GDPR fines and penalties in the UK: how big, who pays, what counts

by
Mark McShane
May 12, 2026
11 min read

A current guide to UK GDPR fines and penalties — the two-tier structure, how the ICO calculates fines, the biggest UK penalties to date, and the wider enforcement toolkit including reprimands, audits, and civil compensation claims.

UK GDPR fines have moved from theoretical to practical in the past two years. Where the ICO once issued mostly small penalties and reserved the larger numbers for headline cases, 2025 marked a clear shift: fewer enforcement actions, but materially bigger fines aimed at systemic failures.

The first half of 2025 alone produced six fines totalling £5.6 million — double the entire £2.7 million levied across 18 fines in 2024. Four of the largest UK GDPR penalties ever imposed landed in 2025, every one of them against a private-sector organisation following a cyber attack. The direction of travel is unmistakable.

This guide covers the structure of UK GDPR fines, how the ICO calculates them, the most significant penalties to date, and the other enforcement tools the regulator has at its disposal.

The two-tier fine structure

UK GDPR two-tier fine structure

Article 83 of the UK GDPR sets out a two-tier penalty regime. Which tier applies depends on the type of infringement.

The standard maximum is £8.7 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. This tier covers infringements of the more administrative obligations — failures around records, breach notification timing, data protection by design, processor obligations, and similar.

The higher maximum is £17.5 million or 4% of total worldwide annual turnover, whichever is higher. This tier covers infringements of the basic processing principles, the conditions for consent, the rights of data subjects, international transfer rules, and orders from the ICO.

The "whichever is higher" rule matters most for larger organisations. For a multinational with global turnover of £10 billion, 4% is £400 million — far above the £17.5 million floor. For a UK SME with turnover of £2 million, the floor of £17.5 million is the effective cap regardless of percentage. The structure deliberately scales penalties to the size and revenue of the organisation, not just the harm caused.

These are maximums, not standard amounts. Most fines come in well below the cap. The ICO's Fining Guidance, published in March 2024, sets out how the regulator works from infringement to final figure.

Two important changes in 2026 widen the reach of these maximums. From 5 February 2026, fines under the Privacy and Electronic Communications Regulations (PECR) — which cover cookies, electronic marketing, and certain telecoms-specific obligations — were aligned with UK GDPR. Where the maximum PECR fine had previously been £500,000, it is now £17.5 million or 4% of turnover, a 35-fold increase. See our cookie consent guide for the implications.

What sits in the standard tier

The standard maximum of £8.7 million / 2% applies to a defined list of infringements set out in Article 83(4). The list includes:

  • Obligations of controllers and processors under Articles 8, 11, 25–39, 42, and 43 — including data protection by design and by default, joint controller arrangements, Records of Processing Activities, security of processing, breach notification timing, Data Protection Impact Assessments, and the appointment and duties of the Data Protection Officer.
  • Obligations of certification bodies and monitoring bodies under Articles 42 and 43.

In practical terms, the standard tier covers documentation, governance, and procedural failures — things that often surface during an investigation triggered by something else. A breach that crosses into the higher tier through a substantive principle failure can also pull in standard-tier infringements for missing paperwork.

What sits in the higher tier

The higher maximum of £17.5 million / 4% applies to a defined list set out in Article 83(5):

  • The basic principles for processing, including the conditions for consent under Articles 5, 6, 7, and 9.
  • The rights of data subjects under Articles 12 to 22.
  • International data transfer rules under Articles 44 to 49.
  • Specific obligations under any UK GDPR provision linked to a Member State derogation.
  • Non-compliance with an ICO order or with a temporary or definitive limitation on processing.

The substantive principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability — sit in the higher tier. So do the eight individual rights and the international transfer regime. Most of the headline UK GDPR fines have been issued under the higher tier.

For more on the principles, see our seven principles guide. For the individual rights, see our individual rights guide.

How the ICO calculates a fine

The ICO's Data Protection Fining Guidance, published in March 2024, sets out a five-step approach.

Step 1: Assess the seriousness of the infringement

The ICO categorises the infringement as low, medium, or high seriousness, based on the nature, gravity, and duration of the infringement, the number of data subjects affected, the level of damage suffered, the intentional or negligent character of the conduct, and the categories of personal data affected. Special category data, criminal offence data, and vulnerable individuals push seriousness upwards.

Step 2: Identify the relevant turnover

For organisations that are part of a wider "undertaking" — a group of companies acting as a single economic unit — the ICO uses the turnover of the whole undertaking. This is the same concept the Competition and Markets Authority uses. The decision in Volkswagen Aktiengesellschaft v European Commission set the EU precedent; the UK has retained it.

Step 3: Calculate the starting point

The ICO uses a percentage of the relevant turnover (or the statutory floor if higher), with the percentage band determined by the seriousness assessment in step 1.

Step 4: Adjust for aggravating and mitigating factors

Article 83(2) lists eleven factors the ICO must consider, including remedial action taken, cooperation with the investigation, previous infringements, the manner in which the regulator became aware, and any benefits the controller obtained from the infringement.

Step 5: Apply final adjustments

The figure is checked against the statutory maximum and adjusted for proportionality if needed. The ICO also considers the financial position of the undertaking, particularly for smaller organisations, and may reduce the figure where the maximum would create disproportionate harm.

The methodology is deliberately structured so that the final figure can be defended on appeal. Several large UK GDPR fines have been reduced on appeal — notably British Airways and Marriott, where the initial proposals were significantly higher than the final penalties.

The biggest GDPR fines in the UK

Largest UK GDPR fines 2018 to 2025

A summary of the largest UK GDPR penalties to date:

| Year | Organisation | Fine | Cause |
| --- | --- | --- | --- |
| 2020 | British Airways | £20 million | Cyber attack affecting 400,000 customers; weak security controls. Original proposal £183 million, reduced after representations. |
| 2020 | Marriott International | £18.4 million | Cyber attack affecting 339 million guest records (inherited via acquisition); failure to undertake due diligence. Original proposal £99 million. |
| 2023 | TikTok Information Technologies UK | £12.7 million | Processing children's data without parental consent; failures around age verification on the platform. |
| 2025 | Capita group (two entities combined) | £14 million | Ransomware attack affecting 6.6 million people; failure to implement appropriate security and timely response. |
| 2025 | Advanced Computer Software | £3.07 million | Ransomware attack disrupting NHS 111; insufficient MFA coverage; affected ~79,000 people. |
| 2025 | 23andMe | £2.31 million | Credential stuffing attack affecting ~155,000 UK users; security failures including absence of mandatory MFA. |
| 2025 | LastPass UK | £1.23 million | Security incident exposing encrypted password vaults and customer information. |
| 2022 | Clearview AI Inc | £7.5 million | Mass scraping of online images without lawful basis; subsequently overturned on appeal on jurisdictional grounds. |
| 2024 | Ministry of Defence | £350,000 | Disclosure of Afghan interpreters' details to all recipients in an email (this was the original proposal; later reduced). |

A few observations. The 2020 BA and Marriott figures remain the largest in the regulator's history, but both were materially reduced from the initial proposals — BA from £183 million, Marriott from £99 million. The reductions reflected remedial action, the COVID-era financial impact on the aviation and hospitality sectors, and the ICO's own response to representations. Neither original figure should be cited as a UK GDPR record.

The 2025 fines cluster around security failures, every one of them connected to a cyber attack. The ICO has been consistent that organisations carry responsibility for the consequences of attacks where their own controls fell short — even where the attack was sophisticated.

A note for accuracy: the 2022 Clearview fine was set aside by the First-tier Tribunal on jurisdictional grounds. The decision turned on the territorial reach of UK GDPR rather than on the substantive issues, and Clearview's processing remains contentious internationally.

Penalties other than fines

The ICO's enforcement toolkit goes beyond fines. The other tools — used more often than the headline figures suggest — include:

Reprimands

A formal expression of disapproval published by the ICO. Reprimands carry no monetary penalty but do create a public record and can be cited in future enforcement. The ICO has shifted towards using reprimands rather than fines for public-sector breaches, in line with a 2022 policy decision.

Enforcement notices

A formal order requiring the controller to take, or stop, specified actions within a defined timescale. Failure to comply with an enforcement notice is itself a criminal offence and falls into the higher tier of fines.

Information notices

A formal request for information needed for an ICO investigation. Like enforcement notices, failure to comply is an offence.

Audits

The ICO can audit any controller or processor to assess compliance. Audits can be voluntary or compulsory.

Suspension or prohibition of processing

The ICO can require an organisation to stop processing entirely, including the cross-border transfer of personal data.

Criminal prosecution

A narrow set of offences under the Data Protection Act 2018 — including unlawful obtaining of personal data and reidentification of de-identified data — carry criminal liability separate from regulatory fines.

The pattern of recent enforcement is mixed: reprimands for many public bodies and lower-risk breaches, large fines for systemic security failures in the private sector. For the underlying breach response question, see our data breach guide.

Civil compensation claims

Article 82 of the UK GDPR gives individuals the right to claim compensation from a controller or processor for material or non-material damage suffered as a result of an infringement.

Two important features of Article 82:

  • The right exists in addition to ICO fines and any criminal sanctions. An organisation can face regulatory action and individual claims for the same incident.
  • Liability is joint and several where multiple controllers or processors are responsible. A claimant can pursue any of them for the full sum, with the parties sorting out the apportionment afterwards.

UK case law on Article 82 has developed slowly. The Supreme Court's decision in Lloyd v Google limited the scope of representative actions for data protection breaches, making large-scale class-style claims more difficult to bring. Individual claims remain available but require demonstrable damage — financial loss, identifiable distress, or other material harm — rather than the loss of control over data alone.

In practice, civil compensation claims following a notified breach are now common. Affected individuals typically receive between a few hundred and a few thousand pounds where damage can be shown; sums above that depend on the specific circumstances.

The 2024 to 2025 enforcement shift

ICO enforcement — 2024 vs first half of 2025

The change in enforcement pattern between 2024 and 2025 is one of the most significant in the ICO's recent history.

In 2024, the ICO issued 18 monetary penalty notices totalling £2.7 million across the full year. The largest single penalty was £750,000 against the Ministry of Defence following the exposure of Afghan interpreters' contact details. Average fine size was modest, and the regulator's approach to public-sector breaches favoured reprimands.

In the first six months of 2025, the ICO issued six fines worth £5.6 million — already more than double the previous year's total. By the end of 2025 the total had grown further, with several large penalties including the £14 million Capita fine. The pattern is fewer actions, but materially bigger fines targeting systemic failures.

A few drivers explain the shift. First, the regulator has explicitly targeted security failures, particularly in organisations holding significant volumes of personal data. Second, the 2024 Fining Guidance gave the ICO a clearer methodology and reduced the risk that large fines would be successfully challenged on appeal. Third, the public discussion of data protection has matured: large fines no longer cause the political backlash they sometimes attracted in earlier years.

The signal to organisations is clear. The ICO is willing to issue penalties at the higher end of the range where there is a clear security failure, and the discount that smaller organisations might have expected for limited resources or sophistication has narrowed.

For the wider context on who must comply and what they must do, see our hub guide to UK GDPR and our scope guide.

Frequently asked questions

What's the maximum GDPR fine?

£17.5 million or 4% of worldwide annual turnover, whichever is higher. This is the UK GDPR higher tier; the standard tier maximum is £8.7 million or 2%.

What was the biggest UK GDPR fine?

£20 million against British Airways in 2020, reduced from an original proposal of £183 million. £18.4 million against Marriott International (reduced from £99 million) is the second largest. The largest 2025 fine was £14 million against Capita group companies.

How does the ICO calculate fines?

Using a five-step methodology set out in its March 2024 Fining Guidance: assessing seriousness, identifying turnover, calculating a starting point as a percentage of turnover, adjusting for aggravating and mitigating factors, and applying final proportionality checks.

Are GDPR fines getting bigger?

Yes. The first half of 2025 produced six fines totalling £5.6 million, compared with 18 fines totalling £2.7 million across the whole of 2024. The pattern is fewer actions, but materially bigger fines aimed at systemic security failures.

Can individuals sue for GDPR breaches?

Yes. Article 82 gives individuals the right to claim compensation for material or non-material damage. Claims are usually pursued in the County Court for smaller sums or the High Court for larger ones. Lloyd v Google limited representative actions, but individual claims remain available where damage can be shown.

Do GDPR fines apply to small businesses?

Yes. There is no size-based exemption. The statutory floor of £8.7 million / £17.5 million applies in principle to any controller, though the ICO's proportionality test typically results in much smaller fines for smaller organisations. The "whichever is higher" rule means larger organisations face percentage-based fines that scale with turnover.
