GDPR Enforcement in United Kingdom

Deep dive into relevant data protection enforcement cases and insights from United Kingdom

21 May 2026, Monaco

Main takeaways

Some of the highest data protection fines in the UK continue to be in relation to large-scale personal data breaches, highlighting the importance of appropriate technical and organisational measures.
The regulator has identified three current strategic priority areas: children’s privacy, artificial intelligence and biometrics, and online tracking. Recent enforcement action reflects this focus.
Fines are also frequently issued in relation to non-compliant direct marketing activities. These are often applied following regulator investigations that are triggered by a small number of complaints.
Fines are typically made public on the regulator’s website. They may also be referenced in its social media feeds, press releases and annual report. The information provided can include details such as the name of the organisation, information about the breach, details of the regulator’s investigations and the level of the fine.

Fining practice

Trend: Have the national data protection authorities in the UK focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?

Two of the largest fines imposed by the regulator in the last year were on companies following major cyber incidents that resulted in widespread personal data breaches (Capita, GBP 14 million and Advanced Computer Software, GBP 3.07 million). In those cases, enforcement action was a direct response to significant security failings rather than the regulator targeting any particular sector.

The regulator also has a current focus on safeguarding those most at risk from harm, including children. It has recently reviewed 34 social media and video sharing platforms focusing on issues such as the use of default privacy and geolocation settings, profiling for targeted advertising and age assurance. This work has translated into enforcement action. Specifically, the regulator fined two platforms (Reddit and Imgur) in February 2026 for shortcomings in their handling of children’s personal information and age assurance measures and failure to carry out data protection impact assessments. The fines totalled GBP 14.47 million (Reddit) and GBP 247,590 (Imgur).

The regulator is also continuing a large scale review of cookie compliance across the UK’s most visited websites, with particular focus on ensuring that users are offered meaningful choice and that tracking technologies are not deployed without a valid lawful basis. In connection with this it has contacted 93 organisations about website cookies and taken enforcement action in this space against a betting provider (Sky Betting and Gaming). The provider was reprimanded for sharing personal data with ad tech companies before users could accept or reject advertising cookies.

The regulator takes a hard line on enforcing breaches of ePrivacy legislation against spammers and nuisance callers. For example, in January 2026, it fined Allay Claims Ltd GBP 120,000 and ZMLUK Limited GBP 105,000 for sending millions of unsolicited marketing messages in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR”). Generally, the regulator may take several instances of enforcement action in respect of illegal direct marketing activities per month and in many cases it only takes a small number of complaints (and sometimes just a single complaint) to trigger an investigation.

The Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025 and is being implemented in phases from June 2025. The DUAA amends existing UK data protection and ePrivacy laws, with many key changes already in force. These include an increase in maximum fines for ePrivacy breaches from GBP 500,000 to up to GBP 17.5 million or 4% of annual global turnover (aligning with UK GDPR fines) and a new requirement for online services likely to be used by children to take account of their needs. From 19 June 2026, controllers will be required to acknowledge data protection complaints within 30 days and respond without undue delay. The DUAA will, in addition, begin the restructuring of the regulator by introducing a new body corporate (the Information Commission).

Overall, what was the most significant fine in the UK to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

The two heftiest UK GDPR fines on companies remain those imposed on British Airways (“BA”) (GBP 20 million) and Marriott (GBP 18.4 million) in relation to personal data breaches experienced by each of those companies, whose data had been left vulnerable to attack by hackers due to inadequate security measures. In BA’s case the regulator considered that basic data security measures were not in place and the failures were deemed to be a “serious concern”. However, it significantly reduced both of the fines imposed on BA and Marriott compared with the earlier notices of intent, from GBP 183 million to GBP 20 million for BA, and from GBP 99.2 million to GBP 18.4 million for Marriott. This, in part, reflected the severe financial impact of the COVID-19 pandemic on the travel and hospitality sectors. In BA’s case, the reduction also took account of the prompt steps taken to mitigate the risk of harm to individuals.

There were also class actions brought against these companies on behalf of affected data subjects claiming compensation for losses suffered as a result of their information being compromised. The BA class action, with 16,000 claimants, had been described as “the largest group-action personal-data claim in UK history” and was settled for an undisclosed sum in July 2021.

Organisation of authorities and course of fine proceedings in the UK

How is the data protection authority organised in the UK? Budget, staff, assignment to a ministry?

The regulator is independent, but the Department for Science, Innovation and Technology (“DSIT”) remains its sponsoring department within the UK Government.

The regulator has budgeted income from data protection registration fees for 2025/26 of GBP 95.3 million.

It has also received an indicative grant-in-aid budget settlement from DSIT for 2025/26 of GBP 7.5 million.

As of 31 March 2025, the regulator had 1,051 permanent staff (998.7 full time equivalents).

How does a fine procedure work in the UK? Can the authority impose fines itself? Procedural steps? Legal remedies?

The regulator has the power to issue fines in respect of specific breaches of UK data protection laws. The regulator also has the power to issue a penalty notice for failure to fully comply with an information notice, an assessment notice or an enforcement notice. The regulator is legally required to issue a notice of intent to impose a fine and will generally give the respondent an opportunity to make representations before any final penalty notice is issued.

There is a right of appeal against a penalty notice to the First Tier Tribunal (General Regulatory Chamber). From there, a decision can be appealed on a point of law to the Upper Tribunal and then further on to the Court of Appeal and ultimately to the Supreme Court.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

The regulator is able to retain specified amounts of the funds paid in response to the civil monetary penalties that it issues. Each year, the income from these fines is passed to the UK Government’s Consolidated Fund. However, from 1 April 2022, HM Treasury has allowed the regulator to retain some limited funds to cover pre-agreed, specific and externally audited enforcement and litigation costs. There is a cap on the amount of costs that can be recovered in this way during any one financial year (GBP 7.5 million) and the approach the regulator takes is audited by the National Audit Office.

To raise money to fund its activities, the regulator levies a data protection fee on controllers. This makes up around 85% to 90% of the regulator’s annual budget. The UK Government also contributes grant-in-aid to fund the regulator.

Is there an official calculation methodology for fines in the UK?

The regulator published (in March 2024) fining guidance to provide “clarity and certainty” for organisations. The methodology is fairly complex and includes a five-step approach to calculating the penalty with a starting point based on an assessment of the seriousness of the infringement. Adjustments are then made to consider aggravating and mitigating factors and to ensure the fine is effective, proportionate and dissuasive.

Can public authorities be fined in the UK? If yes: Where does this money go?

Yes, public authorities can be fined in the UK. The money from these fines goes into the UK Government’s Consolidated Fund, which is then distributed as part of wider government spending.

The most recent public authority fine (issued in March 2026) was given to Police Scotland in the sum of GBP 66,000 following its serious mishandling of sensitive personal information. The regulator considered the incident sufficiently serious to warrant a monetary penalty, although it continues to emphasise that, for non-serious cases involving public authorities, it is more likely to issue a public reprimand than a fine. This approach reflects the regulator’s revised public sector enforcement policy, in place since 2022, under which penalties for public bodies are generally reduced to avoid diverting funds away from essential public services.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

Most fines and other enforcement action by the regulator are published on its website, with the name of the organisation, the facts of the breach, details of the investigations conducted and the level of the fine all typically being publicly available. However, the regulator has discretion not to publish such information, for example where doing so would be likely to prejudice ongoing investigations. It will also redact certain information in some cases, for example where this is commercially sensitive.

Fines and enforcement action may also be referenced in the regulator’s annual report and in social media posts and press releases. Companies are usually also identifiable in this context.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Information on individual fines is published by the regulator on its website and is freely accessible. Aggregate information is also set out in the regulator’s annual report, and data security incident trends and figures are displayed on a dashboard on its website.

Other legal consequences of non-compliance in the UK

Does the UK have model declaratory proceedings/class actions in data protection law?

Yes, class actions by groups of data subjects can be brought in the UK. The UK Data Protection Act 2018 currently allows for the representation of data subjects only with their authority.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

Both financial penalties and other forms of enforcement action by the regulator are a key concern for organisations following non-compliance. In practice, an enforcement notice requiring an entity to cease processing that is central to its operations can be equally impactful and, in some cases, more commercially damaging than a monetary fine.

Data subjects may also seek injunctive relief to protect their rights, including interim injunctions, although this has been relatively uncommon to date. In addition, claims for damages continue to present a risk, particularly in the aftermath of high-profile cyber incidents and large-scale data breaches.
