The five largest ICO fines since UK GDPR came into force have one thing in common: the underlying failures. Poor access controls, tracking without consent, processing children's data without lawful basis, sending unsolicited marketing. None of it is exotic. They are the same gaps that smaller organisations carry every day.
The major cases
A cyberattack compromised the personal and financial data of approximately 400,000 British Airways (BA) customers. The ICO found that BA had inadequate security measures and failed to detect the attack for two months. The initial monetary penalty notice was £183.39m; the ICO reduced the final fine to £20m after considering the economic impact of the COVID-19 pandemic on the airline. The lesson: the ICO applies aggravating factors for delay in detection and mitigating factors for economic circumstances, but neither eliminates the fine.
A breach affecting approximately 339 million guest records, including 7 million in the UK. The vulnerability originated in the Starwood Hotels database acquired by Marriott in 2016. Marriott failed to carry out adequate due diligence during the acquisition and did not have sufficiently robust security over the merged systems for years after the deal. The ICO considered this a failure of technical and organisational measures under what is now UK GDPR Article 32.
Clearview scraped images from social media to build a facial recognition database without any lawful basis for processing UK residents' data. The ICO ordered Clearview to stop obtaining and using data of UK residents, and to delete existing data. No consent was sought. No legitimate interests assessment was carried out. The company had no UK presence, which did not prevent the ICO from acting. This case established that extraterritorial scraping of UK residents' biometric data falls within UK GDPR scope.
TikTok processed personal data of approximately 1.4 million children under 13 without lawful basis, between May 2018 and July 2020. The ICO found TikTok failed to implement appropriate safeguards to prevent children under the minimum age from creating accounts, and did not take sufficient steps to verify users' ages. The fine — which could have been significantly higher — reflected partial co-operation with the investigation.
Royal Mail sent approximately 97.4 million direct marketing emails and 1.04 billion direct marketing SMS messages to individuals without a valid basis for doing so. This was a PECR breach — marketing communications sent without the required consent. The ICO treats high-volume unsolicited marketing as a serious violation, particularly when conducted by a well-resourced organisation with legal and compliance teams.
What these cases have in common
None of these failures required sophisticated hacking or unusual circumstances. Each came down to one of three things:
- No lawful basis. Processing went ahead without one. This includes analytics that fires before consent, marketing lists used without permission, and biometric data gathered without any user interaction.
- Inadequate technical controls. Security measures that fell below the standard expected for the volume and sensitivity of data being processed. Attackers were able to act for months without detection.
- Failure to account for acquired data. The Marriott case illustrates that when you buy a company, you acquire its data protection liabilities. Due diligence on data practices is now a standard part of M&A.
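The "analytics that fires before consent" failure in the first point is the one most sites can reproduce in a few lines, so here is an added example (not code from the page or from GDPR Radar) contrasting the faulty load-time tracker with one gated on a recorded, purpose-specific consent decision. The `transport` callback stands in for the real analytics request and is an assumption of this example.

```javascript
// Constructed example, not from the original page. Models "tracking before
// consent": a tracker that fires at page load versus one gated on consent.
// `transport` is an assumed stand-in for the real analytics/beacon request.

function createConsentGate(transport) {
  return {
    transport,
    granted: new Set(), // purposes the visitor has actively agreed to
    pending: [],        // events held until consent for their purpose exists
    sent: [],           // audit log of what actually left the site
  };
}

// Faulty pattern: the tracker is wired to fire on page load, so the consent
// banner is decorative; the request has already gone out.
function trackUnconditionally(gate, event) {
  gate.transport(event);
  gate.sent.push({ ...event, consented: gate.granted.has(event.purpose) });
}

// Gated pattern: nothing leaves until consent for that purpose is recorded.
// An event with no declared purpose is rejected, not assumed exempt.
function track(gate, event) {
  if (!event.purpose) throw new Error('tracking event needs a purpose');
  if (gate.granted.has(event.purpose)) {
    gate.transport(event);
    gate.sent.push({ ...event, consented: true });
  } else {
    gate.pending.push(event);
  }
}

// Consent is opt-in and per purpose; on grant, release only matching events.
function grant(gate, purpose) {
  gate.granted.add(purpose);
  const release = gate.pending.filter(e => e.purpose === purpose);
  gate.pending = gate.pending.filter(e => e.purpose !== purpose);
  release.forEach(e => track(gate, e));
}

// Withdrawal: stop future sends and discard anything still queued.
function revoke(gate, purpose) {
  gate.granted.delete(purpose);
  gate.pending = gate.pending.filter(e => e.purpose !== purpose);
}

// What an audit would flag: events that were sent without consent.
function sentWithoutConsent(gate) {
  return gate.sent.filter(e => !e.consented);
}
```

Running the audit helper against the unconditional tracker shows one flagged event; against the gated tracker it shows none, with advertising events dropped on revocation rather than leaking later.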
The pattern for smaller organisations
The ICO does not reserve enforcement for large corporations. It issues enforcement notices to sole traders, SMEs, and charities. The cases that reach the fine stage tend to involve scale, but the underlying failures (missing privacy policies, tracking before consent, no DSAR process, inadequate retention policies) are exactly what the ICO flags in its audit work with smaller organisations.
The ICO's website publishes every enforcement action. It is searchable by sector and type. If your industry appears regularly in the enforcement register, the ICO is actively looking at that sector.
Do you have the vulnerabilities these organisations did?
GDPR Radar scans your site for the specific failures the ICO targets: missing lawful basis, tracking before consent, incomplete privacy notices, absent data subject rights mechanisms.
Find out if your site has the vulnerabilities that led to these fines →