UK

How much can the ICO fine a company for a GDPR breach?

Key figures

- £17.5 million: maximum fine
- 4%: of global annual turnover
- 2 tiers: fine categories
- s. 157: Data Protection Act 2018 section

The Short Answer

The ICO can fine a company up to £17.5 million or 4% of its global annual turnover — whichever is higher — for the most serious GDPR breaches.

What the Law Says

The Data Protection Act 2018 gives the Information Commissioner’s Office (ICO) its enforcement powers for breaches of data protection law in the UK, including the UK GDPR.

Under section 157 of the Data Protection Act 2018, the ICO has the power to issue monetary penalties for failures to comply with data protection principles, security obligations, or breach notification requirements.

The amount of the penalty depends on the seriousness of the breach, the nature of the personal data involved, whether the breach was intentional or negligent, and the organisation’s efforts to mitigate harm.

Penalties are split into two tiers: the lower tier applies to less serious breaches (e.g., record-keeping failures) and carries a maximum of £8.7 million or 2% of global annual turnover; the higher tier applies to the most serious violations (e.g., failing to uphold core GDPR principles) and carries a maximum of £17.5 million or 4% of global annual turnover — whichever is higher.

Statutory Text

The Commissioner may serve a notice imposing a monetary penalty on a person if the Commissioner is satisfied that the person has committed a relevant infringement.

Data Protection Act 2018, s. 157 — Power to impose monetary penalties

What to Do

1. Assess whether your organisation has experienced a personal data breach that meets the threshold for reporting under UK GDPR (i.e., likely to result in risk to individuals’ rights and freedoms).

2. Notify the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in such risk.

3. Document the breach thoroughly, including its cause, scope, impact, and remedial actions taken.

4. Cooperate fully with any ICO investigation — transparency and prompt action can reduce the likelihood or size of a penalty.

5. Review and update your data protection policies, staff training, and technical measures to prevent future breaches.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.