Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is The Maximum Fine For A GDPR Breach In The UK?
- How Does The ICO Decide The Size Of A Fine?
- Real-World Context: Are Small Businesses Really At Risk?
- Practical Steps To Reduce Your GDPR Fine Risk
- 1) Map Your Data And Clarify Lawful Bases
- 2) Tighten Security And Governance
- 3) Put Strong Contracts In Place With Processors
- 4) Manage Cookies And Marketing Permissions Correctly
- 5) Prepare For Incidents Before They Happen
- 6) Build A Reliable Process For Data Subject Rights
- 7) Don’t Forget High-Risk Processing And Transfers
- What Happens If There Is A Breach? Timeline And Reporting Duties
- Checklist: Documents And Processes That Impress The ICO
- Key Takeaways
If your business handles personal data in the UK, the GDPR isn’t just “nice to have” - it’s a legal requirement with real financial consequences for getting it wrong.
Plenty of small businesses ask: what is the maximum fine the ICO can impose, and does that really apply to SMEs? The short answer is yes: the statutory maximums apply regardless of your size, although the fine actually imposed is scaled to the seriousness of the breach and the turnover of the business, and can reach into the millions. The good news: with sensible steps and the right documentation, you can significantly reduce your risk.
In this guide, we’ll break down the maximum fines for a GDPR breach in the UK, how the ICO decides penalty amounts, which breaches attract the highest sanctions, and practical steps you can take now to protect your business.
What Is The Maximum Fine For A GDPR Breach In The UK?
Under the UK GDPR and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) can issue administrative fines using a two-tier system:
- Higher maximum: up to £17.5 million, or 4% of your worldwide annual turnover (whichever is higher).
- Standard maximum: up to £8.7 million, or 2% of your worldwide annual turnover (whichever is higher).
“Worldwide annual turnover” means the total global turnover of the “undertaking” for the preceding financial year, and the “undertaking” can include your wider group, not just a single legal entity. This is why even smaller UK subsidiaries of larger groups need to take compliance seriously: 2% or 4% of group turnover can be substantial.
Separate to GDPR, some privacy-related breaches fall under the Privacy and Electronic Communications Regulations (PECR) - for example, unlawful marketing calls or spam texts. PECR fines can be up to £500,000. While smaller than GDPR penalties, they can still be disruptive and reputationally damaging, especially for small businesses.
Which Breaches Attract The Highest GDPR Fines?
The two-tier system is not arbitrary - different types of infringements are mapped to the two levels. As a rule of thumb:
Higher Maximum (Up To £17.5m / 4%)
These are breaches of the core data protection principles and data subject rights, such as:
- Processing without a lawful basis (e.g. using personal data for a purpose that isn’t covered by consent, a contract, legitimate interests or another recognised basis).
- Failing to respect data subject rights (access, erasure, objection, portability, etc.).
- Unlawful international transfers (e.g. transferring data overseas without appropriate safeguards).
- Breaches of the fundamental principles (fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability).
Standard Maximum (Up To £8.7m / 2%)
These are typically administrative or procedural infringements, for example:
- Failing to implement appropriate technical and organisational measures (security controls, training, policies).
- Missing records of processing activities or impact assessments where required.
- Not notifying the ICO or affected individuals of a notifiable breach in time.
- Not having appropriate contracts in place with processors.
It’s worth noting there can be overlap. For instance, poor security (a “technical and organisational measures” issue, normally the standard tier) that leads to a major data breach can also be treated as a breach of the integrity and confidentiality principle, which sits in the higher tier. Which tier applies depends on the circumstances, and the ICO will look at the root cause, not just the label.
How Does The ICO Decide The Size Of A Fine?
The ICO doesn’t jump straight to the maximum. It uses a structured approach and considers a range of factors, including:
- Nature, gravity and duration of the infringement - how many people were affected, what types of data were involved (especially “special category” data like health), and how long it lasted.
- Intentional vs negligent - were you reckless, or did a genuine error slip through despite reasonable measures?
- Damage suffered by individuals - financial loss, distress, discrimination risks or other harm.
- Mitigation - how quickly you contained the incident, notified the right people, and supported affected individuals.
- Technical and organisational measures - whether you had appropriate security, policies, training, and audits in place.
- Previous infringements or patterns of non-compliance.
- Cooperation with the ICO - being transparent and responsive typically helps.
- How the infringement came to light - did you self-report, or did it emerge through complaints or investigations?
- Adherence to codes of conduct or certifications, if relevant.
- Turnover of the undertaking - fines must be effective, proportionate and dissuasive in the context of your size.
The ICO also has other tools beyond fines, like reprimands, enforcement notices and orders to stop processing. For many SMEs, the ICO may prefer a corrective approach first - but where risks are significant or negligence is clear, enforcement can escalate quickly.
Real-World Context: Are Small Businesses Really At Risk?
Large headline fines grab attention (such as major cases in travel, tech and hospitality). However, small businesses are not exempt. SMEs can and do receive fines and enforcement notices, particularly where:
- There’s a pattern of unlawful marketing under PECR (e.g. nuisance calls or spam emails without consent or a lawful basis).
- Special category data is mishandled (for example, health details collected without appropriate safeguards).
- Breaches are not contained or reported properly within the 72-hour window.
- There’s no basic compliance framework: missing policies, training, contracts with processors, or security controls.
From a practical standpoint, the financial cost is only one part of the risk. Reputational damage, loss of customer trust, investigation time and remediation costs can outweigh the penalty itself - especially for growing businesses.
Practical Steps To Reduce Your GDPR Fine Risk
You can do a lot to minimise the chance of a breach - and to reduce potential penalties if something does go wrong. Focus on the fundamentals first.
1) Map Your Data And Clarify Lawful Bases
- Document what personal data you collect, why you collect it, where it flows, and who you share it with.
- Identify the lawful basis for each processing activity (consent, contract, legitimate interests, legal obligation, vital interests, or public task) and keep a record of that decision.
- Be transparent with an up-to-date, plain-English Privacy Policy that explains your processing activities.
Most businesses should publish a clear Privacy Policy on their website and ensure it matches what actually happens in your operations and marketing stack.
2) Tighten Security And Governance
- Implement appropriate technical measures (access controls, MFA, encryption, patching, secure configurations, and logging that is actually reviewed) and organisational measures (policies, training, audits). Keep evidence that the controls exist and are working: if there is an incident, you will be asked to show it.
- Train your team regularly on phishing, secure data handling, and incident reporting - people are your biggest risk and your strongest defence.
- Adopt data minimisation and retention hygiene - don’t keep data longer than needed, and delete or anonymise on a schedule.
If you’re setting or reviewing retention rules, align them to your legal and operational needs, and document your data retention periods so they’re applied consistently across systems.
3) Put Strong Contracts In Place With Processors
- Whenever you use a third party that processes personal data for you (cloud tools, email platforms, payment providers, CRM, HR systems), you need a compliant contract.
- The agreement should set out obligations on security, sub-processing, international transfers, audit rights, and assistance with data subject rights and breaches.
This is usually handled with a tailored Data Processing Agreement or a negotiated vendor addendum. Avoid relying on generic templates that don’t reflect your actual processing risks.
4) Manage Cookies And Marketing Permissions Correctly
- Use a consent tool for non-essential cookies and tracking technologies, and don’t set them, or load the scripts that set them, until consent has actually been captured. Loading the tracker first and asking afterwards is the most common way websites get this wrong.
- For email and SMS marketing, check whether the “soft opt-in” applies, keep records of when and how permission was obtained, and always offer an easy opt-out.
- Make sure your cookie banner and controls are genuinely granular (per purpose, not a single “accept” switch) and that rejecting is as easy as accepting, with no extra clicks and no pre-ticked boxes.
Your website should include an accurate Cookie Policy and a consent banner that meets UK expectations - build it in line with the practical pointers in our guide to cookie banners that comply.
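As an added example, not Sprintlaw’s code and not tied to any particular consent platform, here is the gating logic behind such a banner in plain JavaScript: non-essential scripts are queued by category and only injected once the visitor has made a positive choice, “reject all” is a single call with no extra steps, and a change to the policy version invalidates old answers so the visitor is asked again. The category names, storage key and script URLs are hypothetical, and the storage and script-injection functions are passed in so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original page). Consent-gated loading of
// non-essential scripts: nothing in "analytics" or "marketing" runs until the
// visitor decides, rejecting is one call, and a stale policy version re-asks.
// Category names, CONSENT_KEY and the script URLs used in demo() are hypothetical.

const CONSENT_KEY = "consent_v1";
const POLICY_VERSION = 2;                    // bump when categories or purposes change
const NON_ESSENTIAL = ["analytics", "marketing"];

// `store` is any object with get(key)/set(key, value) (a localStorage or
// first-party cookie wrapper in the browser); `loadScript(url)` injects a
// <script> tag. Both are injected so the gating rules can be tested offline.
function createConsentManager(store, loadScript) {
  const pending = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
  const loaded = new Set();

  // Returns the recorded choices, or null if there is no valid decision yet.
  // No record, unparseable data and an old policy version all mean "ask again".
  function getConsent() {
    const raw = store.get(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.version === POLICY_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  // Record an explicit choice per category. Anything not set to true is false:
  // silence, scrolling or a pre-ticked box is never treated as consent.
  function setConsent(choices) {
    const rec = { version: POLICY_VERSION, decidedAt: new Date().toISOString() };
    for (const c of NON_ESSENTIAL) rec[c] = choices[c] === true;
    store.set(CONSENT_KEY, JSON.stringify(rec));
    flush();
    return rec;
  }

  const acceptAll = () => setConsent(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])));
  const rejectAll = () => setConsent({});    // same number of steps as acceptAll

  // Register a non-essential script. It loads immediately only if consent for
  // its category already exists; otherwise it waits for a later setConsent().
  function register(category, url) {
    if (!(category in pending)) throw new Error(`unknown consent category: ${category}`);
    if (!pending[category].includes(url)) pending[category].push(url);
    flush();
  }

  // Inject every queued script whose category has consent, each at most once.
  function flush() {
    const consent = getConsent();
    if (!consent) return;
    for (const c of NON_ESSENTIAL) {
      if (consent[c] !== true) continue;
      for (const url of pending[c]) {
        if (loaded.has(url)) continue;
        loaded.add(url);
        loadScript(url);
      }
    }
  }

  return { getConsent, setConsent, acceptAll, rejectAll, register,
           loadedScripts: () => [...loaded] };
}

// Stand-alone demo with an in-memory store and a recording loader
// (constructed inputs). Returns what would have been injected at each stage.
function demo() {
  const backing = new Map();
  const injected = [];
  const cm = createConsentManager(
    { get: (k) => backing.get(k), set: (k, v) => backing.set(k, v) },
    (url) => injected.push(url),
  );
  cm.register("analytics", "https://example.test/ga.js");
  cm.register("marketing", "https://example.test/pixel.js");
  const beforeDecision = injected.length;          // 0: nothing runs yet
  cm.rejectAll();
  const afterReject = injected.length;             // still 0
  cm.setConsent({ analytics: true });              // granular: analytics only
  const afterAnalytics = [...injected];            // ["https://example.test/ga.js"]
  return { beforeDecision, afterReject, afterAnalytics };
}

if (typeof module !== "undefined") {
  module.exports = { createConsentManager, demo, CONSENT_KEY, POLICY_VERSION };
}
```

In a real page, `store` wraps a first-party cookie or localStorage (the consent record itself is a strictly necessary cookie and does not need consent), `loadScript` creates a `<script>` element, and every tag-manager or pixel snippet goes through `register()` instead of being pasted into the template, which is the only way to guarantee nothing fires before the banner is answered.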
5) Prepare For Incidents Before They Happen
- Establish an internal playbook for detecting, assessing and escalating potential breaches.
- Define roles, start the 72‑hour clock from the moment you become aware of a breach (not from when the investigation is finished), and keep template communications ready for the ICO and for affected individuals.
- Run tabletop exercises so your team knows what to do under pressure.
Document the process in a practical Data Breach Response Plan and ensure it links to your security controls, vendor contacts and legal sign‑off pathways.
6) Build A Reliable Process For Data Subject Rights
- Have a clear intake channel and triage steps for Subject Access Requests, erasure requests, and objections.
- Verify identity, scope the request, search properly across all systems (including email, backups you can reasonably access, and third-party tools), and respond within the statutory timeframe of one month, which can be extended by up to two further months for complex or numerous requests if you tell the individual within the first month.
- Where exemptions apply, document your reasoning carefully and keep an audit trail.
If you’re formalising your approach, our resources on Subject Access Requests and SAR deadlines outline the key steps and timelines expected by the ICO.
7) Don’t Forget High-Risk Processing And Transfers
- Carry out Data Protection Impact Assessments (DPIAs) for high-risk processing (e.g. large-scale monitoring or handling sensitive data).
- For international transfers, use approved mechanisms (such as the UK International Data Transfer Agreement or Addendum) and complete risk assessments.
- Align vendor onboarding with your transfer rules so you don’t slip into unlawful exports.
If you’re looking for a structured compliance build, many SMEs benefit from a scoped GDPR package that prioritises the highest-risk gaps first and sets up realistic, repeatable processes.
What Happens If There Is A Breach? Timeline And Reporting Duties
If you experience a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If you cannot meet the 72 hours, you must give reasons for the delay, and you can provide the information in phases as the investigation develops. If there’s a high risk to individuals, you must also inform them directly and without undue delay.
In practice, that means:
- Rapid assessment - confirm whether personal data was compromised, which categories, and how many people are affected.
- Containment - isolate affected systems, reset credentials, revoke access, and engage your IT/security support. Preserve logs and other evidence before rebuilding anything: you will need them to establish what data was affected and to support your notification decision.
- Legal triage - decide whether the breach is notifiable to the ICO and/or to affected individuals, and prepare the required content.
- Documentation - record the facts, effects and remedial action taken (even if you decide not to notify).
- Post-incident actions - learn the lessons, update controls, and review any systematic issues with vendors or internal processes.
Well-prepared businesses move through these steps confidently and can demonstrate accountability - a factor that can significantly reduce enforcement risk.
Common Misconceptions About GDPR Fines
“We’re Too Small To Be Fined”
Size doesn’t exempt you. The ICO’s role is to protect individuals’ rights across the board. Smaller organisations often process less data, which can lower risk - but mishandling sensitive information, unlawful marketing, or ignoring rights requests can still trigger enforcement.
“It Was An Accident - So We’re Safe”
Intent matters, but negligence can still lead to fines. If training, policies and controls were absent or clearly inadequate, “accidental” won’t carry much weight.
“If We Fix It Quickly, We Don’t Need To Report”
Containment is great, but the test for notification is risk to individuals, not how quickly you patched the issue. Assess objectively and document your reasoning either way.
“Our Vendors Handle All Of This”
Using processors doesn’t remove your accountability. You must select appropriate vendors, sign a compliant contract, and supervise their processing. Make sure your Data Processing Agreement and onboarding process are doing the heavy lifting here.
Checklist: Documents And Processes That Impress The ICO
When the ICO asks questions, being able to point to concrete, well-implemented measures often makes the difference. Consider putting these in place:
- A current, accurate Privacy Policy that reflects your actual data use.
- Records of processing activities (what data you handle, purposes, recipients, retention, safeguards).
- A robust Data Breach Response Plan and incident logs.
- Vendor governance with signed Data Processing Agreements and transfer safeguards.
- A compliant cookie banner and a website Cookie Policy.
- Documented retention schedules aligned with your data retention periods.
- Clear procedures for Subject Access Requests and other data subject rights.
- Training records, security policies and evidence of routine checks or audits.
Key Takeaways
- The maximum fine for a GDPR breach in the UK is tiered: up to £17.5m or 4% of worldwide turnover for core principle and rights breaches, and up to £8.7m or 2% for other infringements - whichever is higher.
- The fine the ICO actually imposes on your business depends on the breach category, the harm caused, your intent or negligence, your cooperation, and the maturity of your compliance framework.
- Small businesses aren’t exempt. Even where fines are lower, the knock-on costs - reputation, remediation, lost time - can be significant.
- Strong basics reduce risk: data mapping and lawful bases, security and training, vendor contracts, transparent notices, cookie consent, retention hygiene, and a tested incident response plan.
- Prepare for rights requests and breaches before they happen - reliable processes for SARs and a 72‑hour breach triage make a meaningful difference in ICO outcomes.
- Prioritise high-risk areas first and consider a staged compliance build so you’re protected from day one and ready to grow confidently.
If you’d like help assessing your risk or putting practical GDPR documentation in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.