New data analysis from our cyber security experts has revealed that the Information Commissioner's Office is issuing fewer but far larger fines, with the average monetary penalty quadrupling from just over £675,000 in 2023 to almost £3.2 million so far in 2026.
The Information Commissioner’s Office, the UK regulator for upholding data privacy, has enforcement powers ranging from monetary penalties, enforcement notices and reprimands to prosecuting individuals and organisations for serious data protection breaches.
Since 2023, 58 monetary penalties have been issued, totalling over £55 million. The data reveals that while the number of monetary penalties issued between 2023 and 2025 has declined by 36 percent, the average value of these fines (including those issued in 2026) has increased significantly, by 370 percent.
In 2023, 22 penalties were issued, totalling nearly £15 million. On average, each fine was valued at over £675,000. Most of these fines were valued at under £250,000 but a £12.7 million fine issued to TikTok in 2023 was the outlier. The ICO found TikTok responsible for several breaches of data protection law, including failing to use the personal data of children lawfully.
In 2024, the value of monetary penalties dropped sharply, with the ICO handing out 17 penalties totalling just £2.5 million. The Police Service of Northern Ireland (PSNI) received the highest monetary penalty (£750,000) for an unauthorised disclosure of PSNI officer and staff details in an FOI request.
However, in 2025, there was a sizeable increase in the value of monetary penalties issued. While the number of penalties declined slightly, to 14, the value of these fines was much higher, totalling £21.7 million - the highest of all years analysed - with an average fine of £1.6 million.
Several high-value fines were issued in 2025, the highest of which was £14 million. The ICO found that Capita had failed to respond in a timely manner to a cyberattack that compromised the data of over six million individuals and did not adequately prevent attackers from moving freely across its internal network or gaining unauthorised access to more sensitive systems and data once inside.
The data for 2026 (correct as of May) highlights that the ICO is issuing increasingly serious monetary penalties. While only five monetary penalties have been issued, their total value already exceeds £15 million.
A £14.4 million penalty issued to Reddit is the biggest contributor. The social media platform was fined for failing to properly verify users' ages, resulting in the unlawful processing of children’s data.
The marketing sector has been hardest hit by monetary penalties, with 17 penalties issued since 2023; however, the average penalty (£106,765) is among the lowest. The online technology and telecoms industry has received just five monetary penalties since 2023, but the average penalty is over £5.7 million.
The ICO’s enforcement extends beyond monetary penalties. Since 2023, there have been 49 enforcement notices and 65 reprimands alongside the 58 monetary penalties. These may be increasingly preferred for less serious or first-time breaches. Just three cases have resulted in prosecution.
Chris Linnell, Associate Director of Data Privacy, said:
“Although the rise in average fines is significant, it reflects a more targeted approach from the ICO rather than just an increase in enforcement activity. There’s a strong emphasis emerging around areas like children’s privacy, the safe use of AI, and nuisance communications, and with expanded powers now available, organisations need to be prepared for a more proactive regulator.
“The key point many organisations overlook is that the size of a fine isn’t driven by the incident alone. The ICO places a significant amount of weight on how well accountability is demonstrated. That means having controls that are genuinely embedded across people, processes and technology - and being able to evidence that they are working effectively in practice.
“It also highlights the importance of organisations really understanding the context of their data processing. Knowing what data you hold, why you hold it, and the potential risks involved is essential - not just for compliance, but for managing the impact on individuals if something does happen.
“At the same time, public awareness is increasing. High-profile fines are now part of the mainstream conversation, and privacy is becoming a more visible differentiator in the market. That’s raising expectations across the board, meaning good data protection is no longer optional - it’s a fundamental requirement.”
Data was extracted from the ICO Enforcement Register on 11 May 2026. All published records between 2023 and 2026 have been analysed, including 58 monetary penalties, 49 enforcement notices, 65 reprimands, and 3 prosecutions. In some instances, the Information Commissioner's Office will reduce the penalty amount if it is paid before a certain date. For this research, we have recorded the initial value of the penalty.