Since GDPR came into force in 2018, the Information Commissioner's Office has issued hundreds of fines to UK businesses of all sizes. Many business owners assume GDPR enforcement is reserved for large corporations — but that assumption is increasingly wrong.
The Scale of GDPR Fines
Under UK GDPR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious violations. For less severe infringements, fines of up to £8.7 million or 2% of turnover apply.
Some notable UK fines include:
- British Airways — £20 million for a data breach affecting 400,000 customers
- Marriott Hotels — £18.4 million for a data breach
- Clearview AI — £7.5 million for unlawful processing of facial recognition data
- Easylife — £1.35 million for using customer purchase data to infer health conditions without consent
But fines aren't just for large companies. The ICO has issued fines to small businesses, sole traders, and charities for violations including unlawful email marketing, inadequate privacy policies, and failure to respond to data subject access requests.
Common Reasons Businesses Get Fined
The most common GDPR violations that lead to ICO action against smaller businesses include:
- Sending marketing emails without valid consent
- Using cookies without proper consent mechanisms
- Failing to respond to data subject access requests within 30 days
- Inadequate security leading to data breaches
- Sharing personal data with third parties without a lawful basis
- Not having a compliant privacy policy
How ICO Investigations Start
Most ICO investigations are triggered by complaints from members of the public. A dissatisfied customer, a competitor, or simply someone who notices your cookie banner isn't compliant can file a complaint with the ICO at no cost to them.
Once a complaint is filed, the ICO will contact you and request information. If they find a violation, they can issue a formal warning, an enforcement notice, or a monetary penalty.
Beyond Fines — Reputational Damage
ICO enforcement notices and fines are published on the ICO website. For a small business, the reputational harm of appearing on that list can outweigh the fine itself.
GDPR compliance is also increasingly a factor in B2B relationships. Larger businesses are now routinely asking suppliers and partners to demonstrate their data protection practices before signing contracts.
The Cost of Compliance vs The Cost of Non-Compliance
For most small business websites, getting compliant doesn't require expensive legal advice. It requires understanding what your site does, ensuring you have the right policies in place, and implementing proper consent mechanisms.
A ClearlyCompliant report tells you exactly where your site stands for £29.99 — a fraction of the cost of even the smallest ICO fine.
Is Your Website GDPR Compliant?
Find out in minutes with our automated compliance report. 23 checks, AI-powered policy analysis, detailed PDF report — £29.99.