Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Data protection can feel like a maze, but there’s one headline that cuts through the noise: the Information Commissioner’s Office (ICO) can issue eye‑watering fines for serious breaches of UK data protection law.
If you’re running a small business, don’t panic - the ICO’s “maximum fine” is reserved for the most serious cases. With the right systems and documents in place, you can stay compliant and protect your business from day one.
In this guide, we’ll explain what the ICO maximum fine actually is, when it applies, how fines are calculated, and the practical steps you can take to keep your risk low.
What Is The ICO Maximum Fine?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), the ICO can issue administrative fines at two tiers:
- Higher tier: up to £17.5 million or 4% of your annual worldwide turnover (whichever is higher) - for the most serious infringements.
- Standard tier: up to £8.7 million or 2% of your annual worldwide turnover (whichever is higher) - for other infringements (often around governance and accountability).
These are legal maximums, not automatic penalties. The ICO assesses each case individually and considers a range of factors before setting any fine.
On top of UK GDPR/DPA 2018, the ICO also enforces the Privacy and Electronic Communications Regulations (PECR) - covering marketing calls, texts, emails and cookies. Breaches of PECR can attract fines too. Historically, PECR fines have been capped at £500,000, but in practice, the biggest risk for many small businesses is repeated or reckless non‑compliance that shows a disregard for people’s privacy.
When Do The Maximums Apply?
The “maximum fine” thresholds are reserved for the most serious cases - think deliberate or systemic misuse of personal data, large‑scale impacts, or ignoring the ICO’s directions. In the real world, fines are scaled to the seriousness of what went wrong and your business’s size and circumstances.
Broadly, higher‑tier infringements (up to £17.5m/4%) include breaches of core data protection principles, such as:
- Processing personal data without a lawful basis
- Processing beyond what’s necessary or fair (e.g., excessive data collection)
- Failing to respect data subject rights (like access, deletion, objection) in a serious or systemic way
- Unlawful international data transfers
Standard‑tier infringements (up to £8.7m/2%) tend to relate to governance and accountability duties, like:
- Not implementing appropriate technical and organisational measures
- Poor record‑keeping or failure to demonstrate compliance
- Inadequate processor oversight or contracts
PECR fines typically arise from unlawful direct marketing (e.g. sending unsolicited emails or texts without consent or applicable soft opt‑in) or non‑compliant cookies. If you’re running email campaigns, ensure you’re using the soft opt‑in correctly and have a clear Cookie Policy - both are simple steps that reduce risk quickly.
How Does The ICO Decide The Amount?
The ICO follows a structured assessment when deciding whether to fine, and at what level. Key factors include:
- Nature, gravity and duration - how serious the breach was, how many people were affected, and for how long.
- Intentional or negligent - whether the breach was a mistake or a deliberate choice (or reckless disregard).
- Types of data - special category data (e.g., health) and children’s data attract higher scrutiny.
- Mitigation - how quickly you acted to reduce harm and whether you notified affected individuals where required.
- Cooperation - whether you cooperated with the ICO during the investigation.
- History - any previous infringements or warnings.
- Accountability - whether you had appropriate policies, training, contracts and security in place.
- Turnover - the fine must be effective, proportionate and dissuasive, with your size and ability to pay considered.
The ICO’s aim isn’t to punish honest small businesses that make a one‑off mistake and fix it fast - it’s to change behaviour, protect people, and encourage strong privacy practices. That’s good news for SMEs who put sensible safeguards in place and act quickly if something goes wrong.
PECR And Cookies: Fines Beyond GDPR
For many small businesses, the most likely risk area isn’t a headline‑grabbing cyber incident - it’s everyday marketing and website compliance under PECR.
Common problem areas include:
- Sending marketing emails or texts without valid consent or soft opt‑in
- Using non‑essential cookies (e.g., analytics, advertising) without consent
- Hiding tracking behind vague banners or pre‑ticked boxes
To reduce this risk quickly:
- Use a consent‑based cookie banner that actually blocks non‑essential cookies until accepted. Our practical guide to cookie banners that comply explains what “reject all” needs to look like under UK rules.
- Publish a clear, accurate Cookie Policy that lists cookies, purposes, and retention.
- If you rely on the soft opt‑in for existing customers, ensure each marketing message offers a simple opt‑out and that you’ve captured the original sale context properly (see soft opt‑in).
These are quick wins - and they help you avoid PECR enforcement, which is separate from, and in addition to, UK GDPR.
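To make the “blocks non‑essential cookies until accepted” requirement concrete, here is an added example (not Sprintlaw’s code, and independent of any particular banner product) of the gating logic behind such a banner. The script manifest, category names and Cookie Policy version are constructed sample values; wiring the decisions into the page (injecting the allowed scripts, persisting the record) is left to the site.

```javascript
// Added example: consent gate for non-essential cookies, modelled on the UK
// rules the guide describes. Nothing non-essential runs until the visitor
// opts in, "reject all" is a first-class choice, and every decision is
// recorded with a timestamp and the Cookie Policy version it was given against.

const POLICY_VERSION = "2024-01"; // assumed version of the site's Cookie Policy

// Categories the site declares; "essential" never needs consent (PECR exemption).
const CATEGORIES = ["essential", "analytics", "advertising"];

// Consent store: current record plus an audit log of every decision made.
function createConsentStore() {
  return { record: null, log: [] };
}

// Record a decision. `accepted` lists the non-essential categories opted into.
function recordConsent(store, accepted, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = c === "essential" ? true : accepted.includes(c);
  }
  store.record = { categories, recordedAt: now.toISOString(), policyVersion: POLICY_VERSION };
  store.log.push(store.record); // keep evidence of what was chosen and when
  return store.record;
}

// "Accept all" and "reject all" are equally simple one-click paths.
function acceptAll(store) { return recordConsent(store, CATEGORIES.filter(c => c !== "essential")); }
function rejectAll(store) { return recordConsent(store, []); }

// May a script tagged with `category` run under the current consent state?
function mayRun(store, category) {
  if (category === "essential") return true;
  if (!store.record) return false;                                  // no decision yet: blocked
  if (store.record.policyVersion !== POLICY_VERSION) return false;  // policy changed: re-ask
  return store.record.categories[category] === true;                // unknown category: blocked
}

// Reduce a page's script manifest to the sources allowed to load right now.
function allowedScripts(store, manifest) {
  return manifest.filter(s => mayRun(store, s.category)).map(s => s.src);
}

// Constructed sample manifest: one essential script, two that set tracking cookies.
const SAMPLE_MANIFEST = [
  { src: "/js/session.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];
```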
Practical Steps To Avoid ICO Fines
Good privacy hygiene dramatically reduces the chance of an investigation or penalty. Here’s a practical, SME‑friendly roadmap.
1) Map Your Data And Pick A Lawful Basis
Start by mapping what personal data you collect, why, where it’s stored, who accesses it, and how long you keep it. For each processing activity, choose a lawful basis (e.g., consent, contract, legal obligation, legitimate interests) and document your reasoning.
Make this visible to customers in a clear, tailored Privacy Policy - avoid generic templates that don’t match your actual data flows.
2) Put The Right Contracts In Place
If you use third‑party providers that process personal data for you (like email marketing platforms or cloud storage), UK GDPR requires written terms with specific clauses. A compliant Data Processing Agreement sets out security standards, audit rights, sub‑processor controls, and breach notification obligations. If you share personal data with another controller for separate purposes, a Data Sharing Agreement can record roles and safeguards.
3) Strengthen Security And Train Your Team
Technical measures (MFA, encryption, access controls) and organisational measures (policies, training, joiners/leavers processes) both matter. If you use cloud collaboration tools, sense‑check your setup against privacy expectations - our overview of whether Google Drive is GDPR compliant highlights typical pitfalls and practical controls.
4) Prepare For Incidents
Not every security incident is a breach, and not every breach must be reported - but you must assess incidents quickly and decide whether to notify the ICO within 72 hours where required. A tested Data Breach Response Plan helps you triage, reduce harm, and meet deadlines calmly.
5) Get Cookies And Marketing Right
Bring your website and email practices in line with PECR by using a compliant banner, a transparent Cookie Policy, and lawful marketing settings. This is one of the fastest ways to reduce enforcement risk day‑to‑day.
6) Handle Requests On Time
People can ask to access, delete or correct their data. Build a simple playbook so your team can recognise a Subject Access Request, verify identity, and respond within the deadlines. Also decide when you can lawfully refuse - our overview of SAR exemptions and SAR deadlines explains the boundaries clearly.
7) Be Smart About Retention
Don’t keep personal data longer than necessary. Set sensible retention periods that reflect your legal and operational needs, then delete or anonymise on schedule. If you’re unsure how long to keep different records, our guide to data retention periods is a useful starting point.
What Documents Should A Small Business Have In Place?
A few tailored documents go a long way towards proving accountability (a core UK GDPR principle) and avoiding penalties.
- Privacy Policy - a clear, plain‑English notice describing what you collect, why, legal bases, retention, and rights; host it on your website and keep it aligned with reality. Consider a professionally drafted Privacy Policy if you process multiple data types or use international vendors.
- Data Processing Agreement - required for each processor you use (e.g., email marketing, CRM, payroll), ideally your version to keep terms consistent. See Data Processing Agreement.
- Data Sharing Agreement - if you exchange personal data with other organisations as separate controllers, use a Data Sharing Agreement to record roles, security and retention.
- Data Breach Response Plan - a practical, step‑by‑step playbook so you can investigate and notify within 72 hours where needed. See Data Breach Response Plan.
- Cookie Tools And Notices - a compliant consent banner and a transparent Cookie Policy, ideally with a mechanism to record consents.
- Internal Policies And Training - simple rules for staff (access control, device use, data handling), and refreshers for anyone who touches personal data.
If you want a one‑stop approach, our GDPR package and data protection consultation are designed to get small businesses compliant quickly and practically.
What Happens If You Get It Wrong?
Fines are only one part of the picture. The ICO has a range of tools it can use before leaping to monetary penalties, including:
- Advice, warnings and reprimands
- Enforcement notices requiring you to change or stop certain processing
- Assessment notices (allowing audits)
- Orders to notify affected individuals, or to rectify or erase data
Realistically, the bigger hit for many SMEs is reputational. A public reprimand (or media coverage around a breach) can undermine customer trust overnight. That’s why your best defence is a mix of prevention (good policies and contracts), detection (training, access logs, incident triage) and response (a tested plan and swift communications).
One more quick win: make sure you’re appropriately registered with the ICO and paying the correct fee if required. Some businesses don’t need to pay, so check whether you fall within an ICO fee exemption - it’s a simple compliance check that keeps you off the ICO’s naughty list.
Frequently Asked Questions About The ICO Maximum Fine
Is The ICO Maximum Fine Likely For A Small Business?
No - maximums are for the most serious cases. The ICO looks at proportionality and will often start with guidance, a reprimand or an enforcement notice if issues can be fixed quickly.
Can We Be Fined For A Single Marketing Email?
A one‑off mistake is unlikely to trigger a large penalty, but repeated unlawful messages or ignoring opt‑outs can lead to PECR enforcement. Put a process in place so marketing only targets people with consent or a valid soft opt‑in, and make opting out easy in every message.
Do We Always Have To Report A Breach?
No. You must assess each incident and notify the ICO within 72 hours only if it’s likely to result in a risk to people’s rights and freedoms. Your Data Breach Response Plan should help you make that call and document your reasoning either way.
What If A Customer Demands We Delete Everything Immediately?
People can ask you to erase their data, but erasure isn’t absolute - there are legal grounds to refuse (for example, if you must retain records for legal obligations). Knowing the relevant exemptions and setting realistic retention rules will help you respond lawfully and consistently.
Key Takeaways
- The ICO maximum fine under UK GDPR/DPA 2018 is up to £17.5m or 4% of global annual turnover for the most serious infringements, and up to £8.7m or 2% for others. PECR breaches can also lead to separate fines.
- Maximums are rarely used - the ICO assesses seriousness, intent, mitigation, cooperation, history and your turnover to set a proportionate outcome.
- Your biggest day‑to‑day risks often sit in marketing and cookies: use a compliant banner, a clear Cookie Policy, and only send marketing where consent or soft opt‑in applies.
- Core protections include a tailored Privacy Policy, a Data Processing Agreement with every processor, and a tested Data Breach Response Plan.
- Train staff to spot and handle a Subject Access Request, set sensible retention periods, and document your lawful bases and risk decisions.
- Check whether you need to pay the ICO data protection fee - some businesses fall within an exemption, but you should confirm this rather than assume.
If you’d like help reducing your risk of an ICO fine - from drafting a Privacy Policy and Data Processing Agreements to setting up cookie compliance and breach response - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.