Skip to content

What Are the Biggest Fines Handed Down by the ICO in England?

Table of Contents

The General Data Protection Regulation (GDPR) is England’s primary source of data protection rules. Therefore, it is essential for your business to comply with GDPR rules to avoid receiving a fine. The Information Commissioner’s Office (ICO) is an independent body empowered to fine organisations breaching the GDPR. This article will explore some of the largest fines the ICO has issued to organisations in recent years. While the large fines detailed in this article are rare, your business should consider precautionary measures you can implement to avoid committing a significant personal data breach.

When Will the ICO Issue Fines?

The GDPR is essential to UK law and data and privacy protection. Consequently, any severe breach should result in serious consequences. The Information Commissioner’s Office (ICO) is the primary body responsible for investigating data breaches and handing down fines. 

The ICO may issue a fine against your company if it:

  • commits a data breach involving the personal data of individuals;
  • carries out unlawful monitoring of staff and third parties on your premises;
  • stores sensitive information for too long without good reason;
  • fails to answer or correctly process Subject Access Requests (SARs);
  • fails to report a serious data breach to the ICO within 72 hours;
  • fails to store personal information concerning staff and customers safely; or
  • unlawfully leaks personal or sensitive information to others without the consent of the individuals it belongs to. 

Largest Fines Awarded by the ICO 

Currently, the five largest fines issued by the ICO for breach of data protection law add up to nearly £50m. That is a sizeable proportion of the annual global turnover for the organisations affected. The ICO chose those figures to deter organisations from failing to take sufficient security measures concerning customer data in the future.

Let us run through each fine and the nature of the UK GDPR breach below.

British Airways Fine: £20m

The ICO found that British Airways lacked adequate security measures to guard against cyber attacks. Eventually, this led to a cyber attack in 2018, which took British Airways over two months to find. Here, the fine was so significant because adequate IT security would have prevented the cyber attack, which subsequently leaked the personal and financial details of more than 425,000 customers.

This currently stands as the ICO’s largest fine to date.

Marriott Hotels Fine: £18.4m

In 2018, the ICO discovered that a 2014 cyber attack had leaked 339 million guest records worldwide. They concluded that Marriott Hotels failed to protect the stolen data adequately. Given that the stolen information contained names, phone numbers, email addresses and passport numbers, the ICO felt it essential to provide a considerable fine.

In this case, the Information Commissioner said, “Personal data is precious and businesses have to look after it.”

Clearview AI Fine: £7.5m (approx.)

The ICO fined Clearview AI just over £7.5m for collecting images from the internet and social media for a global face recognition network. Clearview AI obtained the photos without the consent of individuals. Since their global database contained approximately 20 billion images, this was a significant breach of GDPR rules.

Ticketmaster Fine: £1.25m

The ICO found that Ticketmaster had failed to ensure appropriate security on its electronic payment page on its website. Consequently, hackers obtained sensitive financial information including names, credit card numbers and CVV relating to 1.5 million UK citizens.

The Deputy Commissioner hoped that the £1.25m fine would “send a message to other organisations that looking after their customers’ personal details safety should be at the top of their agenda”.

Cabinet Office Fine: £500k

The ICO awarded this fine to the Cabinet Office for the well-publicised postal address leak of the 2020 New Year Honours recipients. Accordingly, the failure to protect this information led to the leaking of over 1000 home addresses online. Furthermore, many high-profile individuals were among the victims.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Are All ICO Fines Significant?

Not all ICO-issued fines will be significant. However, the examples above reflect the substantial harms caused by data breaches and the ICO’s strict consequences for non-compliance. Accordingly, ensure your business has strong measures in place to store critical data and safely delete information if need be.

For example, ensure your business has:

  • protective passwords to secure information;
  • anti-virus software against potential hackers;
  • clear policies relating to how your business stores, manages and deletes information;
  • procedures for individuals to request information relating to them; and
  • other relevant measures that are reasonable to install.

Data breaches can happen to any business, regardless of its size. On the whole, the surest way to protect yourself and avoid ICO-issued fines is by taking active steps to protect your data.

Key Takeaways

The ICO stresses that it will use its powers of financial penalty when justified. The organisation is strict regarding failures in IT security or noticing cyber attacks. However, the ICO are generally lenient toward smaller companies and businesses they are investigating for the first time.

The best advice to protect your commercial interests and avoid ICO-issued fines is to comply with all data protection rules. You can do this by reviewing the guidance documents on the ICO website, including the ICO Employment Practices Code.

If you need help with data protection rules and ICO investigations into alleged breaches of the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What can my company put forward as mitigating circumstances within any ICO investigation?

Your business could stress that it provides annual staff training on data protection rules, always makes a genuine effort to comply with the GDPR and that the impact of any breach was minor. If true, the ICO may require remedial action or reduce the fine level.

How often do the ICO award monetary penalties?

While it is rare for the ICO to award a maximum fine, they are not averse to punishing organisations for non-compliance with data protection principles. However, if the breach was minor and your company’s first offence, the ICO may choose not to issue a fine.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards