UK ICO GDPR enforcement actions
A neutral, factual record of how the UK Information Commissioner's Office enforces data protection law. This tracker aggregates 150 published ICO actions — 50 monetary penalties totalling £41,682,773, plus 50 reprimands, 44 enforcement notices and 5 prosecutions — broken down by sector and year.
By the numbers
Totals computed directly from the published ICO actions in this dataset (8 Jun 2023 to 29 May 2026).
GDPR fine risk by sector
Pick a sector to see the ICO actions actually recorded against it. Every figure is a published outcome from the dataset — this is a factual lookup, not a predictive score.
See the ICO actions actually recorded against this sector in the dataset. All figures are published ICO outcomes — not a prediction.
- Share of this sector's actions that were monetary penalties
- 45%
- Share of all recorded fines in this dataset
- 2%
Across the 150 actions in this dataset, the ICO recorded 50 monetary penalties totalling £41,682,773. Reprimands, enforcement notices and prosecutions carry no ICO fine and are counted as actions only. These are historical published outcomes and do not indicate the likelihood of any future action.
Browse by sector
Marketing
20 actions · 9 penalties · £855,000 in fines
Finance insurance and credit
19 actions · 8 penalties · £675,000 in fines
Criminal justice
16 actions · 1 penalties · £750,000 in fines
General business
16 actions · 8 penalties · £5,865,000 in fines
Local government
11 actions · 0 penalties · £0 in fines
Health
9 actions · 0 penalties · £0 in fines
Utilities
8 actions · 5 penalties · £1,703,900 in fines
Online technology and telecoms
5 actions · 4 penalties · £16,018,373 in fines
Central government
4 actions · 1 penalties · £350,000 in fines
Charitable and voluntary
3 actions · 2 penalties · £25,500 in fines
Retail and manufacture
3 actions · 2 penalties · £180,000 in fines
Education and childcare
2 actions · 0 penalties · £0 in fines
Legal
2 actions · 0 penalties · £0 in fines
Land or property services
1 actions · 0 penalties · £0 in fines
Media
1 actions · 0 penalties · £0 in fines
Monetary penalties, Criminal justice
1 actions · 0 penalties · £0 in fines
Political
1 actions · 0 penalties · £0 in fines
Transport and leisure
1 actions · 0 penalties · £0 in fines
Most recent actions
The 25 most recently published ICO actions in this dataset. Each row links to the original ICO notice.
| Date | Organisation | Action | Fine | Sector | Source |
|---|---|---|---|---|---|
| 29 May 2026 | Debbie Okparavero and Maliha Islam - Proceeds of Crime Act | Prosecution | — | — | ICO notice |
| 15 May 2026 | Rizwan Manjra - Proceeds of Crime Act | Prosecution | — | — | ICO notice |
| 7 May 2026 | South Staffordshire Plc and South Staffordshire Water Plc | Monetary penalty | £963,900 | Utilities | ICO notice |
| 21 Apr 2026 | SA Assistance Ltd | Enforcement notice | — | General business | ICO notice |
| 30 Mar 2026 | Energy Prices Direct Limited | Monetary penalty | £160,000 | Utilities | ICO notice |
| 23 Feb 2026 | Reddit, Inc. | Monetary penalty | £14,472,500 | Online technology and telecoms | ICO notice |
| 20 Feb 2026 | The Commissioner of Police for the City of London | Reprimand | — | Criminal justice | ICO notice |
| 11 Feb 2026 | Christopher Munro and William Chipoma | Prosecution | — | — | ICO notice |
| 4 Feb 2026 | MediaLab.AI, Inc. | Monetary penalty | £247,590 | Online technology and telecoms | ICO notice |
| 3 Feb 2026 | TMAC Ltd | Enforcement notice | — | General business | ICO notice |
| 3 Feb 2026 | TMAC Ltd | Monetary penalty | £100,000 | General business | ICO notice |
| 15 Jan 2026 | Allay Claims Ltd | Enforcement notice | — | Finance insurance and credit | ICO notice |
| 15 Jan 2026 | Allay Claims Ltd | Monetary penalty | £120,000 | Finance insurance and credit | ICO notice |
| 16 Dec 2025 | Staines Health Group | Reprimand | — | Health | ICO notice |
| 12 Dec 2025 | Police Service of Scotland | Reprimand | — | Monetary penalties, Criminal justice | ICO notice |
| 11 Dec 2025 | ZMLUK Limited | Monetary penalty | £105,000 | Marketing | ICO notice |
| 2 Dec 2025 | Post Office Limited | Reprimand | — | — | ICO notice |
| 20 Nov 2025 | LastPass UK Ltd | Monetary penalty | £1,228,283 | Online technology and telecoms | ICO notice |
| 6 Nov 2025 | Lead Pronto Ltd | Monetary penalty | — | Marketing | ICO notice |
| 6 Nov 2025 | Lead Pronto Ltd | Enforcement notice | — | Marketing | ICO notice |
| 15 Oct 2025 | Capita plc and Capita Pension Solutions Ltd | Monetary penalty | £14,000,000 | — | ICO notice |
| 9 Oct 2025 | South Wales Police | Enforcement notice | — | Criminal justice | ICO notice |
| 8 Oct 2025 | Qonain Hussain | Prosecution | — | — | ICO notice |
| 16 Sept 2025 | Bharat Singh Chand | Monetary penalty | £200,000 | — | ICO notice |
| 16 Sept 2025 | Bharat Singh Chand | Enforcement notice | — | — | ICO notice |
Source: ICO (Information Commissioner's Office) — Enforcement action. Contains public sector information licensed under the Open Government Licence v3.0. Showing 150 of 210 published actions, retrieved 2026-06-18. Figures are historical ICO outcomes presented neutrally and are not legal advice.
GDPR enforcement FAQ
- What is the UK ICO and what enforcement powers does it have?
- The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator. Under the UK GDPR, the Data Protection Act 2018 and PECR it can issue monetary penalties (fines), reprimands, enforcement notices requiring specific action, and bring prosecutions. Not every action carries a fine — reprimands, enforcement notices and prosecutions are recorded as actions without an ICO monetary penalty.
- How large can a UK GDPR fine be?
- Under the UK GDPR the maximum penalty for the most serious infringements is the higher of £17.5 million or 4% of total annual worldwide turnover. Less serious infringements are capped at the higher of £8.7 million or 2% of turnover. Actual fines published by the ICO vary widely with the facts of each case.
- Which sectors see the most ICO enforcement action?
- In this dataset, marketing, finance/insurance/credit, criminal justice, general business and local government appear most frequently. The by-sector pages show the exact recorded action count and total fines for each sector — see the breakdown below.
- Where does this enforcement data come from?
- Every action is taken from the ICO’s published "Action we’ve taken" enforcement listing and the linked Monetary Penalty Notices. Fine amounts are recorded only where the ICO confirms a monetary penalty figure. The data is licensed under the Open Government Licence v3.0 and presented neutrally.
- How can a business reduce its GDPR fine risk?
- The articles most cited in these notices — Article 5(1)(f) and Article 32 (security of processing) and PECR regulation 22 (direct marketing consent) — point to the same fundamentals: a lawful basis for every processing activity, demonstrable security controls, valid consent for marketing, and a tested breach-response process. A structured GDPR audit maps your data flows against these obligations and produces a prioritised remediation plan.
Stay off the ICO's enforcement list
GeraCompliance's fixed-scope GDPR sprint maps your data flows, finds your gaps against the same articles cited in these notices, and gives you a prioritised remediation plan — in days, not months.