Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, “GDPR” can sometimes feel like a big-company problem - until you have a data incident, a customer complaint, or an unexpected email from the Information Commissioner’s Office (ICO).
One of the most common questions business owners ask is what the maximum fine the ICO can impose under UK GDPR actually is.
It’s a fair question. The maximums are eye-watering, but the real-world answer is a bit more nuanced than just quoting a number. The ICO doesn’t automatically jump to the maximum fine, and it will usually consider the size of your business, what went wrong, and what you did to prevent (and fix) the issue.
Below, we’ll break down the maximum fine amounts, what they mean in practice, how the ICO decides whether to fine you, and the practical steps you can take to reduce your risk.
What Does “Maximum Fine” Mean Under UK GDPR?
When people talk about “the maximum fine”, they usually mean the top-level penalty the ICO is allowed to impose for certain breaches of data protection law.
In the UK, the key legal framework is:
- The UK GDPR (the UK version of the General Data Protection Regulation); and
- The Data Protection Act 2018 (which sits alongside and supplements the UK GDPR).
The “maximum fine” is the ceiling for the most serious infringements. It doesn’t mean:
- you’ll automatically get fined if you make a mistake;
- you’ll automatically get the maximum; or
- the ICO can choose any number without a process.
In reality, the ICO generally uses a stepped approach. It may start with:
- engagement and guidance;
- requests for information;
- an audit or investigation;
- an enforcement notice (telling you to do or stop doing something); and then
- in more serious situations, a monetary penalty.
That said, it’s still important to know the maximums - because they set the risk level and signal how seriously the law treats different kinds of GDPR failures.
What Is The Maximum Fine The ICO Can Impose?
Under UK GDPR, there are two main tiers of maximum fines. Which tier applies depends on the type of breach.
Tier 1: Up To £8.7 Million Or 2% Of Global Annual Turnover
For certain infringements, the ICO can impose fines of up to the higher of:
- £8.7 million; or
- 2% of your total worldwide annual turnover (based on the preceding financial year).
This tier often covers “operational” or compliance-related obligations - still serious, but generally not the most fundamental principles of GDPR.
Examples of issues that can fall into this tier (depending on the details) include failures around:
- processor/controller contracts (for example, not having appropriate terms in place with suppliers who handle personal data);
- security obligations in practice; and
- some record-keeping and internal governance requirements.
Tier 2: Up To £17.5 Million Or 4% Of Global Annual Turnover
For the more serious infringements, the ICO can impose fines of up to the higher of:
- £17.5 million; or
- 4% of your total worldwide annual turnover (based on the preceding financial year).
This is the “headline” maximum most people are referring to when they ask about the maximum fine the ICO can impose.
These higher-tier fines are generally linked to breaches of the core GDPR principles and individual rights, such as:
- processing without a valid lawful basis;
- serious breaches of privacy rights;
- failing to respect core principles like fairness, transparency, and purpose limitation; and
- serious failures involving special category data (like health data) where additional protections apply.
What Does “Global Annual Turnover” Mean For Small Businesses?
Turnover-based fines matter most for larger organisations or corporate groups - because the “percentage of worldwide turnover” can exceed the fixed £17.5m figure.
It’s also worth noting that, in some cases, the turnover the ICO looks at can be based on the wider “undertaking” (for example, a corporate group), rather than just one company in isolation.
For most small businesses, the “£17.5m or 4%” maximum is more of a legal ceiling than a realistic outcome.
But that doesn’t mean GDPR enforcement is “low risk” for SMEs. Even a much smaller fine (or the cost of responding to an investigation) can be disruptive.
Also, the ICO has other tools besides fines, such as enforcement orders and reputational consequences - and these can hit smaller businesses hard.
How Does The ICO Decide The Amount Of A Fine?
The ICO doesn’t just pick a number. It must consider a range of factors set out in UK GDPR and its own regulatory approach.
In plain English, the ICO will usually look at:
1) The Nature And Seriousness Of The Breach
Not all breaches are equal. The ICO will consider things like:
- what kind of personal data was involved (basic contact details vs sensitive health data);
- how many people were affected;
- how severe the impact was (financial harm, distress, identity theft risk); and
- how long the issue continued.
2) Whether It Was Negligent, Reckless, Or Deliberate
Accidents happen - but the ICO will look at whether you took reasonable steps to avoid the problem.
For example, if you had:
- no security measures;
- no staff training;
- no policies; or
- a record of ignoring earlier warning signs,
the ICO may be less sympathetic than if you can show a genuine compliance effort.
3) What You Did To Fix The Issue
When something goes wrong, the steps you take next really matter. The ICO will consider:
- how quickly you contained the problem;
- whether you notified the ICO (where required);
- whether you informed affected individuals where appropriate; and
- what measures you implemented to stop it happening again.
Having a sensible Data Breach Response Plan in place can make a major difference to how quickly and confidently you respond.
4) Your Compliance History And Cooperation
If you’ve been warned before, ignored the ICO, or shown a pattern of non-compliance, that can increase risk.
On the other hand, genuine cooperation - answering requests, being transparent, and taking action - can reduce the likelihood of the ICO escalating matters.
5) The Size And Resources Of Your Business
The ICO often takes proportionality into account. For small businesses, this can mean:
- the ICO may tailor expectations to what is reasonable in your context; but also
- “we’re small” is not a free pass - especially if basic safeguards were missing.
The safest approach is to put in place sensible, scalable compliance foundations from day one.
What GDPR Issues Most Commonly Put Small Businesses At Risk?
Many ICO problems for small businesses don’t come from “bad intentions”. They come from busy teams, unclear processes, and not knowing what counts as personal data (or what you’re allowed to do with it).
Here are some common risk areas we see.
Weak Security Practices
Under UK GDPR, you must implement “appropriate technical and organisational measures” to protect personal data.
For a small business, that often includes basics like:
- strong passwords and multi-factor authentication;
- limiting access to customer databases;
- secure device management (especially if staff work remotely);
- patching and updating software; and
- safe handling of customer documents.
If you’re collecting customer data online, it’s also important that your public-facing documents match what you actually do. A properly drafted Privacy Policy is one of the simplest ways to reduce confusion and complaints.
Poor Data Retention (Keeping Data For Too Long)
Keeping everything “just in case” is a common small business habit - but UK GDPR expects you to keep personal data only for as long as you need it.
If you don’t have clear retention periods, you can end up holding outdated customer records, old CVs, or historic mailing lists that shouldn’t be used anymore.
It’s worth setting a retention schedule early, including guidance on how long you should keep personal data for the different categories you hold.
Marketing Without The Right Consent Or Lawful Basis
Email marketing and lead generation can raise GDPR (and ePrivacy) issues quickly, especially if:
- you bought a list without proper due diligence;
- you can’t prove opt-in consent where it’s needed;
- your unsubscribe process doesn’t work properly; or
- you’re sending marketing to people who only enquired once years ago.
Often, the first sign of trouble is a complaint - which can trigger ICO questions.
Also keep in mind that direct marketing enforcement can sit under related rules like the Privacy and Electronic Communications Regulations (PECR), and fines can be issued under that regime too (separately from UK GDPR).
Not Handling Subject Access Requests Properly
Individuals have rights over their personal data. One of the most well-known is the right to access their data (a “subject access request”).
If your business receives a request and you don’t have a process, it’s easy to miss deadlines or disclose the wrong information.
For employers and businesses holding mixed data, it’s especially important to understand Subject Access Requests and how they work in practice.
Monitoring Staff Or Customers Without Proper Controls
If you use CCTV, device monitoring, or audio recording, you need to be careful - because it’s easy to collect personal data in a way that feels intrusive or disproportionate.
For example, using CCTV with audio can create much higher privacy risk than video alone, and may require stronger justification, clearer notices, and tighter controls.
Even if your intentions are legitimate (security, theft prevention, staff safety), you still need to consider transparency and necessity.
How Can You Reduce Your Risk Of An ICO Fine?
You can’t eliminate risk entirely - but you can reduce it dramatically by putting practical GDPR foundations in place and documenting your decisions.
Here are steps that are typically sensible for small businesses.
1) Map What Personal Data You Collect And Why
You can’t protect what you don’t understand.
Start with a simple list:
- What data do we collect? (names, emails, addresses, payment info, IP addresses, CCTV footage)
- Where does it come from? (website forms, customers, suppliers, staff)
- Why do we collect it? (fulfilling orders, responding to enquiries, marketing, HR)
- Who do we share it with? (couriers, accountants, software providers)
- How long do we keep it?
This is often the quickest way to spot hidden risk (like old spreadsheets, shared inboxes, or unrestricted access).
2) Get Your Customer-Facing Privacy Information Right
Transparency is a core GDPR principle. If you collect personal data, you should be upfront about:
- what you collect;
- why you collect it;
- your lawful basis;
- who you share it with; and
- how people can exercise their rights.
This is where a tailored Privacy Policy helps - especially if you’re running an online store, a service business, or any business using analytics and marketing tools.
3) Put A Plan In Place For Data Breaches
A breach doesn’t always mean “hackers”. It can also mean:
- sending an email to the wrong customer;
- losing a laptop;
- sharing a spreadsheet with incorrect permissions; or
- a staff member accidentally disclosing private data.
Having a Data Breach Response Plan can help you move quickly, preserve evidence, assess whether notification is required, and show the ICO you acted responsibly.
4) Train Your Team (Even Light Training Helps)
Most small business GDPR issues happen day-to-day - in inboxes, shared drives, and routine admin.
Simple training can cover:
- how to spot personal data;
- how to share data safely;
- phishing basics;
- handling subject access requests; and
- who to escalate issues to.
If you have staff using business systems, it’s also worth having clear internal rules on acceptable use, access levels, and security expectations.
5) Review Your Contracts With Suppliers Who Handle Data
If you use third parties to process personal data (for example, cloud storage, email marketing platforms, payroll providers, or customer support systems), you may need appropriate contractual terms in place.
This is especially important when suppliers act as “processors” on your behalf.
It can feel a bit technical, but it’s one of the areas the ICO expects businesses to take seriously - and it’s a common gap for growing SMEs.
6) Consider A GDPR Compliance Package If You’re Scaling
Once your customer base grows, the cost of getting GDPR wrong tends to grow too. It’s not just about fines - it’s operational disruption, lost trust, and time away from running the business.
Putting a structured GDPR Package in place can help you cover the essentials in a way that matches how your business actually operates.
And if you’re unsure what “good enough” looks like for your size and industry, it’s worth getting tailored advice. A small upfront investment often prevents expensive clean-up later.
Key Takeaways
- The maximum fine the ICO can impose under UK GDPR depends on the category of breach: up to £8.7 million or 2% of worldwide annual turnover for some infringements, and up to £17.5 million or 4% of worldwide annual turnover for the most serious ones.
- The ICO doesn’t automatically issue maximum fines - it considers severity, intent, mitigation steps, your compliance history, and proportionality.
- Small businesses are commonly exposed through basic gaps like weak security, unclear retention periods, marketing compliance issues, and poor handling of subject access requests.
- Practical steps like a clear Privacy Policy, a breach response process, supplier contract checks, and simple staff training can significantly reduce risk.
- If you’re scaling, documenting your GDPR approach (and getting professional support where needed) can help you stay compliant and show the ICO you’ve taken your obligations seriously.
This article is general information only and isn’t legal advice. If you’d like help with GDPR compliance or responding to a data protection issue, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.