Most teams don’t plan to fall behind on compliance.
Budgets are tight, other priorities take over, and it’s easy to put things on hold. But it’s worth asking: what’s the cost of doing nothing? 💸
Over the past year, the ICO has dished out 40 enforcements, including 17 monetary fines, totalling almost £37 million. And that figure doesn’t account for the wider costs: reputational damage, lost trust, operational disruption…
Let’s take a look at the monetary penalties that have been dished out so far 👀
Last updated: 26th March 2026
Company: Reddit
Sector: Online technology and telecoms
Fine: £14,472,500
Issue: Infringing Articles 5(1)(a), 6, and 8, and Article 35 of the UK GDPR
Overview: Failed to apply any robust age assurance mechanism and therefore did not have a lawful basis for processing the personal information of children under the age of 13; and failed to carry out a data protection impact assessment to assess and mitigate risks to children before January 2025.
Date: 23 February 2026
Information: https://ico.org.uk/action-weve-taken/enforcement/2026/02/reddit-inc/
Company: MediaLab.AI Inc.
Sector: Online technology and telecoms
Fine: £247,590
Issue: Infringements of Articles 5(1)(a), 6, 8 and 35 UK GDPR
Overview: MediaLab did not have a valid lawful basis for processing the personal data of children under the age of 13 and thus processed their personal data unlawfully.
Date: 4 February 2026
Information: https://ico.org.uk/action-weve-taken/enforcement/2026/02/medialabai-inc/
Company: Allay Claims Ltd
Sector: Finance insurance and credit
Fine: £120,000
Issue: Contravention of Regulation 22 of PECR
Overview: Sent a large volume of unsolicited SMS messages promoting PPI tax refund services.
Date: 15 January 2026
Information: https://ico.org.uk/action-weve-taken/enforcement/2026/01/allay-claims-ltd-en/
Company: Police Service of Scotland
Sector: Criminal justice
Fine: £66,000
Issue: Infringed sections 35 and 37 of the DPA and Articles 5(1)(f), 32(1), 5(1)(c), 25(1)-(2) and 33 UK GDPR
Overview: Serious failures in the handling of sensitive personal information.
Date: 12 December 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/12/police-service-of-scotland/
Company: ZMLUK Limited
Sector: Marketing
Fine: £105,000
Issue: Contravention of Regulation 22 of PECR
Overview: Sending unsolicited emails promoting energy saving products.
Date: 11 December 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/12/zmluk-limited/
Company: LastPass UK Ltd
Sector: Online technology and telecoms
Fine: £1,228,283
Issue: Infringements of Article 5(1)(f) and Article 32(1)(f) UK GDPR
Overview: Failure to implement appropriate technical and organisational security measures allowed a threat actor to exfiltrate personal data relating to approximately 1.6 million UK customers from its backup database.
Date: 20 November 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/11/lastpass-uk-ltd/
Company: Lead Pronto Ltd
Sector: Marketing
Fine: £30,000
Issue: Contravention of Regulation 22 of PECR
Overview: Sending unsolicited SMS promoting Government funded boiler grants.
Date: 6 November 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/11/lead-pronto-ltd-1/
Company: Capita plc and Capita Pension Solutions Ltd
Sector: Various
Fine: £14,000,000
Issue: Capita infringed Articles 5(1)(f), 32(1) and 32(2) UK GDPR, and CPSL infringed Articles 32(1) and 32(2) UK GDPR.
Overview: Capita had failed to apply appropriate technical and organisational security measures to its systems, meaning it was in breach of its obligation as to data security in respect of the Incident that occurred.
Date: 15 October 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/10/capita-plc/
Company: Bharat Singh Chand
Sector: Self-employed lead generator
Fine: £200,000
Issue: Breach of regulations 22 and 23 of PECR
Overview: Sent or instigated the sending of 966,449 direct marketing SMS messages, which resulted in 19,138 complaints to the 7726 spam reporting service.
Date: 16 September 2025
Information: https://ico.org.uk/action-weve-taken/enforcement/2025/09/bharat-singh-chand-1/
Company: Green Spark Energy Ltd
Sector: Utilities
Fine: £250,000
Issue: Serious contravention of regulations 19 and 24 of the PECR
Overview: GSE instigated the transmission of 9,587,050 communications comprising recorded matter for direct marketing purposes by means of an automated calling system, which resulted in 497 complaints being made to the TPS and the ICO reporting tools.
Date: 28 August 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/09/green-spark-energy-ltd-monetary-penalty-notice/
Company: Home Improvement Marketing Ltd
Sector: Utilities
Fine: £300,000
Issue: Serious contravention of regulations 19 and 24 of the PECR
Overview: HIML instigated the transmission of 2,449,380 automated marketing calls to subscribers without their prior consent, which resulted in 274 complaints being made to the TPS and the ICO reporting tools.
Date: 28 August 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/09/home-improvement-marketing-ltd-monetary-penalty-notice/
Company: Birthlink
Sector: Charitable and voluntary
Fine: £18,000
Issue: Contravened Articles 5(1)(f) and 32(1)-(2) of the UK GDPR
Overview: Destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable.
Date: 24 June 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/06/birthlink/
Company: 23andMe
Sector: General business
Fine: £2,310,000
Issue: Infringements of Articles 5(1)(f) and 32(1) of the UK GDPR between
Overview: 23andMe failed to implement appropriate security measures to protect the personal information of 155,592 UK users, following a large-scale cyber attack.
Date: 5 June 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/06/23andme/
Company: Darian Bishop trading as ECO4U
Sector: General business
Fine: £50,000
Issue: Serious contravention of regulations 21 and 24 of the PECR
Overview: 194,110 unsolicited direct marketing calls made to subscribers who were registered with the TPS and who had not notified Darian Bishop that they were willing to receive such calls. This resulted in 21 complaints which were submitted to the Commissioner and the TPS.
Date: 24 April 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/05/darian-bishop-trading-as-eco4u-mpn/
Company: DPP Law Ltd
Sector: General business
Fine: £60,000
Issue: Infringements of Articles 5(1)(f), 32(1), 32(2) and 33(1) of the UK GDPR
Overview: Failed to implement appropriate security controls, allowing a cyber attack to expose highly sensitive personal data. The firm also delayed breach notification, taking 43 days instead of the required 72 hours.
Date: 14 April 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/04/dpp-law-ltd/
Company: AFK Letters Co Ltd
Sector: General business
Fine: £90,000
Issue: Serious contravention of regulation 21 of the PECR
Overview: AFK made 95,277 spam calls resulting in several complaints being made to the ICO and TPS. AFK did not provide evidence that anyone whose number had been called had consented to receiving calls from the company.
Date: 27 March 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/04/afk-letters-co-ltd-mpn/
Company: Advanced Computer Software Group Limited
Sector: General business
Fine: £3.07m
Issue: Infringement of Article 32(1) UK GDPR
Overview: Security failings that put the personal information of 79,404 people at risk.
Date: 26 March 2025
More information: https://ico.org.uk/action-weve-taken/enforcement/2025/03/advanced-computer-software-group-limited/
You can see all the ICO’s enforcement actions on their website.