Average Value of ICO Monetary Penalties up 370 Percent Since 2023

By Bridewell, 8 June 2026

New analysis has found that the Information Commissioner's Office (ICO) is issuing fewer fines than it was three years ago, but the penalties it does hand out are much higher, costing some UK businesses tens of millions of pounds a year.

The analysis of all monetary penalties issued by the ICO since 2023 shows that the average monetary penalty has risen from just over £675,000 in 2023 to almost £3.2 million so far in 2026 – an almost five-fold increase in four years.

The Information Commissioner’s Office, the UK regulator for upholding data privacy, has enforcement powers ranging from monetary penalties, enforcement notices and reprimands to the prosecution of individuals and organisations for serious data protection breaches.


What the Data Shows


Figure 1: Average ICO-issued fine value per year

Since 2023, the ICO has issued 58 monetary penalties totalling over £55 million, alongside 49 enforcement notices and 65 reprimands. Just three cases have resulted in prosecution.

The data reveals that while the number of monetary penalties issued between 2023 and 2025 has declined (36 percent), the average value of these fines (including those issued in 2026) has increased significantly (370 percent).

In 2023, 22 penalties were issued, totalling nearly £15 million. On average, each fine was valued at over £675,000. Most of these fines were valued at under £250,000 but a £12.7 million fine issued to TikTok in 2023 was the outlier. The ICO found TikTok responsible for several breaches of data protection law, including failing to use the personal data of children lawfully.

In the following year, the value of monetary penalties dropped sharply, with the ICO handing out 17 penalties totalling just £2.5 million. The Police Service of Northern Ireland (PSNI) received the highest monetary penalty (£750,000) for an unauthorised disclosure of PSNI officer and staff details in an FOI request.

However, in 2025, there was a sharp increase in the value of monetary penalties issued. While the number of penalties declined slightly (14), the value of these fines was much higher, totalling £21.7 million, the highest of all years analysed.

On average, the value of each penalty was £1.6 million. Several high-value fines were issued that year, the highest of which was £14 million. The ICO found that Capita had failed to respond in a timely manner to a cyberattack that compromised the data of over six million individuals and did not adequately prevent attackers from moving freely across its internal network or gaining unauthorised access to more sensitive systems and data once inside.

Penalty trends in 2026 highlight that the ICO is issuing increasingly serious monetary penalties. While only five monetary penalties have been issued in 2026 so far, their total value exceeds £15 million already.

A penalty issued to Reddit for £14.4 million is the biggest contributor. The social media platform was fined for failing to properly verify users' ages, resulting in the unlawful processing of children’s data.

Which Sectors Face the Biggest Penalties?

The data shows that some industries have faced much higher penalties.


Figure 2: Average ICO-issued monetary penalties by industry

The online technology and telecoms industry has received over £28 million in penalties since 2023. However, it has received among the fewest fines. Five monetary penalties have been issued, averaging £5.7 million per fine. The severity of these fines is linked to the number of individuals impacted. Particularly large fines have also been issued in instances where children are impacted. In practice, the sector's £28 million total is heavily concentrated: the TikTok (£12.7 million) and Reddit (£14.4 million) fines together account for the vast majority, both linked to the unlawful processing of children's data.

The marketing sector has been on the receiving end of more ICO penalties than any other since 2023, accumulating 17 penalties overall. However, the total value of these penalties is just £1.8 million, an average penalty of £106,765.

Many of these penalties relate to unsolicited marketing calls and texts in breach of the Privacy and Electronic Communications Regulations (PECR), offences the ICO penalises consistently but not severely.


Our Expert Says… 

Chris Linnell, Associate Director of Data Privacy, said:

“Although the rise in average fines is significant, it reflects a more targeted approach from the ICO rather than just an increase in enforcement activity. There’s a strong emphasis emerging around areas like children’s privacy, the safe use of AI, and nuisance communications, and with expanded powers now available, organisations need to be prepared for a more proactive regulator.

“The key point many organisations overlook is that the size of a fine isn’t driven by the incident alone. The ICO places a significant amount of weight on how well accountability is demonstrated. That means having controls that are genuinely embedded across people, processes and technology - and being able to evidence that they are working effectively in practice.

“It also highlights the importance of organisations really understanding the context of their data processing. Knowing what data you hold, why you hold it, and the potential risks involved is essential - not just for compliance, but for managing the impact on individuals if something does happen.

“At the same time, public awareness is increasing. High-profile fines are now part of the mainstream conversation, and privacy is becoming a more visible differentiator in the market. That’s raising expectations across the board, meaning good data protection is no longer optional - it’s a fundamental requirement.”


What Triggers ICO Action?

Data privacy complaints can prove costly for businesses, in both the fines associated with non-compliance and the potential disruption to daily operations.

The ICO has the authority to impose a maximum penalty of £17.5 million or four percent of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.

Failings that could trigger ICO action include:

  • Data breaches caused by poor security: This could include failing to properly implement technical and organisational measures to protect user data, particularly in industries where businesses have access to large volumes of sensitive data such as medical or financial records.

  • Failure to adequately respond to incidents: Not every data breach needs to be reported to the ICO, and the ICO provides a self-assessment to help determine whether a breach is reportable. However, where a reportable data breach takes place, all organisations are required to report the incident within 72 hours.

  • Unlawful direct marketing: The Privacy and Electronic Communications Regulations give people privacy rights with regard to electronic communication. Sending unsolicited calls, texts or emails without valid consent violates these protections.



Methodology

Data was extracted from the ICO Enforcement Register on 11 May 2026. All published records between 2023 and 2026 have been analysed, including 58 monetary penalties, 49 enforcement notices, 65 reprimands, and 3 prosecutions. In some instances, the Information Commissioner's Office will reduce the penalty amount if it is paid before a certain date. For this research, we have recorded the initial value of the penalty.
