Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is The Maximum Fine Under UK GDPR?
- What Triggers These Fines? Common GDPR Pitfalls For SMEs
- How Does The ICO Decide The Amount? Key Factors And The Calculation Approach
- Are Fines The Only Risk? Other Orders And Legal Exposure
- What Practical Steps Reduce The Risk Of A Maximum GDPR Fine?
- 1) Map Your Data And Set A Lawful Basis
- 2) Be Transparent With A Clear Privacy Policy
- 3) Put The Right Contracts In Place
- 4) Secure The Data You Hold
- 5) Respect People’s Rights And Timeframes
- 6) Get Your Marketing And Cookies Right
- 7) Prepare For The Worst With An Incident Plan
- 8) Retain Data Only As Long As Needed
- 9) Bundle Your Compliance Essentials
- What Should You Do If You’ve Had A Data Breach?
- Will A Small Business Ever Get The Maximum GDPR Fine?
- Key Takeaways
If your business handles personal data, GDPR compliance isn’t optional - it’s essential. And when something goes wrong, the first question many founders ask is simple: what is the maximum fine for a GDPR breach in the UK?
Don’t panic - most fines aren’t at the maximum. But understanding the upper limits and how the ICO actually decides penalties will help you manage risk and prioritise the right safeguards from day one.
In this guide, we’ll break down the maximum penalties under UK GDPR, the factors the ICO considers, common triggers for small businesses, and the practical steps you can take to protect your business.
What Is The Maximum Fine Under UK GDPR?
Under the UK GDPR (retained GDPR) and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) can issue two tiers of administrative fines for data protection breaches:
- Higher tier: up to £17.5 million or 4% of your global annual turnover (whichever is higher).
- Standard tier: up to £8.7 million or 2% of your global annual turnover (whichever is higher).
These are maximums, not starting points. The higher tier generally applies to the most serious infringements - for example, violations of key principles like lawfulness, fairness and transparency; failing to respect data subject rights; or unlawful international transfers. The standard tier usually covers more procedural obligations, such as certain record-keeping failures or not notifying the ICO of a breach when required.
It’s also worth noting that some privacy-related breaches are enforced under different rules. For example, direct marketing by email, SMS or phone is regulated by the Privacy and Electronic Communications Regulations (PECR). Currently, PECR carries separate penalties (historically up to £500,000), and PECR enforcement often runs alongside UK GDPR duties such as having a lawful basis and providing clear opt-outs. Government proposals have signalled tougher PECR penalties in future, so it’s wise to treat marketing compliance as a high priority now.
What Triggers These Fines? Common GDPR Pitfalls For SMEs
Most small businesses aren’t intentionally ignoring the law - breaches often happen because processes haven’t kept up with growth. Here are the issues we see most often:
- No lawful basis for processing: collecting or using personal data without a clear lawful basis (like consent or legitimate interests) or failing to document your assessment.
- Poor transparency: missing, outdated or unclear privacy information (e.g. no readily available Privacy Policy) so people don’t understand what you’re doing with their data.
- Security gaps: inadequate technical or organisational measures to keep data safe - weak access controls, poor password practices, no encryption, or unpatched software.
- Processor risks: using third‑party tools or service providers without a proper written Data Processing Agreement or checks on their security and sub‑processors.
- Marketing mistakes: sending unsolicited emails or texts, not honouring objections to marketing, or misusing “legitimate interests” for direct marketing without doing the balancing test. Make sure your marketing practices align with email marketing laws and PECR.
- Subject access delays: missing the one‑month deadline for subject access requests (SARs) or giving incomplete responses. Timeframes matter - see the rules around SAR deadlines.
- Late or missed breach reports: failing to notify the ICO within 72 hours of becoming aware of a reportable personal data breach, or not informing affected individuals when the risk to them is high.
- International transfers: transferring personal data overseas without appropriate safeguards (e.g. UK IDTA, EU SCCs plus UK addendum).
Individually, a slip-up might attract a reprimand or corrective action rather than a fine. But repeated problems, higher risk to individuals, or evidence of neglect can push things up the seriousness scale quickly.
How Does The ICO Decide The Amount? Key Factors And The Calculation Approach
The ICO doesn’t automatically jump to the maximum. Instead, it assesses the specific circumstances of your case and follows a structured approach to determine a proportionate penalty. In plain language, the ICO looks at:
- Nature, gravity and duration: How serious was the infringement, how long did it last and how many people were affected?
- Type of data: Did it involve special category data (e.g. health data) or children’s data, which attracts higher protection?
- Harm and risk: Did individuals suffer financial loss, distress or other damage? What’s the likelihood and severity of harm?
- Intent or negligence: Was it deliberate or the result of a lack of reasonable care?
- Mitigation: What did you do to reduce harm once you discovered the issue?
- Accountability and culture: Do you have appropriate policies, training and records? Are you able to evidence compliance, or is there a pattern of non‑compliance?
- Cooperation: Did you cooperate with the ICO’s investigation and comply with directions?
- Past infringements: Have you been warned or penalised before for similar issues?
- Financial position: The ICO considers proportionality - fines should be effective, dissuasive and not excessive.
The ICO may issue a preliminary notice first, giving you a chance to make representations before the penalty is finalised. In many cases, prompt, well‑documented remedial action and a cooperative approach can significantly reduce the penalty.
Are Fines The Only Risk? Other Orders And Legal Exposure
Administrative fines are just one tool the regulator can use. Depending on the breach, you could also face:
- Reprimands or warnings: formal statements that you’ve breached the law, often published on the ICO’s site.
- Enforcement notices: legally binding directions to change your practices - for example, stop processing certain data, improve security, or update your privacy information.
- Stop‑processing or deletion orders: instructions to suspend activities or erase data processed unlawfully.
- Compensation claims: individuals can bring claims for material and non‑material damage (e.g. distress) caused by a breach.
- Contractual and reputational fallout: clients may terminate contracts or seek damages if you breach data protection clauses, especially if you’re acting as a processor.
Marketing breaches under PECR can attract separate penalties and publicity, especially for unsolicited electronic marketing. If you rely on cookies or similar technologies, ensure you have a clear Cookie Policy and use consent tools that align with guidance on compliant cookie banners.
What Practical Steps Reduce The Risk Of A Maximum GDPR Fine?
You can’t remove risk entirely, but you can make fines unlikely - and smaller if something goes wrong - by showing strong accountability. Focus on these building blocks.
1) Map Your Data And Set A Lawful Basis
- Maintain an up‑to‑date Record of Processing Activities (RoPA) so you know what you collect, why you use it, where it flows and how long you keep it.
- Identify a lawful basis for each purpose (consent, contract, legal obligation, vital interests, public task, or legitimate interests) and document your reasoning.
- Where relying on legitimate interests, do a balancing test and keep the assessment on file.
2) Be Transparent With A Clear Privacy Policy
- Give people concise, accessible privacy information at the point of collection, and host a comprehensive, plain‑English Privacy Policy on your website.
- Explain your purposes, lawful bases, retention times, third parties, international transfers, and people’s rights.
3) Put The Right Contracts In Place
- Whenever you use a processor (e.g. cloud tools, CRM, outsourced support), have a written Data Processing Agreement with mandatory UK GDPR clauses.
- If you exchange personal data with other controllers (e.g. partners, franchisees), document roles and safeguards in a Data Sharing Agreement.
4) Secure The Data You Hold
- Adopt proportionate technical measures: MFA, strong access controls, encryption (in transit and at rest), patching and backups.
- Use organisational measures: policies, onboarding/offboarding checklists, role‑based access, and regular staff training on phishing and safe handling.
- Run DPIAs (Data Protection Impact Assessments) for high‑risk processing - especially when using novel tech, monitoring staff, or processing special category data.
5) Respect People’s Rights And Timeframes
- Set up clear workflows for subject rights (access, erasure, rectification, objection, portability, restriction). Track deadlines and identity verification steps.
- Make sure customer‑facing teams know how to recognise a SAR and triage it promptly. If you need a refresher on time limits, review SAR response timescales.
6) Get Your Marketing And Cookies Right
- For email and SMS marketing, ensure you have the right consent or you qualify for a narrow “soft opt‑in”. Always provide an easy, effective opt‑out. Align your campaigns with email marketing laws.
- Use consent‑based cookie tools for non‑essential cookies and provide a clear Cookie Policy.
7) Prepare For The Worst With An Incident Plan
- Create and test a Data Breach Response Plan so you can contain incidents, assess risk, notify within 72 hours if needed, and communicate with affected individuals.
- Keep a breach register - even for minor near‑misses - and use lessons learned to harden controls.
8) Retain Data Only As Long As Needed
- Define retention periods that match your purposes and legal duties, then securely delete or anonymise when time’s up. For a practical overview, see guidance on data retention periods.
9) Bundle Your Compliance Essentials
- If you’re just getting started, consider a tailored set of privacy documents and processes in one place, such as a GDPR Package, so you’re protected from day one.
What Should You Do If You’ve Had A Data Breach?
Speed and structure matter. A calm, process‑driven response will protect people and your business - and it demonstrates accountability to the ICO.
- Contain the incident. Isolate affected accounts or systems, revoke compromised credentials, and prevent further unauthorised access.
- Assess the risk. Identify what personal data is involved, how many people are affected, and likely consequences (e.g. fraud risk, identity theft, distress). Special category or children’s data raises the stakes.
- Decide on notification. If the breach is likely to result in a risk to people’s rights and freedoms, notify the ICO without undue delay and within 72 hours of becoming aware. If there’s a high risk, inform affected individuals too, in clear language.
- Document everything. Even if you don’t notify, you must keep an internal record of the breach, your assessment and the measures taken.
- Fix the root cause. Patch systems, update configurations, tighten access, refresh training - and record these improvements.
- Review your contracts and notices. Ensure your Data Processing Agreements cover breach support and notification; confirm your Privacy Policy aligns with your actual practices.
If in doubt about whether to notify, it’s sensible to seek advice quickly. Late or incomplete notifications can create more problems than the incident itself.
Will A Small Business Ever Get The Maximum GDPR Fine?
It’s rare. The maximum penalties are designed for egregious, systemic or wilful non‑compliance affecting large numbers of people, or where an organisation ignores warnings and fails to improve. In practice, the ICO uses a range of tools - including reprimands, enforcement notices and proportionate fines - to drive better behaviour.
However, “rare” doesn’t mean “never”. A small business that processes sensitive data without safeguards, repeatedly spams customers despite complaints, or fails to report serious breaches could face significant penalties relative to its size. The best defence is to be able to evidence your compliance culture: policies, training, contracts, risk assessments and prompt action when issues arise.
Key Takeaways
- The maximum fine for a GDPR breach in the UK is up to £17.5m or 4% of global annual turnover (whichever is higher) for higher‑tier infringements, and up to £8.7m or 2% for standard‑tier infringements.
- Most penalties are far below the maximum - the ICO looks at seriousness, harm, type of data, intent, cooperation and your overall compliance posture.
- Fines aren’t the only risk. You can receive enforcement notices, orders to stop processing or delete data, and individuals may claim compensation.
- Reduce risk by documenting your lawful bases, publishing a clear Privacy Policy, using robust Data Processing Agreements, and securing data with sensible technical and organisational measures.
- Get marketing and cookies right under PECR and UK GDPR - align with email marketing laws, use compliant cookie tools and keep an up‑to‑date Cookie Policy.
- Prepare and test a Data Breach Response Plan, and make sure your team can recognise and handle SARs within the required timeframes.
If you’d like tailored help tightening your GDPR compliance, reviewing your privacy documents or responding to an incident, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.