UK GDPR fine and enforcement statistics — how many fines the ICO has issued, the biggest UK GDPR fines to date, the UK GDPR vs PECR split, the new DUAA maximums and how the UK compares with Europe, fully sourced from official data.

Since the GDPR took effect in May 2018, the Information Commissioner's Office (ICO) has fined organisations ranging from British Airways to a small Scottish adoption charity. Oddly, the regulator publishes a continuously updated list of every enforcement action — but no statistics page summarising them. This page fills that gap, drawing together the numbers from the ICO's enforcement database, its Annual Report 2024/25 and its quarterly data security incident statistics, alongside DLA Piper's annual survey of GDPR enforcement across Europe.

Key facts and figures

  • £20 million — the largest UK GDPR fine ever issued, against British Airways in October 2020.
  • Six UK GDPR fines totalling more than £20 million were issued in calendar 2025 — the ICO's biggest fining year since 2020.
  • £14 million — the Capita fine in 2025, the largest UK GDPR penalty since British Airways and Marriott.
  • £4.426 million — total fines imposed by the ICO in the 2024/25 financial year, down from around £16 million in 2023/24.
  • 1 in 6 ICO fines in 2024 related to UK GDPR — the majority are issued under PECR for nuisance marketing (up from 1 in 17 in 2023).
  • £17.5 million or 4% of global turnover — the new maximum PECR fine from 5 February 2026, up from £500,000.
  • €1.2 billion in GDPR fines were issued across Europe in 2025, taking the cumulative total since 2018 to €7.1 billion.
  • 3,600 personal data breach incidents were reported to the ICO in Q4 2025 alone, up 16% year on year.

Figures are the latest available as of July 2026, and this page is updated as the ICO adds actions to its enforcement database, publishes its quarterly incident data, and releases its annual report each summer.

What are the biggest GDPR fines in the UK?

£20 million — the penalty issued to British Airways in October 2020 — remains the largest UK GDPR fine ever, nearly six years on. Marriott International's £18.4 million fine, issued the same month, holds second place. Both stemmed from large-scale cyber attacks, and both were substantially reduced from the ICO's original proposals: £183 million in BA's case and £99 million in Marriott's, cut after representations and the pandemic's impact on the aviation and hospitality sectors.

FineOrganisationYearWhat happened
£20 millionBritish Airways2020Cyber attack affecting 400,000+ customers; inadequate security controls. Reduced from a proposed £183 million.
£18.4 millionMarriott International2020Guest-reservation database breach affecting c.339 million records worldwide. Reduced from a proposed £99 million.
£14 millionCapita (two entities)2025March 2023 ransomware attack affecting 6.6 million people; failure to secure systems and respond promptly.
£12.7 millionTikTok2023Processing the data of up to 1.4 million UK children under 13 without parental consent (2018–2020).
£7.5 millionClearview AI2022Scraping facial images without a lawful basis. Later set aside by the First-tier Tribunal on jurisdictional grounds.
£3.07 millionAdvanced Computer Software2025Ransomware attack that disrupted NHS 111; incomplete multi-factor authentication coverage.
£2.31 million23andMe2025Credential-stuffing attack affecting around 155,000 UK users; no mandatory multi-factor authentication.
£1.23 millionLastPass UK20252022 breach exposing data of up to 1.6 million UK users; fined 20 November 2025.

The composition of the table tells its own story. Four of the eight largest UK GDPR fines were issued in 2025, and every one of them followed a cyber attack. The ICO's consistent position is that organisations remain responsible where their own controls fell short, however sophisticated the attacker. One accuracy note: the 2022 Clearview AI penalty was set aside on appeal, on the question of the UK GDPR's territorial reach rather than the substance of the processing, so it is best treated as an asterisked entry.

How many GDPR fines did the ICO issue in 2025?

Six UK GDPR monetary penalty notices, totalling more than £20 million, were issued by the ICO in calendar year 2025 — by value, the regulator's biggest year since the BA and Marriott fines of 2020. The six, in size order:

  • Capita — £14 million (two group entities combined), for security failings exposed by the March 2023 ransomware attack.
  • Advanced Computer Software — £3.07 million, after a ransomware attack disrupted NHS 111 services.
  • 23andMe — £2.31 million, for security failures behind a credential-stuffing attack on UK users' genetic data.
  • LastPass UK — £1.23 million, issued 20 November 2025 over the 2022 breach affecting up to 1.6 million UK users.
  • DPP Law — £60,000, issued in April 2025 after attackers entered the law firm's network through an admin account without multi-factor authentication.
  • Birthlink — £18,000, after the Scottish post-adoption charity destroyed around 4,800 personal records, many of them irreplaceable.

The pattern is deliberate: fewer, larger fines aimed at systemic security failures, with special category and children's data attracting the toughest treatment. The two smaller penalties show the other end of the scale — no organisation is too small, and the Birthlink fine demonstrates that destroying records can be punished as readily as leaking them.

How has ICO fining activity changed year by year?

£4.426 million in fines were imposed by the ICO in the 2024/25 financial year, down sharply from around £16 million in 2023/24 — yet calendar 2025 then produced over £20 million in UK GDPR fines alone. The apparent contradiction is a timing artefact: the ICO's financial year runs to 31 March, so the big penalties of late 2025 fall into the 2025/26 accounts. Both measures are worth tracking.

Underneath the fines, the wider workload keeps growing. The ICO received 42,315 data protection complaints in 2024/25, up from 39,721 the year before. And in calendar 2024 the regulator took 62 enforcement actions against 47 organisations, of which 32 related to UK GDPR breaches — a mix of fines, enforcement notices and reprimands.

MeasureFigurePeriod
UK GDPR monetary penalties issued6, totalling £20m+Calendar 2025
Total fines imposed (all regimes)£4.426m — down from c.£16m the year beforeFY 2024/25
Enforcement actions (all types)62, against 47 organisationsCalendar 2024
Actions relating to UK GDPR32 of the 62Calendar 2024
Data protection complaints received42,315 — up from 39,721FY 2024/25
Personal data breach reports3,600 — up 16% year on yearQ4 2025

Reading the series together, the trend since 2023 is unmistakable: total enforcement actions are falling, but the fines that are issued have grown much larger and are increasingly concentrated on security failures under the UK GDPR.

Are most ICO fines under UK GDPR or PECR?

One in six ICO fines related to UK GDPR in 2024, up from just one in 17 in 2023 — meaning the substantial majority of the regulator's fines are still issued under PECR, the Privacy and Electronic Communications Regulations, rather than under the UK GDPR itself. PECR covers nuisance calls, spam texts and emails, and cookie rules, and PECR penalties against rogue marketing firms have long been the ICO's bread-and-butter enforcement.

That split is likely to look very different from 2026 onwards. Until this year, PECR fines were capped at £500,000 — trivial next to the UK GDPR maximums. When the relevant provisions of the Data (Use and Access) Act 2025 commenced on 5 February 2026, the maximum PECR fine rose to £17.5 million or 4% of global annual turnover, a 35-fold increase that puts marketing and cookie breaches on the same footing as data protection breaches. For what that means in practice for consent banners and tracking, see our cookie consent guide.

What is the maximum GDPR fine in the UK?

£17.5 million or 4% of total worldwide annual turnover, whichever is higher, is the maximum UK GDPR fine — the "higher tier", covering breaches of the processing principles, consent, individuals' rights and international transfer rules. The "standard tier", for more procedural failures such as records, breach notification and security obligations, is capped at £8.7 million or 2% of turnover.

In practice, fines land well below the caps. The ICO's Data Protection Fining Guidance, published in March 2024, sets out a five-step methodology working from the seriousness of the infringement and the organisation's turnover through aggravating and mitigating factors to a final proportionality check. Even the largest UK fine to date — £20 million against British Airways in October 2020 — was a fraction of the £183 million originally proposed. For a full walkthrough of the two tiers and how the ICO calculates a penalty, see our guide to GDPR fines and penalties in the UK.

How do UK fines compare with the rest of Europe?

€1.2 billion (around £1.06 billion) in GDPR fines were issued across Europe in 2025, according to DLA Piper's January 2026 survey — and the cumulative European total since 25 May 2018 now stands at €7.1 billion. Against that backdrop, the UK's totals are strikingly modest: just over £20 million in UK GDPR fines in 2025, its biggest year in half a decade, and £4.426 million across the whole 2024/25 financial year.

Several factors explain the gap. The largest European penalties have targeted the big US technology platforms, most of which have their European headquarters in Ireland or Luxembourg rather than the UK. The ICO has also followed a deliberate reprimand-first approach for public-sector bodies since 2022, and several of its headline fines have been reduced or set aside on appeal. Whether the post-Brexit UK regime stays comparatively light-touch — or whether the 2025 fining surge and the new PECR maximums mark a turning point — is one of the questions this page will track.

How many data breaches are reported to the ICO?

3,600 personal data breach incidents were reported to the ICO in Q4 2025, up 16% year on year. Of those, 77% were non-cyber incidents — misdirected emails, lost paperwork, failures to redact — and only 23% were cyber attacks, in the same quarter's data.

Crucially, a breach report very rarely leads to a fine: roughly 70% of reported incidents in Q4 2025 resulted in no further action from the regulator. The handful of monetary penalties each year sit on top of tens of thousands of complaints and thousands of quarterly breach reports, which is why the enforcement statistics on this page look so different from the incident statistics. For the full quarterly breakdown by sector and incident type, see our data breach statistics page.

Frequently asked questions

What is the biggest GDPR fine in the UK?

£20 million, issued to British Airways in October 2020 following a cyber attack affecting more than 400,000 customers. It was reduced from an original proposal of £183 million. Marriott International's £18.4 million fine, also from October 2020, is the second largest.

How many GDPR fines has the ICO issued?

There is no single official running total — the ICO publishes a continuously updated enforcement database rather than a statistics page. In calendar 2025 it issued six UK GDPR fines totalling over £20 million; in calendar 2024 it took 62 enforcement actions of all types against 47 organisations, of which 32 related to UK GDPR.

What is the maximum GDPR fine in the UK?

£17.5 million or 4% of worldwide annual turnover, whichever is higher, for higher-tier infringements. The standard tier is capped at £8.7 million or 2% of turnover.

What are PECR fines and how big can they be?

PECR fines punish breaches of the Privacy and Electronic Communications Regulations — nuisance calls, spam texts and emails, and cookie misuse. They historically made up the majority of ICO fines but were capped at £500,000. From 5 February 2026, under the Data (Use and Access) Act 2025, the maximum rose to £17.5 million or 4% of global turnover.

Where does the money from ICO fines go?

Fine income is paid into the government's Consolidated Fund via the Treasury — the ICO does not keep it. Since April 2022 the ICO has been permitted to retain a capped portion (up to £7.5 million a year) to cover agreed litigation and enforcement costs.

Do small organisations and charities get GDPR fines?

Yes. There is no size-based exemption: in 2025 the ICO fined DPP Law, a Merseyside law firm, £60,000 and Birthlink, a small Scottish adoption charity, £18,000. The ICO's proportionality checks mean smaller organisations receive smaller fines, not immunity.

Sources & references

The surest way to stay off the ICO's enforcement list — train your team in UK GDPR and safe data handling.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, workplace compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.