Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, GDPR can feel like one of those “big company” problems - until you start collecting customer enquiries, running email marketing, storing staff records, or using cloud software to manage your day-to-day work.
Then the question becomes very real (and very practical): what is the maximum fine for GDPR non-compliance in the UK, and how do you make sure your business doesn’t become an expensive cautionary tale?
In this guide, we’ll break down the maximum fines, how the Information Commissioner’s Office (ICO) tends to approach enforcement, and the sensible, step-by-step ways you can reduce your risk (without drowning in legal jargon).
What Is The Maximum Fine For GDPR Non-Compliance In The UK?
Under the UK GDPR (and the Data Protection Act 2018), the maximum fine for GDPR non-compliance depends on what type of breach has occurred.
In simple terms, there are two main “tiers” of administrative fines.
Higher-Tier Fines: Up To £17.5 Million Or 4% Of Global Turnover
The higher tier is the one most people have heard of. For the most serious breaches, the maximum fine is:
- Up to £17.5 million, or
- Up to 4% of your total worldwide annual turnover (global revenue),
whichever is higher.
For many small businesses, 4% of global turnover may sound less scary than £17.5 million - but it can still be a very painful hit, especially when you add the indirect costs like downtime, reputational damage, and professional fees.
These higher-tier fines are generally reserved for breaches involving the core principles of data protection. Examples include:
- Processing personal data without a valid lawful basis
- Ignoring individuals’ rights (like access or deletion requests) in a serious way
- Unlawfully transferring data internationally (for example, without appropriate safeguards where required)
- Major failures involving special category data (like health information) without proper protections
Lower-Tier Fines: Up To £8.7 Million Or 2% Of Global Turnover
The second tier is still significant. For other types of breaches, the maximum fine is:
- Up to £8.7 million, or
- Up to 2% of total worldwide annual turnover,
whichever is higher.
These tend to cover failures around “mechanics” and operational compliance, such as:
- Not keeping the right records (where required)
- Failing to put appropriate contracts in place with data processors
- Failing to notify the regulator or individuals when a notifiable breach occurs
- Certain security and confidentiality failings (depending on the facts)
A Quick Note For Small Businesses
Even if you assume the “maximum fine” is unlikely, it’s not safe to treat GDPR as optional. The ICO can take other action too (like enforcement notices), and data incidents can trigger customer complaints, supplier disputes, and costly operational disruption.
In other words: GDPR risk is not just about the headline fine. It’s about business continuity and trust.
What “The Fines Which Can Be Imposed Under GDPR Are” Means (In Plain English)
When people search for the phrase “the fines which can be imposed under GDPR are”, they’re often trying to understand what the regulator can actually do in the real world.
Broadly, the ICO has a range of enforcement tools. A monetary penalty is just one of them.
The ICO Can Issue Administrative Fines
These are the headline numbers we covered above (up to £17.5m/4% or £8.7m/2%). Whether a fine is imposed - and how large it is - depends heavily on the circumstances.
The ICO Can Issue Enforcement Notices
An enforcement notice can require you to stop a certain type of processing, change your practices, implement specific security measures, or take other corrective action.
For a small business, an order to stop processing can be just as damaging as a fine - because it can hit your ability to trade, market, or deliver services.
The ICO Can Issue Reprimands And Warnings
Sometimes the ICO may issue a reprimand (a formal statement that you’ve breached the law) even if a fine isn’t applied. This can still matter, particularly if you work in a sector where trust is everything (health, childcare, finance, professional services, or any customer-facing business).
Individuals Can Also Seek Compensation
Separate from ICO action, individuals may be able to claim compensation if they’ve suffered damage because of a data protection breach. That can add another layer of exposure, especially if many people are affected.
So, while you might be focusing on maximum fines for GDPR breaches, it’s worth zooming out and treating GDPR as part of your broader risk management.
How Does The ICO Decide Whether To Fine You (And How Much)?
A common misconception is that GDPR fines are automatic. They’re not.
The ICO generally looks at the overall situation, including how serious the issue is and how you behaved before, during, and after the incident.
Here are some of the factors that commonly affect whether you get a fine for a data protection breach, and what level it might be set at:
1) The Nature And Severity Of The Breach
- How many people were affected?
- What type of data was involved (basic contact details vs health data)?
- Did the breach create a real risk of harm (identity theft, financial loss, distress)?
2) Whether You Took “Appropriate Technical And Organisational Measures”
GDPR doesn’t require perfect security - but it does require appropriate security, considering your business size, what data you hold, and the risks involved.
This is where good internal processes matter just as much as the tech itself.
3) Your Level Of Responsibility And Culture Of Compliance
The ICO will usually look at whether you had basic compliance foundations in place, such as:
- Clear privacy information for customers and website users
- Appropriate training and access controls
- Processor contracts where you outsource processing
- A plan for handling data incidents
Having clear, accurate privacy information (often through a Privacy Policy) that reflects what you do (and not a copy-paste template) is a practical part of those foundations.
4) Whether You Cooperated (And How Fast You Responded)
If something goes wrong, speed and transparency matter. A delayed response, missing records, or unclear internal ownership can quickly make an incident feel more serious than it needed to be.
This is one reason many businesses keep a practical Data Breach Response Plan ready to go, so you’re not making decisions in a panic.
5) Whether The Breach Was Repeated Or Preventable
Repeat problems, ignored warnings, or “we knew about this but didn’t fix it” situations tend to raise the stakes.
On the flip side, if you can show you took reasonable steps and the incident happened despite those efforts, that context can make a difference.
Common GDPR Non-Compliance Risks For Small Businesses (And Where Fines Can Come From)
Most small businesses aren’t trying to do the wrong thing. The risk usually comes from busy operations, informal processes, and tools that have grown quickly over time.
Here are some of the most common triggers for a data protection breach fine risk - and practical examples of how they show up in real businesses.
Using Customer Data Without A Proper Lawful Basis
Examples might include:
- Adding people to a marketing list just because they enquired
- Using customer details collected for delivery to later target them with unrelated marketing
- Collecting more personal information than you actually need
It’s not that marketing is “banned” - it’s that you need to align what you’re doing with a lawful basis and be clear with people about how their data will be used.
Weak Contracts With Suppliers And SaaS Providers
If you use third parties to process personal data (for example, cloud storage, CRM systems, payroll providers, marketing platforms), you may need GDPR-compliant terms in place.
For many businesses, that means having an appropriate Data Processing Agreement (or processor clauses) to cover the required points.
Security And Access Issues
This is a big one - and it doesn’t always mean “hacking”. Data incidents can happen through:
- Shared inboxes with no access controls
- Weak passwords or lack of MFA
- Staff downloading customer lists onto personal devices
- Sending emails to the wrong recipient (especially with attachments)
Even simple rules about device use, passwords, and acceptable behaviour can reduce risk - and they’re easier to enforce when they’re written down in something like an Acceptable Use Policy.
Not Knowing What Data You Hold (Or Why You Hold It)
A lot of GDPR compliance comes down to being able to answer these questions quickly:
- What personal data do we collect?
- Where is it stored?
- Who can access it?
- Why do we need it?
- How long do we keep it?
If you can’t answer these, it becomes much harder to respond to an individual rights request, a complaint, or a breach event.
Mishandling Employee Data
Small businesses often build GDPR around customers and forget that staff data is personal data too.
If you’re collecting ID documents, health-related information (even basic sick leave details), or performance notes, you’ll want processes that align with your HR documentation and your wider employment approach. This is also where a clear Staff Handbook can help set expectations and reduce messy “informal” handling of sensitive information.
How Can Businesses Reduce GDPR Fine Risk? A Practical Compliance Checklist
The best way to think about GDPR is not “how do we avoid punishment?” but “how do we run our business in a way that’s safe, organised, and trusted?”
Here are practical steps that can significantly reduce your risk of GDPR non-compliance - and help you defend your position if something goes wrong.
1) Map Your Personal Data (Keep It Simple But Real)
You don’t need a 40-page manual. But you do need a working understanding of:
- The types of personal data you collect (customers, leads, suppliers, staff)
- Where it comes from (website forms, email, phone, bookings, payments)
- Where it’s stored (laptops, cloud drives, CRM, accounting platforms)
- Who it’s shared with (delivery partners, payroll providers, marketing tools)
This exercise tends to uncover “hidden risk” quickly - such as personal data living in spreadsheets on personal devices.
2) Get Your Privacy Information And Consent Settings Right
Make sure your privacy information is:
- Easy to find (especially online)
- Written in plain English
- Accurate for what your business actually does
- Updated when your tools or marketing practices change
If your website collects enquiries, takes payments, or uses tracking cookies, this is often the first place customers (and regulators) will look when there’s a complaint.
3) Put The Right Contracts In Place With Processors
If another business is processing personal data on your behalf, you may need the right contractual terms to meet UK GDPR requirements.
This is particularly relevant for:
- Payroll and HR platforms
- Email marketing tools
- Customer support platforms
- Cloud storage and shared drives
It’s often not enough to rely on informal arrangements - you want written obligations around security, breach reporting, sub-processors, and how data is handled when the relationship ends.
4) Strengthen Your Security (In A Way That Matches Your Size)
“Appropriate security” will differ between a local café with a mailing list and an online service business holding sensitive client records.
However, common best practices include:
- Using strong, unique passwords and multi-factor authentication
- Limiting access to those who actually need it
- Encrypting devices where possible
- Backing up data securely
- Keeping software updated
- Having a clear process for leavers (removing access quickly)
5) Train Your Team (Because Most Breaches Are Human)
A lot of GDPR risk isn’t about bad intent - it’s about mistakes under pressure.
Staff should know:
- What to do if they think a breach has happened
- How to spot phishing or suspicious emails
- How to handle customer information safely (especially when emailing attachments)
- When to escalate issues internally
If you’re starting to use AI tools at work (for example, to summarise notes or draft communications), it’s also worth having a clear internal position on what can and can’t be entered into AI tools, ideally reflected in a Generative AI Use Policy.
6) Be Ready For A Data Breach Before It Happens
If a breach happens, having a plan can be the difference between a contained incident and a spiralling crisis.
Your plan should cover:
- Who is responsible for breach triage and decision-making
- How you investigate and contain the issue
- How you decide if it’s notifiable to the ICO
- How you notify affected individuals (if required)
- How you document what happened and what you changed afterwards
This is one of those areas where it’s much easier to get right when you’re calm - not when you’re dealing with an urgent customer complaint and a ticking deadline.
7) Consider A “Compliance Pack” Approach (Rather Than Random Documents)
GDPR compliance tends to work best when it’s consistent: your privacy information, contracts, policies, and staff processes should match each other.
Depending on your business model, it can be worth putting a cohesive package in place - rather than patching one policy at a time - so you can be confident you’re covered from day one. For some businesses, a structured GDPR package can be a practical way to reduce gaps and keep everything aligned.
Key Takeaways
- The maximum fine for GDPR non-compliance in the UK depends on the breach: up to £17.5 million or 4% of global turnover for serious breaches, and up to £8.7 million or 2% of global turnover for other breaches.
- GDPR enforcement risk isn’t only about fines - enforcement notices, reputational damage, and operational disruption can also hit small businesses hard.
- The ICO typically considers severity, preventability, security measures, cooperation, and whether the issue is repeated when deciding on a GDPR fine.
- Common small business risks include unclear lawful bases for marketing, weak processor arrangements, poor access controls, and informal handling of staff/customer data.
- You can reduce the risk of a GDPR fine by mapping your data, tightening security, training staff, using appropriate processor contracts, and having a breach response plan ready before you need it.
If you’d like help getting your GDPR foundations in place (or stress-testing what you already have), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.