Analysis of Enforcement Action by the ICO in 2025 – Enforcement way down, fines way up

Stuart Skelly
Senior Consultant at URM
PUBLISHED on 26 January 2026
SUMMARY

In this blog, we review the ICO’s enforcement activity in 2025, highlighting a sharp decline in the overall number of actions alongside a significant increase in the value of fines issued.  We explore how private sector organisations made up a far greater share of GDPR/DPA enforcement than in 2024, and how the year saw some of the largest security-related fines ever imposed by the ICO.  The analysis also considers shifting regulatory priorities, and what these trends indicate about the ICO’s evolving enforcement posture and the implications for organisations seeking to maintain compliance.

Maintaining an awareness of regulatory enforcement trends can be invaluable for organisations looking to achieve, strengthen and maintain data protection compliance.  The action taken by the Information Commissioner’s Office (ICO) highlights both its enforcement priorities and the recurring pitfalls that organisations across sectors need to avoid in their efforts to comply with the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications Regulations (PECR).

As such, URM has conducted another review and analysis of the fines imposed by the ICO from 1 January to 31 December 2025, and has also assessed whether any meaningful differences can be identified when compared with 2024.  The findings indeed show a clear shift: the enforcement profile for 2025 differs markedly from that of the preceding year.

The most eye-catching trend is the marked drop-off in enforcement activity by the regulator generally, but when the ICO did take action, particularly fining action, it made it count – issuing proportionately more fines linked to non-compliance with the UK GDPR and the DPA than in the previous year. This included four of the largest fines it has ever imposed (all against private sector organisations, following cyber attacks and data losses, reinforcing the need for robust technical and organisational measures (TOMs)) in a single year.

Overview

As a reminder and comparison, 2024 saw a total of 62 instances of enforcement action (fines, reprimands and enforcement notices) taken against 47 organisations (including 8 police forces or other law enforcement agencies).  For a full breakdown and evaluation of these actions, read our Analysis of Fines Imposed by the Information Commissioner’s Office in 2024.

However, as demonstrated by the above graphic, there were only 31 occasions on which the ICO took enforcement action in 2025, half the number recorded in the previous year.  Of the 7 public sector organisations enforced against, 3 were police forces, with one force, Greater Manchester Police, receiving two reprimands in the space of 6 months.  So, the police were again overrepresented in the figures, although to a lesser extent than in 2024.

17 of the 31 actions were taken for breaches of the DPA and UK GDPR (so over half of the instances of enforcement, broadly the same proportion as in 2024).  A breakdown of these actions can be found in the graphic below.

The number of GDPR/DPA-related enforcement actions last year was down by nearly a half on 2024, with a much higher proportion of private sector businesses represented.  So, in addition to the major decline in enforcement activity year on year, another startling turnaround from 2024 was in the composition of the entities enforced against under UK GDPR/DPA: in the previous year, private sector organisations comprised only around one eighth of the total, whereas in 2025 the proportion soared to nearly one half.

As with 2024, however, only organisations which committed PECR breaches received more than one action of enforcement against them for a single contravention, with 6 companies receiving both a fine and an enforcement notice.

Number of Fines and Sector Focus

In 2025, the regulator issued, or supported the courts in issuing, 15 fines.  While this represents a further decrease compared with 2024, the reduction was not proportionate to the sharp decline in overall enforcement activity.  This may reflect the regulator’s continuing focus on tackling poor marketing practices in the energy and home improvements sectors.  In another contrast with 2024, only one of these monetary penalties was applied to a public (or quasi-public) body, a charity called Birthlink.  At £18,000, this fine was relatively small.  The ICO departed from its usual policy of not fining public entities in this case because the breach – the unnecessary destruction of thousands of adoption records, many of which were irreplaceable – was both highly avoidable and resulted in serious and permanent harm.

Aside from this outlier fine for Birthlink, it could be argued that the ‘public sector approach’ adopted by the ICO in 2022 is having the intended effect.  This is reflected in the marked reduction in enforcement activity generally, and the substantially lower number of public authorities receiving enforcement for breaches of DPA/UK GDPR, both in absolute terms and relative to the number of private organisations being punished for breaking privacy legislation.  This certainly was the Information Commissioner’s response when this question, forwarded by URM to the ICO before its Data Protection Practitioners’ Conference in October 2025, was put to John Edwards at the start of the conference.  However, it is interesting to note that, though enforcement action dropped off materially, this reduction did not correspond with any material decrease in the number of complaints submitted to the regulator.  In fact, in 2024/25 the ICO received over 42,300 data protection-related complaints, which represents an actual increase of around 2,500 complaints on the previous year.

The fall-off in enforcement action was far from welcomed in some quarters.  Towards the end of last year, a number of civil society groups, academics and lawyers wrote to the Chair of the parliamentary Science, Innovation and Technology Committee calling for an inquiry into what they called a ‘collapse’ in ICO enforcement activity.  The letter was prompted in part by the ICO’s 2025 decision to not investigate the Ministry of Defence (MoD) following a severe data breach (the second such breach the MoD had suffered) that saw the leaking of details of over 19,000 Afghans fleeing the Taliban, an incident that led to an unprecedented superinjunction being obtained by the UK Government which was lifted earlier in 2025.  The regulator’s decision not even to investigate the MoD over this very serious unauthorised disclosure, let alone pursue any formal action against it, is described in the letter as ‘extraordinary’ and as the latest example of the ICO failing adequately to respond to ‘egregious’ data breaches in the public sector, leaving no effective deterrence/incentive for public bodies to improve their data management.

UK GDPR Security-Related Breaches Receive Biggest Fines, and PECR Infringements Penalised Much Less than in 2024

The largest fines of 2025 were the £14m, £3.07m, £2.31m and £1.23m monetary penalties imposed, respectively, on 2 companies in the Capita group (Capita plc and Capita Pension Solutions Limited, whose penalties together totalled £14m), the UK company Advanced Computer Software Group Ltd, the US genealogy company 23andMe Inc, and LastPass UK Ltd.  All of these fines were issued for infringement of the UK GDPR’s security provisions following massive data losses resulting from cyber attacks, highlighting the critical importance of implementing robust technical and organisational measures (TOMs) to protect personal data.  Unlike 2024, the total fines for breach of the PECR fell far short of the total for UK GDPR violations (£1.025m as opposed to about £20.68m).

Reasons for Fines Being Imposed

Let’s examine the reasons why fines were imposed by (or with the involvement of) the ICO in 2025. The following graphic summarises what breaches occurred for the fine to be imposed.

This demonstrates that, unlike in 2024, the majority of the ICO’s fines were directed at infringements of the UK GDPR, not at breaches of the PECR telemarketing rules.  In 2024, the proportion of fines attributable to breaches of the UK GDPR formed one sixth of the total number of fines, whereas in 2025 this has risen sharply to just over half – a possibly significant departure from what has previously been perceived as an overreliance by the regulator on fining for infractions of the PECR.  

The 8 UK GDPR and DPA monetary penalties comprised the 4 significant security-related fines imposed on the organisations referenced above, a £60,000 fine issued to the law firm DPP Law for data loss resulting from a cyber attack, the £18,000 penalty imposed on Birthlink previously discussed, and 2 smaller fines issued by the courts against individuals for breaches of the DPA.

It remains to be seen whether the balance between UK GDPR fines and PECR monetary penalties will revert in 2026 to the pattern observed in previous years.  None of the PECR fines issued in 2024 or 2025 came close to the current statutory maximum of £500,000.  As a result, the planned increase of the PECR penalty cap to £17.5 million in 2026, aligning it with the maximum available under the UK GDPR, is unlikely to have an immediate impact.

6 of the 7 UK GDPR-related reprimands last year were issued to public sector bodies – meaning that, apart from the rather anomalous case of the charity Birthlink, the Information Commissioner seems to be sticking to his rationale of not fining public authorities (that such penalties have limited deterrent effect because it is ultimately the taxpayer who pays them), and issuing them with reprimands or enforcement notices instead.  Of the other 7 enforcement notices issued in the year, all went to private companies, and all were in relation to PECR breaches only.  The use of enforcement notices against public sector entities with regard to non-PECR breaches, noted in 2024, further developed in 2025, with two public bodies receiving such notices (both in relation to failures in dealing with subject access requests), but not fines.

ICO Fining More Heavily

Because of the relatively low number of monetary penalties, and the effect of the 4 large fines imposed on Capita, Advanced Computer Software Group, 23andMe and LastPass, the average ICO fine rocketed nearly tenfold from approximately £150K in 2024 to £1.45 million in 2025.

In previous years, there has been a relatively even split between fines under £100,000 and fines over this amount.  In 2025, just over half (8 of the 15) were above the £100K figure, with the four fines in the millions mentioned above far exceeding it.  So, this appears to strengthen the trend that began to emerge in 2024 of the regulator fining not more prolifically, but proportionately much more heavily.  In total, these 15 fines brought in around £21.7m to the Treasury, which is eight times the fine yield for 2024.

Cookies – nothing, not even a crumb

In our February 2025 blog on this topic, we wrote about how in 2023 and 2024 the ICO contacted companies operating the UK’s 200 most visited websites regarding their use of cookies, expressing concern that these companies were not following its guidance on website design and were not providing users with adequate choice as to whether their activities are tracked for personalised marketing.  In January 2025, this national cookies compliance check was expanded to include the top 1,000 sites in the UK.  We have tracked what effect the regulator’s heightened vigilance on this matter has had in 2025 and it appears that the ICO’s verbal crackdown on cookies nonconformance has – so far – worked as intended.  There was no enforcement of any kind taken by the data protection authority for this type of infringement in 2025.

URM will of course be monitoring all the other future ICO fines, reprimands and enforcement notices too – let’s see what 2026 brings!

How URM can Help

For organisations seeking to avoid ICO enforcement action, maintaining robust GDPR compliance remains essential.  As the largest fines issued in 2025 demonstrate, the ICO continues to take a firm approach where inadequate TOMs result in serious security incidents and data loss.  With over 20 years of experience providing data protection and GDPR support to organisations, URM is well placed to help organisations address these risks.  Our multidisciplinary consultancy brings together experienced data protection, information security, and cyber security practitioners, enabling us to provide joined-up advice on both legal compliance and the practical implementation of appropriate TOMs.

URM can assist you to assess whether your current security arrangements meet the Regulation’s requirements by conducting a targeted information security and GDPR gap analysis, identifying weaknesses in technical controls, governance arrangements, and operational processes that could expose you to regulatory action.  We then provide pragmatic remediation support to help embed proportionate and risk-based TOMs.

In addition to TOMs-focused support, URM offers a wide range of GDPR consultancy services, including GDPR gap assessments, remediation support, data privacy impact assessments (DPIAs), and assistance with records of processing activities (ROPAs).  For organisations managing data subject access requests (DSARs), we provide a dedicated DSAR support service, applying the appropriate exemptions and redactions to help ensure compliant and defensible responses.  Our virtual Data Protection Officer (vDPO) service also enables organisations to access a full team of experienced practitioners.

Alongside consultancy services, URM delivers a comprehensive programme of data protection and security training, designed to raise organisational awareness, support compliance activities, and strengthen security maturity.  For those seeking a recognised qualification and a comprehensive understanding of the UK data protection framework, URM’s BCS Certificate in Data Protection (CDP) course provides thorough preparation for the BCS invigilated examination.  We also offer targeted, practical training courses, including Conducting DTIAs, Conducting DPIAs, and our one-day course on How to Manage DSARs, enabling organisations to build internal capability and resilience.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
