looking at what actually triggered real enforcement action — and what it cost beyond the headline figure — is a far more useful exercise than reading the regulation itself.

This isn't a scare story. It's a look at recent ICO enforcement action, the patterns behind it, and what your business can realistically do differently.

If you're still getting to grips with the basics of UK GDPR before diving into enforcement cases, our overview guide is a good place to start.

How ICO Fines are Calculated

UK GDPR fines aren't picked arbitrarily. The Information Commissioner's Office works through a structured process that considers the nature, gravity, and duration of the breach, whether it was intentional or negligent, what mitigating action the organisation took, and how many people were affected.

A few things consistently influence the final number:

  • Group turnover. Where an organisation is owned by a larger holding company, the ICO has based fine calculations on the group's global turnover rather than just the subsidiary's, significantly increasing the potential exposure for organisations with complex corporate structures.
  • Post-breach conduct. Cooperating with an investigation is expected, not exceptional — the ICO has explicitly stated that "good" cooperation alone isn't automatically treated as a mitigating factor unless it goes beyond what's reasonably expected.
  • Speed of notification isn't a free pass. Even notifying well within the 72-hour breach reporting deadline hasn't been treated as a mitigating factor on its own; the ICO expects a continued, engaged response throughout the investigation, not just a fast initial report.
  • Settlement discounts. The ICO has been consulting on a structured settlement procedure offering reduced fines for early resolution — reportedly up to 40% off for settling before a formal notice of intent, tapering to smaller discounts the later an organisation engages. 

The maximum fine under UK GDPR remains £17.5 million or 4% of global annual turnover, whichever is higher — and since February 2026, that same ceiling now applies to PECR breaches (cookies and email marketing) too, following reforms under the Data (Use and Access) Act 2025.

The maximum fine figure and how it's calculated is only half the picture — the Data Protection Act 2018 is what actually gives the ICO these enforcement powers in the first place.

Notable UK GDPR Fines and What Triggered Them

Recent ICO enforcement action tells a fairly consistent story: it's rarely a single catastrophic mistake, but a chain of preventable failures.

  • Capita — £14 million
    Following a 2023 ransomware attack in which hackers stole millions of personal data records, including financial and special category data, the ICO's investigation found a series of security failings, including a failure to prevent unauthorised movement across the network and delays in responding to security alerts. The ICO's initial calculation was substantially higher before mitigating factors and settlement reduced it. 
  • Advanced Computer Software — £3.07 million
    A ransomware attack disrupted numerous NHS-linked organisations after the company failed to consistently deploy multi-factor authentication and had gaps in vulnerability scanning and patch management. The fine was reduced from a higher initial figure following proactive remediation steps taken by the company.
  • 23andMe — £2.31 million
    A credential stuffing attack compromised a significant number of UK user accounts. The fine was reduced from a higher proposed figure after the company made representations to the ICO.
  • LastPass — £1.23 million
    Fined in relation to security failings connected to a data breach; the ICO noted that cooperation alone wasn't sufficient to count as a mitigating factor.
  • DPP Law — £60,000
    A smaller law firm fined following data loss resulting from a cyber attack, showing that enforcement isn't limited to large organisations.
  • Birthlink — £18,000
    A charity fined over the deletion of irreplaceable personal records relating to birth parents and family history — a reminder that fines aren't limited to cybersecurity incidents; poor data handling processes can trigger enforcement too.

Older, well-established cases are also worth knowing, since they still shape how the ICO approaches larger organisations: British Airways was fined £20 million in 2020 after a breach exposed customer data, Marriott was fined £18.4 million the same year following a breach in a hotel reservation database it had acquired, and TikTok was fined £12.7 million in 2023 for failures relating to children's data and consent.

NOTE: All figures, dates, and case names above are subject to change, as ICO's current enforcement actions may be updated and settlement figures are sometimes adjusted after initial announcements.

The common thread across nearly every case above isn't sophisticated hacking — it's basic security and governance gaps, which is exactly what the next sections dig into.

The Hidden Costs Beyond the Fine Itself

The fine is often the smallest number in the final bill.

Reputational damage and customer trust

A publicised ICO fine invites press coverage, customer questions, and scrutiny from existing and prospective clients — particularly in B2B relationships where procurement teams increasingly ask about a supplier's data protection record before signing contracts. Rebuilding trust after a breach, especially one involving sensitive personal data, typically takes far longer than resolving the regulatory action itself.

Several fined organisations have had to stand up dedicated customer support functions or offer free credit monitoring to affected individuals — a direct, ongoing cost that doesn't appear in the fine total but is very real to the business.

Legal and remediation costs

The ICO fine is rarely the end of the financial exposure. Data breach cost UK businesses face typically includes:

  • Legal fees for responding to the ICO investigation itself
  • The cost of external forensic and cybersecurity specialists to investigate and remediate the breach
  • Potential follow-on civil claims from affected individuals, which can run alongside or after regulatory action
  • The internal cost of staff time diverted to incident response, investigation support, and remediation, often for months
  • Investment in the security or process improvements the ICO expects to see implemented

For smaller organisations without in-house legal or security teams, these costs can be proportionally more damaging than they are for a large enterprise, even where the headline fine is smaller.

The Most Common Root Causes behind These Fines

Looking across recent enforcement action, a handful of root causes come up repeatedly:

  • Inadequate technical security measures — particularly the absence of multi-factor authentication on administrative access, which has featured in multiple major 2025 fines.
    To help staff recognise phishing, weak access habits and everyday security risks, you can also explore our Cybersecurity Awareness Training course.
  • Poor patch management and vulnerability scanning — known weaknesses left unaddressed, sometimes for extended periods.
    If your team needs a practical understanding of cybersecurity essentials, our Cybersecurity Essentials for UK Organisations course can help prepare staff for safer day-to-day practice.
  • Weak processor oversight — organisations facing consequences for failures at a third party handling data on their behalf, or processors themselves now facing direct ICO action rather than only the controllers who hired them.
  • Slow or inadequate incident response  even where initial breach notification was timely.
  • Poor data retention and deletion practices — as seen in cases unrelated to cyberattacks entirely, where the failure was simply not managing data lifecycle properly.
  • Underestimating group-wide exposure — corporate structures where a parent company's oversight (or lack of it) becomes central to the ICO's findings.

Notice that almost none of these are exotic or unusual failures. They're basic security and governance practices that many organisations assume are already in place, without actually verifying it.

Lessons your business can apply today

You don't need a seven-figure security budget to apply the lessons from these cases. A few practical takeaways:

  • Multi-factor authentication isn't optional anywhere with access to personal data — not just customer-facing systems, but internal administrative access too.
  • "We take security seriously" isn't evidence. The ICO expects documented processes, testing records, and evidence of continuous improvement, not just a general assurance.
  • Check your processors, not just yourself. If a supplier handling your data has weak security, that risk sits with you too. Data processing agreements and periodic checks matter.
    For technical teams managing systems, suppliers and compliance controls, our IT Compliance & GDPR for Tech Teams course provides role-specific guidance.
  • Cooperation during an investigation should go beyond the minimum expected. Simply responding to requests isn't treated as going above and beyond.
  • Retention and deletion policies matter even without a cyberattack. Poor data lifecycle management alone has triggered enforcement.
  • Know your group structure's exposure. If your business sits within a larger corporate group, understand how that could affect any future fine calculation.

How to Reduce Your Organisation's Risk Exposure

Reducing risk isn't about eliminating every possible vulnerability — it's about closing the specific gaps that keep showing up in real enforcement action:

  1. Audit MFA coverage across all systems handling personal data, including admin and back-office access, not just customer logins.
  2. Establish a documented patch management process, with regular vulnerability scanning rather than ad hoc checks.
  3. Review processor contracts and security standards, particularly for any third party with significant access to your data.
  4. Test and document your incident response plan before you need it, including who's responsible for ICO notification and ongoing engagement.
  5. Build a genuine retention schedule and actually follow it — this addresses one of the less obvious causes of enforcement.
  6. Train staff on security basics. Human error and preventable technical gaps, not sophisticated attacks alone, sit behind most of these cases.
  7. Understand where your organisation sits in any wider group structure, and factor that into your risk assessment.

None of this guarantees you'll never face a breach. It substantially reduces the chance that, if you do, the ICO's investigation finds the kind of systemic, preventable failures that turn an incident into a multi-million-pound penalty.

FAQs

What is the maximum fine under UK GDPR? The maximum fine is £17.5 million or 4% of an organisation's global annual turnover, whichever figure is higher. Since February 2026, this same maximum has also applied to breaches of the Privacy and Electronic Communications Regulations (PECR), which previously carried a much lower cap.

Can individuals sue a company on top of an ICO fine? 
es. An ICO fine is separate from any civil claim individuals may bring for damage or distress caused by a data breach. Organisations can face both regulatory penalties and follow-on litigation from affected individuals arising from the same incident.

Do small businesses actually get fined, or just large corporations?
Small businesses can and do get fined — enforcement isn't limited to major corporations. Smaller fines, such as those issued to a small law firm or a charity in recent enforcement action, tend to attract less press attention but confirm that organisation size doesn't provide protection from regulatory action.

How does the ICO decide the size of a fine?
The ICO considers factors including the severity and duration of the breach, the number of people affected, whether the failure was negligent or deliberate, the organisation's cooperation and remediation efforts, and (where relevant) the wider group's global turnover. A structured settlement procedure can also reduce the final figure depending on how early an organisation engages.

What's the single biggest cause of GDPR fines in the UK?
Recent enforcement activity points strongly to inadequate technical and organisational security measures — particularly gaps like missing multi-factor authentication, unpatched vulnerabilities, and weak incident response — as the most common thread behind the largest fines, though poor data governance and retention practices have also triggered enforcement independently of any cyberattack.

Most fines trace back to gaps in staff awareness, not bad intentions — our Data Protection Essentials for All Employees closes that gap before it becomes a headline.

Start your learning journey with KitLearn

Discover courses designed to help you grow faster, learn smarter, and achieve more.