Fewer fines, much bigger bills: ICO penalties averaged £3.2m in 2026, up from £675k three years ago

Analysis by cybersecurity firm Bridewell, drawn from the ICO Enforcement Register (data correct as of 11 May 2026), tracks 58 monetary penalties issued since 2023, totalling over £55 million. The shift is not in volume — the number of penalties has fallen 36% over the period — but in size: the average fine has risen from just over £675,000 in 2023 to almost £3.2 million so far in 2026, a 370% increase.

Year by year, the pattern is uneven. In 2023, 22 fines totalled £15 million, dominated by a £12.7 million penalty against TikTok for unlawfully processing children's data. The following year was the quietest in the period: 17 fines added up to just £2.5 million, the largest a £750,000 penalty against the Police Service of Northern Ireland for an inadvertent disclosure of officer details in response to an FOI request. In 2025 the trend reversed sharply: 14 fines generated £21.7 million, the highest annual total in the period, led by a £14 million fine against Capita for failing to contain a cyberattack that exposed the data of over six million individuals.

The sector split is stark. Online tech and telecoms companies account for just five of the 58 penalties but carry the highest average fine at £5.7 million. The marketing sector accounts for 17 penalties but at an average of £106,765.

Alongside monetary penalties, the ICO has issued 49 enforcement notices and 65 reprimands since 2023, with three prosecutions. The mix suggests the regulator is reserving large fines for the most serious failures while using other tools for lesser violations.

Chris Linnell, Associate Director of Data Privacy at Bridewell, said the trend reflects precision rather than aggression: "Although the rise in average fines is significant, it reflects a more targeted approach from the ICO rather than just an increase in enforcement activity. There's a strong emphasis emerging around areas like children's privacy, the safe use of AI, and nuisance communications, and with expanded powers now available, organisations need to be prepared for a more proactive regulator."

On what organisations get wrong: "The key point many organisations overlook is that the size of a fine isn't driven by the incident alone. The ICO places a significant amount of weight on how well accountability is demonstrated. That means having controls that are genuinely embedded across people, processes and technology — and being able to evidence that they are working effectively in practice."

Reddit's £14.4 million fine, for failing to verify users' ages and thereby unlawfully processing children's data, is the largest the ICO has issued in 2026 to date. If the current trajectory holds, 2026 will surpass 2025's record total with considerably fewer penalties.

To stay across the latest in cloud, AI and enterprise tech analysis from Compare the Cloud, subscribe to our weekly newsletter at https://www.comparethecloud.net/newsletter