UK GDPR fines under the ICO: what penalties look like

Steven | TrustYourWebsite · 4 May 2026 · Last updated: May 2026

Under UK GDPR, the ICO can fine organisations up to £17.5 million or 4% of global annual turnover, whichever is higher. The real picture, from the cases that have actually been decided, is more nuanced.

When British Airways received a proposed fine of £183 million from the ICO in 2019, it felt like a turning point. The final amount, reduced to £20 million in 2020 after representations about the impact of Covid-19, was still the largest penalty the ICO had issued at that time. Marriott International received £18.4 million in the same period for a breach affecting 339 million guest records. TikTok was fined £12.7 million in 2023 for using children's data without proper consent.

These are the headline cases. The more relevant question for most UK businesses is what the fine landscape looks like below that tier and what actually triggers an ICO investigation in the first place.

Case | Year | Proposed | Final | Trigger
British Airways | 2019-2020 | £183M | £20M | Payment-card skim affecting 400k customers
Marriott International | 2019-2020 | £99M | £18.4M | Starwood-reservations breach, 339M records
TikTok | 2023 | £27M | £12.7M | Use of children's data without proper consent
Clearview AI | 2022 | £7.5M | Initially overturned, partly restored on appeal (2024) | Mass facial-image scraping without lawful basis
DSG Retail (Currys/PC World) | 2020 | £500k (PECR cap) | £500k | Point-of-sale malware, 14M customers

For a technical check of your website's data protection posture, run a free scan at /uk/en/scan. It takes under two minutes and covers the issues the ICO checks most often.

Who enforces UK GDPR

The Information Commissioner's Office (ICO) is the sole data protection regulator in the UK. Based in Wilmslow, Cheshire, it enforces UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). There is no per-jurisdiction split as there is in the EU, where each member state has its own supervisory authority and cross-border cases can involve multiple authorities under the one-stop-shop mechanism.

In the EU, a business with its main EU establishment in Ireland answers to the Irish DPC as lead authority. In the UK, every business with UK customers, UK operations or UK-targeted digital services falls under the ICO regardless of where the business is based. Non-UK companies that target UK individuals need a UK representative under Article 27 UK GDPR and that representative's role includes being the ICO's point of contact.

The current Information Commissioner is John Edwards, who took up the role in January 2022. His public positioning has been more pragmatic than adversarial; the ICO has been explicit that, for SMBs, it prefers to resolve issues through engagement and undertakings rather than fines wherever possible.

Fine bands under UK GDPR

UK GDPR carries two penalty tiers, set by Section 157 and Schedule 17 of the Data Protection Act 2018.

Tier | Maximum fine | Applies to
Higher (Art. 83(5) equivalent) | £17.5 million or 4% of global annual turnover | Core principles (Art. 5), lawful basis (Art. 6), data subject rights (Arts. 15-22), consent (Art. 7), international transfers (Arts. 44-49)
Standard (Art. 83(4) equivalent) | £8.75 million or 2% of global annual turnover | Privacy-by-design, record-keeping, breach notification, processor agreements
PECR | £500,000 | Unsolicited marketing, cookie consent failures, unlawful direct marketing

For the two UK GDPR tiers, the maximum is whichever figure is higher: the fixed cap or the percentage of turnover. For most UK SMBs the fixed cap is the binding constraint. Cookie breaches typically fall under PECR Regulation 6, not UK GDPR directly, though where an analytics cookie processes personal data, UK GDPR enforcement powers can also apply alongside PECR.

The ICO publishes every monetary penalty notice on its enforcement action page. The notices include the full reasoning, the mitigating and aggravating factors the ICO considered and the final amount.

How the ICO calculates a fine

The ICO publishes its Regulatory Action Policy, updated periodically, which sets out how it approaches penalties. The key factors it weighs when setting an amount within a band are summarised below.

Factor | What the ICO weighs | Direction
Nature of the infringement | Negligent, reckless or intentional | Intentional violations get a higher starting point.
Scale and duration | Number of people affected, duration, sensitivity of data (health, financial, children's) | Larger and more sensitive breaches attract higher concern.
Co-operation | Prompt breach notification, transparent investigation engagement | Strong mitigant. BA and Marriott both saw substantial reductions.
Prior history | Previous reprimands or undertakings on similar issues | Repeat violators get materially less leniency.
Financial capacity | Whether the proposed fine is disproportionate to the organisation's position | Demonstrated distress has reduced fines in past cases.
Novel point of law | Genuinely unclear legal question raised by the case | Mitigant where the legal question is genuinely new (e.g. BA security standard).

What triggers ICO action

ICO investigations typically start in one of three ways.

Data subject complaints filed through the ICO's online complaints form at ico.org.uk/concerns. A single complaint about a missed subject access request, an unanswered deletion request or an intrusive cookie banner can land on the ICO's desk. The ICO cannot respond to every complaint with a full investigation, but patterns of complaints from multiple individuals about the same organisation tend to raise the risk of a formal enquiry.

Mandatory breach notifications under Article 33 UK GDPR. Any breach that risks harm to individuals must be reported to the ICO within 72 hours. The ICO reviews each notification and, where the circumstances suggest systemic failure, opens a further investigation. The BA and Marriott cases both started with breach notifications.

ICO-initiated sweeps and surveys. The ICO conducts thematic investigations: cookie-banner compliance sweeps, direct marketing audits, children's data reviews. The November 2023 cookie-banner campaign, in which the ICO wrote to 53 of the UK's top 100 websites, is a recent example. The ICO doesn't need a complaint to initiate a review.

Realistic financial exposure for UK businesses

The big fines attract headlines, but they're not representative of SMB exposure.

Most small-business ICO enforcement takes one of three forms: a formal reprimand (public, reputationally damaging but no fine), an undertaking (a legally binding commitment to fix specific issues by a deadline) or a warning in correspondence. These are far more common than monetary penalties for businesses without large-scale data operations.

Where fines do affect SMBs, the mechanism is usually PECR rather than UK GDPR. Unsolicited email marketing to B2C consumers is the most common trigger. The ICO's enforcement record shows many PECR fines in the £10,000 to £200,000 range for companies that bought or scraped consumer email lists and ran cold-outreach campaigns.

For a typical small business website (a local retailer, a professional services firm, a restaurant with an online booking form), the realistic risk profile is: one data subject complaint triggers an ICO letter, the ICO sends an information notice, the business responds promptly and demonstrates it has a working privacy notice and cookie banner, and the matter closes with a reprimand or informal resolution. No fine.

The ICO's published enforcement action page lists every monetary penalty notice issued, with the full reasoning and the mitigating factors accepted. Reading half a dozen notices from the same year gives a reliable picture of how the ICO weighs competing factors and how organisations in similar situations were treated.

That risk profile shifts materially if the business ignores the ICO letter, disputes that UK GDPR applies without any legal basis for doing so or has demonstrably done nothing to address known compliance gaps.

What to do if you receive an ICO notice

The ICO typically contacts organisations via a formal information notice under Article 58(1)(a) UK GDPR, which requests specific information within a stated deadline, usually 30 calendar days, sometimes 14 days for breach-notification contexts.

Five steps when the letter arrives, in order, because the ICO explicitly references co-operation and remedial action at each stage when calculating any final penalty:

  1. Read it carefully. Identify what the ICO is actually asking. It may be a routine information request following a data subject complaint or it may signal the start of a formal investigation. The tone of the initial letter usually distinguishes these.
  2. Seek legal advice before responding if the matter is anything other than a simple SAR complaint. Responses to the ICO are on the record and can be referred to in any subsequent penalty notice.
  3. Gather the relevant documentation. Privacy notices, data processing records, consent logs, breach-notification records, cookie audit evidence. A structured, evidenced response carries far more weight than a narrative one.
  4. Respond within the deadline. Missing an ICO deadline is treated as non-co-operation and can be a standalone aggravating factor in subsequent proceedings.
  5. Address the underlying issue. If the ICO has flagged a specific gap (missing cookie consent, an unanswered SAR), fix it before or during the response process and document that you've done so. Early remediation is the most reliable mitigant.

For a detailed breakdown of how ICO investigations unfold from initial contact through to closing, see the ICO investigation process guide.

For context on how the UK regime compares to what came before, see UK GDPR vs EU GDPR: key differences after Brexit.


This is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.
