Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, you’ll probably deal with personal data at some point - customer emails, staff records, supplier contacts, mailing lists, CCTV footage, website enquiries, and more.
That’s where the Information Commissioner’s Office (ICO) comes in. The ICO is the UK’s regulator for data protection and ePrivacy rules, and it has a wide toolkit to investigate complaints and enforce the law.
The tricky part is that the ICO’s powers can sound vague and a bit intimidating. What can the ICO actually do? When do they investigate? Can they show up unannounced? How do GDPR fines work in practice? And what should you have in place so you’re protected from day one?
This guide breaks it all down in plain English, from a small business perspective, so you can focus on running your business with confidence.
What Are The ICO’s Powers (And When Do They Apply)?
The ICO’s powers mainly come from:
- UK GDPR (the UK’s version of the General Data Protection Regulation, retained post-Brexit)
- Data Protection Act 2018 (which supplements UK GDPR and gives extra detail and powers)
- Privacy and Electronic Communications Regulations (PECR) (covering things like marketing emails/SMS, cookies, and some telecoms rules)
In simple terms, the ICO’s job is to make sure organisations handle personal data lawfully, fairly and securely - and to take action where they don’t.
So, What Counts As “Personal Data” For A Business?
Personal data is any information relating to an identifiable individual. For small businesses, common examples include:
- Customer names, phone numbers, and email addresses
- Online order histories linked to a person
- Employee HR records (including sickness notes and performance records)
- CCTV footage where people can be identified
- IP addresses and device identifiers (often relevant for cookies and analytics)
Even if data protection isn’t your “core business”, if you use personal data to sell, hire, deliver services, or market, it matters.
High-Level Summary Of ICO Powers
When people talk about ICO powers, they’re usually referring to the ICO’s ability to:
- Investigate suspected non-compliance (often triggered by complaints or breach reports)
- Request information and evidence from you
- Conduct audits (in some cases)
- Order you to do (or stop doing) certain things with personal data
- Issue formal regulatory outcomes such as reprimands or enforcement notices
- Issue monetary penalties (fines), particularly for serious or repeated non-compliance
Just as importantly, the ICO can also publish enforcement outcomes, which can create reputational and commercial risks even where fines are not issued.
How Do ICO Investigations Start For Small Businesses?
Most small businesses don’t get investigated out of the blue. Typically, ICO involvement starts because something has gone wrong (or is alleged to have gone wrong), and the ICO has received information that makes it worth looking into.
Common Triggers For ICO Attention
- A complaint from a customer (for example: “they won’t delete my data” or “they keep emailing me after I unsubscribed”)
- A complaint from an employee or ex-employee (often around workplace monitoring, HR records, or sharing information)
- A personal data breach report submitted by your business (or reported by a third party)
- Marketing non-compliance under PECR (for example, unsolicited marketing texts/emails)
- Press coverage or public reports of a cyber incident
- A sector-wide focus where the ICO is paying attention to particular practices
In many cases, the ICO will start by writing to you and asking questions, rather than immediately taking enforcement action.
Can The ICO Investigate Even If You’re A Tiny Business?
Yes. UK GDPR applies to organisations of all sizes.
That said, proportionality matters in practice. The ICO often considers the nature of your business, the sensitivity of the data involved, and the level of harm or risk to individuals when deciding what action (if any) is appropriate.
But “we’re small” isn’t a defence. If you’re processing personal data, you still need the right foundations in place - policies, contracts, and security measures - that match your actual risks.
What Can The ICO Ask You To Do During An Investigation?
Once an investigation is underway, the ICO can require information and expects your cooperation. This is where many businesses feel pressure - not necessarily because they’re deliberately doing the wrong thing, but because they don’t have their documentation and processes organised.
Information Requests And Evidence Gathering
The ICO can ask you for information such as:
- Your data protection policies and internal procedures
- Evidence of your lawful basis for processing (for example, consent records)
- Details of your security measures
- Data retention periods and deletion practices
- Copies of privacy notices provided to customers or staff
- Contracts with service providers who process personal data for you
- Records showing how you handled a data subject request (like a subject access request)
In many cases, the ICO will contact you with specific questions (for example, through an information request). Having a proper Privacy Policy that matches what you actually do is one of the basics the ICO may look for early.
Audits, Assessments And Inspections
Depending on the circumstances, the ICO may carry out an assessment of your compliance. For many small businesses, this will be “desk-based” (reviewing documents and answers), rather than inspectors arriving at your premises.
In more serious cases, the ICO may carry out an inspection. Where the ICO uses its formal powers of entry and inspection, there are specific legal requirements and safeguards (and in some circumstances a warrant may be involved). If you receive notice of an audit or inspection, it’s a good idea to get advice quickly.
If you have staff handling customer data, it also helps if you can point to clear internal rules about acceptable workplace systems use, access, and security - for example, an Acceptable Use Policy.
Data Breach Handling Questions
If the investigation relates to a security incident, the ICO will often focus on:
- How the breach happened (human error, phishing, poor access controls, etc.)
- Whether you had reasonable security in place beforehand
- How quickly you detected and contained the incident
- Whether you notified the ICO (and if so, when)
- Whether you notified affected individuals (if required)
- What steps you’ve taken to reduce the risk of recurrence
This is why it’s so useful to have a Data Breach Response Plan in place before anything happens - not after.
Enforcement Tools: Warnings, Reprimands, Notices And Other Outcomes
A lot of business owners assume the only “real” outcome is a GDPR fine. In reality, the ICO has many ways to respond, and fines are only one part of the picture.
Informal Resolution And Advice
Sometimes, the ICO will resolve matters by giving guidance, asking you to improve processes, or confirming it won’t take further action (especially where the risk to individuals is low and you’ve cooperated).
Even where the outcome feels “informal”, don’t treat it lightly. It’s still a clear sign that your current process is exposed - and it can be referenced if issues repeat.
Reprimands
A reprimand is a formal statement that the ICO considers you have infringed data protection law. It may not carry a fine, but it can still be serious because:
- It creates a regulatory track record
- It can be made public (which can affect trust)
- It often comes with expectations that you fix issues quickly
Enforcement Notices
An enforcement notice is more direct. It can require you to take (or stop) specific actions to comply.
For example, an enforcement notice could require you to:
- Stop sending marketing communications until you can prove compliance
- Fix a security vulnerability within a set time
- Comply with a data subject request properly
- Change the way you collect consent on your website
Failing to comply with an enforcement notice can lead to further regulatory action and increased risk of penalties.
Information Notices And Assessment Notices
The ICO can also issue formal notices requiring action. For example, an information notice can require you to provide specified information to the ICO by a deadline. An assessment notice can require you to allow the ICO to assess whether you’re complying with data protection law (including, in some cases, allowing access to premises and documents).
These notices are legally significant: missing deadlines, refusing to provide required information, or obstructing an assessment can escalate matters.
Temporary Or Permanent Processing Bans
In more serious cases, the ICO can restrict processing. That can be devastating to a business if your operations depend on data (for example, CRM and email marketing, or online fulfilment).
This is one reason it’s worth taking compliance seriously early - the biggest business risk is often operational disruption, not just fines.
GDPR Fines And Penalties: How They Work In Practice
Let’s talk about the question most business owners have in mind: can the ICO fine you, and how much?
Yes, the ICO can issue monetary penalties for breaches of UK GDPR, the Data Protection Act 2018, and (for certain matters) PECR.
How Big Can ICO Fines Be?
Under UK GDPR, maximum fines are set in two tiers:
- Up to £8.7 million or 2% of your total worldwide annual turnover (whichever is higher) for certain infringements (often described as the “lower tier”).
- Up to £17.5 million or 4% of your total worldwide annual turnover (whichever is higher) for more serious infringements (often described as the “higher tier”).
In practice, for small businesses the real question is what the ICO is likely to do in proportion to the seriousness of the breach (and the risks and harm to individuals).
When deciding whether to fine (and how much), the ICO generally considers factors like:
- Nature and seriousness of the infringement
- How many individuals were affected
- Harm suffered (or likely to be suffered) by individuals
- Whether the breach was negligent or intentional
- Steps you took to mitigate damage once you became aware
- Your cooperation with the ICO
- Previous compliance history
- Whether you had appropriate measures in place before the incident
If your business is growing quickly and you’re scaling systems fast, this is a common danger zone. Your compliance needs to scale too - especially where you rely on suppliers, platforms, and third-party processors.
PECR Fines (Marketing And Cookies)
Some businesses are surprised to learn that issues like unsolicited marketing emails/texts and certain cookie compliance problems can fall under PECR and still lead to enforcement action.
If you do direct marketing, it’s worth double-checking that your mailing lists, opt-ins, and unsubscribe processes match what the law expects - and that your records are good enough to prove it.
What About Compensation Claims?
Regulatory action isn’t the only risk. Individuals may also seek compensation if they suffer damage because of a breach of data protection law (for example, financial loss, or distress in some circumstances).
That’s why it’s best to treat ICO compliance as part of your broader risk management - like having solid customer terms, good HR practices, and sensible cybersecurity controls.
How Can You Reduce Your Risk And Show Compliance From Day One?
The best way to deal with the ICO’s powers is to reduce the chance you’ll ever be on the receiving end of them - and to be ready to respond calmly if you are.
Here are practical steps that are realistic for small businesses.
1) Get Your Core GDPR Documents In Place
At a minimum, you’ll usually need:
- A clear Privacy Policy (and privacy information at the point of collection)
- Contracts that cover how suppliers handle personal data (especially if they process data on your behalf)
- Internal policies that fit your business operations and team structure
If you use third parties for email marketing, cloud storage, analytics, CRM, payroll, or IT support, you may need a Data Processing Agreement to properly allocate responsibilities and make sure UK GDPR-required terms are included.
If you want a more comprehensive approach (especially if you’re scaling or processing more sensitive data), a structured GDPR package can help you cover the main legal and operational bases without trying to piece it together reactively.
2) Limit Access And Set Practical Rules For Staff
Many data incidents come down to simple access issues: too many people can view HR files, a shared inbox is unmanaged, or staff use personal devices without clear rules.
Clear internal rules, training, and a simple “least access necessary” approach go a long way. If you’re also monitoring staff devices or emails, tread carefully and document your approach - data protection intersects heavily with workplace monitoring, and it’s an easy area for complaints to arise.
3) Prepare For Data Breaches Before They Happen
Even with good security, no business is completely immune from human error and cyber threats.
A workable Data Breach Response Plan helps you respond quickly, preserve evidence, and make better decisions under pressure (including whether you need to notify the ICO within the UK GDPR timeframes).
4) Treat Data Protection As An Ongoing Process
Compliance isn’t a “one-and-done” task.
As your business grows, common change points include:
- Hiring your first employees (and collecting more staff data)
- Launching new marketing campaigns
- Switching software providers
- Adding CCTV, call recording, or new monitoring tools
- Expanding into new markets or offering new services
Each of these can change your risk profile and what you need to document.
5) Keep Evidence Of What You’re Doing Right
One of the most overlooked practical tips is: keep records.
If the ICO ever asks questions, it’s much easier to respond when you can show:
- when policies were implemented
- what staff training was provided
- how consent is recorded
- how breaches are logged (even minor ones)
- how you handle deletion and retention
This doesn’t need to be fancy - it just needs to be accurate, consistent, and aligned with what you actually do.
Key Takeaways
- The ICO’s powers include investigating complaints and breaches, issuing formal information and assessment notices, assessing compliance, issuing enforcement notices, and imposing monetary penalties under UK GDPR, the Data Protection Act 2018, and PECR.
- Most ICO investigations start with a trigger like a customer complaint, a marketing issue, or a reported personal data breach - so your day-to-day processes matter.
- Fines are only one tool; reprimands, enforcement notices, and processing restrictions can create serious operational and reputational impacts for small businesses.
- Having the right legal foundations - like a Privacy Policy, supplier data clauses, and internal policies - makes it easier to respond calmly and credibly if the ICO contacts you.
- A Data Breach Response Plan helps you contain incidents, meet reporting obligations, and show the ICO you took the situation seriously.
- Data protection compliance should scale with your business - review your setup when you hire, change systems, or expand your marketing and customer data activities.
This article is for general information only and does not constitute legal advice. If you need advice on your specific situation (including an ICO enquiry or investigation), get legal advice.
If you’d like help getting your data protection compliance set up properly (or responding to an ICO enquiry), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.