Three years of enforcement data from the UK's Information Commissioner's Office tell a consistent story: the era of many small fines is giving way to fewer but substantially larger ones. An analysis of ICO enforcement records by cybersecurity consultancy Bridewell, published this week, puts the increase at 370% in average penalty value since 2023.
The pattern is not linear. 2024 was the low point — 17 penalties totalling just £2.5 million, with the single largest fine being £750,000 issued to the Police Service of Northern Ireland for an unauthorised disclosure of officer and staff data in a Freedom of Information request. The number of penalties had already dropped from 22 in 2023, when a £12.7 million fine against TikTok for failures in children's data protection skewed the average upward.
By 2025, enforcement had intensified. Fourteen penalties generated a combined £21.7 million — the highest single-year total in the dataset — with a £14 million fine against Capita for its mishandling of a cyberattack that compromised the personal data of more than six million people. 2026 has continued that direction. Five penalties issued through May exceed £15 million in total, with Reddit's £14.4 million fine for failing to verify users' ages and thereby unlawfully processing children's data accounting for the bulk.
Sector breakdowns reveal different enforcement profiles. Marketing has accumulated 17 penalties since 2023, more than any other industry, but with an average fine of £106,765 it faces comparatively small actions. Online technology and telecoms companies tell the opposite story: five penalties averaging £5.7 million each, driven by cases involving children's data and significant technical failures.
Monetary penalties are only part of the ICO's enforcement toolkit. Since 2023, it has also issued 49 enforcement notices and 65 reprimands alongside the 58 monetary penalties, a pattern that suggests the regulator is reserving financial penalties for the most serious or repeated breaches while using other instruments more broadly.
"Although the rise in average fines is significant, it reflects a more targeted approach from the ICO rather than just an increase in enforcement activity. There's a strong emphasis emerging around areas like children's privacy, the safe use of AI, and nuisance communications, and with expanded powers now available, organisations need to be prepared for a more proactive regulator," said Chris Linnell, Associate Director of Data Privacy at Bridewell.
"The key point many organisations overlook is that the size of a fine isn't driven by the incident alone. The ICO places a significant amount of weight on how well accountability is demonstrated. That means having controls that are genuinely embedded across people, processes and technology — and being able to evidence that they are working effectively in practice."
Bridewell's analysis covered all published ICO enforcement records between 2023 and May 2026, drawn from the ICO Enforcement Register.



