The ICO (Information Commissioner's Office) has the power to issue fines of up to £17.5 million or 4% of global annual turnover for serious data protection failures. But the maximum is rarely applied — the actual fine in any given case is determined by a detailed set of factors that the ICO weighs up during its investigation. Understanding how those factors work gives organisations a clearer picture of their real exposure and what steps genuinely reduce risk.
The two enforcement tiers under UK GDPR
UK GDPR (and the Data Protection Act 2018) creates two categories of infringement, each with different maximum fines:
| Tier | Examples of violations | Maximum fine |
|---|---|---|
| Lower tier | Failure to notify the ICO of a breach, inadequate records of processing, minor consent failures | £8.7M or 2% of global turnover (whichever is higher) |
| Upper tier | Breach of core principles (lawfulness, fairness), data subject rights violations, unlawful international transfers, special category data failures | £17.5M or 4% of global turnover (whichever is higher) |
The "whichever is higher" element means the percentage-based cap is most relevant for large multinationals. For a company with £500M global turnover, 4% is £20M — exceeding the fixed maximum. For an SME, the fixed maximum will almost always be the higher figure.
Notable ICO enforcement cases
Looking at actual ICO decisions provides the most accurate picture of how fines are set in practice.
British Airways — £20 million (2020)
British Airways was fined £20 million — reduced from an initial notice of £183 million — following a 2018 cyberattack that exposed the personal and payment card data of approximately 400,000 customers. The ICO found that BA had failed to implement appropriate technical and organisational security measures. The reduction from the initial notice reflected the economic impact of COVID-19 on the airline, BA's cooperation with the investigation, and steps taken to improve security.
Marriott International — £18.4 million (2020)
Marriott was fined £18.4 million after a breach originating in the Starwood reservation system exposed up to 339 million guest records globally. The ICO found that Marriott had failed to carry out adequate due diligence when it acquired Starwood in 2016 and had not taken sufficient steps to secure the systems it inherited.
TikTok — £12.7 million (2023)
TikTok was fined £12.7 million for unlawfully processing the personal data of children under 13 without their parents' consent. The ICO estimated that approximately 1.4 million UK children under 13 used the platform in 2020, contrary to TikTok's own terms of service.
Interserve Group — £4.4 million (2022)
Interserve was fined £4.4 million after a phishing attack resulted in the personal and financial data of up to 113,000 employees being compromised. The ICO found that Interserve had failed to keep software up to date, used unsupported operating systems, lacked appropriate staff training, and had inadequate risk assessment processes.
The eight factors the ICO weighs
The ICO's approach to calculating fines is set out in its published enforcement guidance. The key factors are:
1. Nature, gravity, and duration
How serious was the breach? How many people were affected? How long did it go undetected? A one-off incident affecting 100 customers is treated very differently from a systemic failure affecting millions over several years.
2. Intentional or negligent
Deliberate violations attract significantly higher fines than negligent ones. A company that knowingly processed data without a legal basis faces much greater exposure than one that made a genuine procedural error.
3. Categories of personal data involved
Special category data — health information, biometric data, criminal records, racial or ethnic origin — attracts higher fines because of the greater potential harm to data subjects.
4. Steps taken to mitigate harm
Did the organisation act quickly to contain the breach, notify affected individuals, and offer remediation? Proactive steps to limit harm are a significant mitigating factor.
5. Degree of responsibility
Was the organisation solely responsible, or was a third-party processor also involved? What security measures were in place? Prior audits or assessments that flagged the same weakness, which then went unaddressed, are an aggravating factor.
6. Cooperation with the ICO
Organisations that engage constructively with the investigation, provide documents promptly, and communicate openly receive more favourable treatment. Obstruction or delayed responses increase the final fine.
7. How the ICO became aware
If the organisation self-reported the breach promptly and accurately, that is treated more favourably than if the ICO discovered the incident through a third party or the media.
8. Previous infringements
A prior ICO enforcement action or formal warning is a significant aggravating factor. Repeat infringers can expect materially higher fines.
What actually reduces your fine exposure
Based on ICO enforcement patterns, the most effective steps to reduce fine exposure are:
- Implement ISO 27001 or Cyber Essentials — formal certification demonstrates that you have taken a structured approach to information security. The ICO references this positively in its assessments.
- Maintain a Data Protection Impact Assessment (DPIA) process — for high-risk processing activities, a documented DPIA shows the ICO that you identified and addressed risks proactively.
- Have and test an incident response plan — breaches that are contained quickly and reported to the ICO within 72 hours (the notification deadline UK GDPR sets) consistently result in lower fines than those where the organisation was slow to respond.
- Train staff regularly — the Interserve case shows that inadequate staff training is treated as an aggravating factor. Documented, regular data protection training matters.
- Cooperate fully with the ICO — this is one of the most consistently cited mitigating factors across every major UK enforcement case.