What Are the Biggest Fines Handed Down by the ICO in England?

Summary

  • The ICO can issue substantial fines for GDPR breaches including data breaches, unlawful staff monitoring, excessive data retention, failure to process Subject Access Requests, and failure to report serious breaches within 72 hours, with the five largest fines totalling nearly £50 million.
  • High-profile cases including British Airways (£20 million), Marriott Hotels (£18.4 million), and Clearview AI (£7.5 million) demonstrate that inadequate IT security, failure to prevent cyber attacks, and collecting personal data without consent can result in significant financial penalties.
  • Businesses can reduce their risk of ICO fines by implementing protective passwords, anti-virus software, clear data storage and deletion policies, Subject Access Request procedures, and regular staff training on data protection obligations.
  • This article is a guide to ICO fines and GDPR compliance for businesses in the UK, explaining what triggers enforcement action and the practical steps businesses can take to avoid data breaches.
  • LegalVision is a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.

Tips for Businesses

Implement robust IT security measures including password protection and anti-virus software, and establish clear written policies for data storage, retention, and deletion. Train staff annually on GDPR obligations and ensure serious data breaches are reported to the ICO within 72 hours. Review ICO guidance regularly to maintain ongoing compliance.


The ICO has issued fines totalling nearly £50m against some of the UK’s most recognisable organisations for breaching the GDPR, and no business is immune from scrutiny. Understanding what triggers an ICO fine and how to prevent a data breach is essential for protecting your business. This article will explore some of the largest fines the ICO has issued to organisations in recent years and the precautionary measures your business can implement to avoid a significant personal data breach.

When Will the ICO Issue Fines?

The GDPR is essential to UK law and to data and privacy protection. Consequently, any severe breach should result in serious consequences. The Information Commissioner’s Office (ICO) is the primary body responsible for investigating data breaches and handing down fines.

The ICO may issue a fine against your company if it:

  • commits a data breach involving the personal data of individuals;
  • carries out unlawful monitoring of staff and third parties on your premises;
  • stores sensitive information for too long without good reason;
  • fails to answer or correctly process Subject Access Requests (SARs);
  • fails to report a serious data breach to the ICO within 72 hours;
  • fails to store personal information concerning staff and customers safely; or
  • unlawfully leaks personal or sensitive information to others without the consent of the individuals it belongs to.

Largest Fines Awarded by the ICO

Currently, the five largest fines issued by the ICO for breach of data protection law add up to nearly £50m. That is a sizeable proportion of the annual global turnover for the organisations affected. The ICO chose those figures to deter organisations from failing to take sufficient security measures concerning customer data in the future.

Let us run through each fine and the nature of the UK GDPR breach below.

British Airways Fine: £20m

The ICO found that British Airways lacked adequate security measures to guard against cyber attacks. Eventually, this led to a cyber attack in 2018, which took British Airways over two months to find. Here, the fine was so significant because adequate IT security would have prevented the cyber attack, which subsequently leaked the personal and financial details of more than 425,000 customers.

This currently stands as the ICO’s largest fine to date.

Marriott Hotels Fine: £18.4m

In 2018, the ICO discovered that a 2014 cyber attack had leaked 339 million guest records worldwide. They concluded that Marriott Hotels failed to protect the stolen data adequately. Given that the stolen information contained names, phone numbers, email addresses and passport numbers, the ICO felt it essential to provide a considerable fine.

In this case, the Information Commissioner said, “Personal data is precious and businesses have to look after it.”

Clearview AI Fine: £7.5m (approx.)

The ICO fined Clearview AI just over £7.5m for collecting images from the internet and social media for a global face recognition network. Clearview AI obtained the photos without the consent of individuals. Since their global database contained approximately 20 billion images, this was a significant breach of GDPR rules.

Ticketmaster Fine: £1.25m

The ICO found that Ticketmaster had failed to ensure appropriate security on its electronic payment page on its website. Consequently, hackers obtained sensitive financial information including names, credit card numbers and CVV relating to 1.5 million UK citizens.

The Deputy Commissioner hoped that the £1.25m fine would “send a message to other organisations that looking after their customers’ personal details safety should be at the top of their agenda”.

Cabinet Office Fine: £500k

The ICO awarded this fine to the Cabinet Office for the well-publicised postal address leak of the 2020 New Year Honours recipients. Accordingly, the failure to protect this information led to the leaking of over 1000 home addresses online. Furthermore, many high-profile individuals were among the victims.


Are All ICO Fines Significant?

Not all ICO-issued fines will be significant. However, the examples above reflect the substantial harms caused by data breaches and the ICO’s strict consequences for non-compliance. Accordingly, ensure your business has strong measures in place to store critical data and safely delete information if need be.

For example, ensure your business has:

  • protective passwords to secure information;
  • anti-virus software against potential hackers;
  • clear policies relating to how your business stores, manages and deletes information;
  • procedures for individuals to request information relating to them; and
  • other relevant measures that are reasonable to install.

Data breaches can happen to any business, regardless of its size. On the whole, the surest way to protect yourself and avoid ICO-issued fines is by taking active steps to protect your data.

Key Statistics

  1. £49.6 million: The combined total of the five largest ICO fines issued between 2018 and 2020, with British Airways (£20m) and Marriott Hotels (£18.4m) accounting for 77% of this amount.
  2. 2,562: The number of data breach reports received by the ICO in Q4 2024, representing a 15% increase from 2023, demonstrating growing regulatory scrutiny and enforcement activity.
  3. 72 hours: The mandatory timeframe for organisations to report serious data breaches to the ICO under UK GDPR, with failure to comply potentially resulting in fines of up to £17.5m or 4% of global turnover.

Sources:

  1. Information Commissioner’s Office, Enforcement Action Database and Annual Reports, 2018-2024.
  2. Information Commissioner’s Office, Data Security Incident Trends Report, Q4 2024.
  3. UK GDPR Article 33; and Information Commissioner’s Office, Guide to the UK GDPR: Personal Data Breaches, updated January 2025.

Key Takeaways

The ICO stresses that it will use its powers of financial penalty when justified. The organisation is strict regarding failures in IT security or in noticing cyber attacks. However, the ICO is generally lenient toward smaller companies and businesses it is investigating for the first time.

The best advice to protect your commercial interests and avoid ICO-issued fines is to comply with all data protection rules. You can do this by reviewing the guidance documents on the ICO website, including the ICO Employment Practices Code.

If you need help with data protection rules and ICO investigations into alleged breaches of the GDPR, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced Data, Privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What can my company put forward as mitigating circumstances within any ICO investigation?

Your business could stress that it provides annual staff training on data protection rules, always makes a genuine effort to comply with the GDPR and that the impact of any breach was minor. If true, the ICO may require remedial action or reduce the fine level.

How often does the ICO award monetary penalties?

While it is rare for the ICO to award a maximum fine, it is not averse to punishing organisations for non-compliance with data protection principles. However, if the breach was minor and your company’s first offence, the ICO may choose not to issue a fine.

Are smaller businesses treated differently by the ICO?

Generally yes, the ICO tends to be more lenient towards smaller companies and first-time offenders. However, all businesses regardless of size remain vulnerable to data breaches and should implement appropriate protective measures.

What was the largest fine the ICO has ever issued?

British Airways received the ICO’s largest fine to date – £20m – after a 2018 cyber attack leaked personal and financial details of over 425,000 customers due to inadequate IT security measures.


Saeidul Haque

Senior Associate

Saeidul is a Senior Associate in LegalVision’s UK Employment team. He advises on all aspects of employment law, both contentious and non-contentious. Saeidul has substantial experience in advising employers with day-to-day employment law and HR queries, including but not limited to discrimination, grievances, disciplinary matters, redundancies, tribunal claims and restrictive covenants.

Qualifications: Bachelor of Laws (Hons), Graduate Diploma of Legal Practice.
