The ICO publishes its enforcement decisions publicly, which makes them unusually useful for understanding what actually triggers regulatory action. Reading through the 2023 and 2024 decisions, a few patterns stand out - and they are not what most businesses expect. The biggest fines do not always go to the biggest organisations, and the most common failure is not a dramatic data breach but something much more mundane: ignoring rules around direct marketing.
This article looks at specific cases, the numbers involved, and what smaller businesses can realistically take away from them.
PECR: the ICO's most-used enforcement tool
If you look at the raw volume of ICO enforcement action, Privacy and Electronic Communications Regulations (PECR) cases outnumber UK GDPR cases significantly. PECR governs direct marketing - phone calls, texts, emails - and the ICO has been active in this area for years. The pattern is consistent: companies buy or rent marketing lists, send thousands or millions of unsolicited messages, and get fined when the volume of complaints reaches a threshold that triggers an investigation.
In 2023, Aggregates Direct Limited was fined £130,000 for making over 355,000 unsolicited marketing calls to numbers registered with the Telephone Preference Service. The TPS registration should have been an absolute bar - calling TPS-registered numbers without consent is a clear PECR breach. The company's defence that they had "screened" the list was undermined by the sheer number of complaints received from people who had registered precisely to avoid such calls.
Easylife Ltd received a £1.35 million fine in 2022 (upheld on appeal in 2023) for a more complex combination of failures: using health data inferred from purchase history to target people with health-related products, and making millions of calls without adequate consent. The health data inference angle was particularly significant - the ICO found that combining shopping behaviour to infer health conditions constituted special category data processing, which requires explicit consent under UK GDPR. It is a reminder that data you already hold can create new compliance problems depending on how you use it.
The nuisance call problem is not going away
Sky Betting and Gaming was fined £1.17 million in 2023 for sending marketing emails to customers who had previously opted out, and for failing to honour opt-out requests promptly. The ICO found the company had continued sending emails for up to 42 days after customers unsubscribed. That is not a minor technical issue - it is a systematic failure in how opt-out requests were processed, and 42 days is a long time in anyone's inbox.
This case matters because it shows the ICO will look at process failures, not just policy failures. Having an unsubscribe link is not enough if your backend system does not process the request quickly and reliably. For any business doing email marketing, the time between a customer clicking "unsubscribe" and the actual suppression of their record needs to be measured in hours, not days or weeks.
Practical note: The ICO expects opt-out requests to be honoured "as soon as reasonably practicable." For email, that generally means within a few days at most. If you are using a third-party email platform, check whether your suppression lists sync in real time or whether there is a lag.
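As an added example (not from the article or the ICO), the kind of check the practical note calls for can be run over your own platform's exports: given an opt-out log and a send log, report every message sent after the recipient had already unsubscribed and how many days late it was. The CSV-style line format and the sample rows below are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real customers): "address,ISO timestamp" per line.
OPT_OUTS = """\
alice@example.com,2023-03-01T10:00:00
bob@example.com,2023-03-05T09:30:00
"""

SENDS = """\
alice@example.com,2023-02-20T08:00:00
alice@example.com,2023-03-02T08:00:00
alice@example.com,2023-04-12T08:00:00
bob@example.com,2023-03-05T09:00:00
carol@example.com,2023-03-10T08:00:00
"""

def parse_log(text):
    """Parse 'address,timestamp' lines into (address, datetime) tuples."""
    rows = []
    for line in text.strip().splitlines():
        addr, ts = line.split(",")
        rows.append((addr.strip().lower(), datetime.fromisoformat(ts.strip())))
    return rows

def first_opt_out(opt_outs):
    """Earliest opt-out per address; a person may unsubscribe more than once."""
    earliest = {}
    for addr, ts in opt_outs:
        if addr not in earliest or ts < earliest[addr]:
            earliest[addr] = ts
    return earliest

def sends_after_opt_out(opt_outs, sends):
    """Return (address, send_time, days_after_opt_out) for every send made after
    the recipient had opted out. An empty list means suppression held."""
    earliest = first_opt_out(opt_outs)
    violations = []
    for addr, sent_at in sends:
        opted = earliest.get(addr)
        if opted is not None and sent_at > opted:
            lag_days = (sent_at - opted) / timedelta(days=1)
            violations.append((addr, sent_at, round(lag_days, 2)))
    return violations

def worst_lag_days(opt_outs, sends):
    """Longest gap (in days) between an opt-out and a later send; 0.0 if none."""
    v = sends_after_opt_out(opt_outs, sends)
    return max((lag for _, _, lag in v), default=0.0)
```

Sends made before the opt-out (bob) and to addresses that never opted out (carol) are not flagged; in the sample, alice still receives mail almost 42 days after unsubscribing, which is the lag the Sky Betting and Gaming decision turned on.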
Data breaches: the cases that make headlines but are not the most common
UK GDPR enforcement for data breaches tends to attract more media coverage than PECR cases, partly because the maximum fines are higher (up to £17.5 million or 4% of global annual turnover under UK GDPR, compared to £500,000 under PECR). But the ICO's approach to data breach cases has actually become more measured over time - the regulator regularly issues reprimands rather than fines for organisations that self-report promptly, cooperate fully, and have reasonable security in place that was nonetheless defeated.
The 2024 enforcement action against Clearview AI is worth mentioning even though Clearview is a US company. The ICO fined them £7.5 million (reduced from an initial £17 million after appeal) for scraping billions of facial images from the internet without legal basis. The case is instructive because Clearview argued, among other things, that it had no establishment in the UK and the ICO had no jurisdiction. The ICO disagreed, and the UK courts have so far supported that position. For any company processing data about UK individuals, the "we're not a UK company" defence has significant limits.
Interserve Group was fined £4.4 million in 2022 (the decision and its implications ran through 2023) for a cybersecurity failure that resulted in 113,000 employees' personal data being compromised, including financial information, health data, and immigration status. The ICO found that Interserve had failed to keep its software up to date, had not carried out adequate staff training on phishing (the attack vector), and had not followed its own security policies. None of these failures required sophisticated expertise to prevent. This is the pattern in most data breach enforcement: it is rarely that an organisation was attacked by something unprecedented. It is usually that they failed to do basic things.
The ICO's current enforcement priorities
The ICO publishes its regulatory priorities, which currently include: children's privacy and the Age Appropriate Design Code, cookie compliance (particularly the use of dark patterns that make it hard to reject cookies), direct marketing, and data security. Understanding these priorities helps businesses think about where the risk is concentrated.
Cookie compliance is an area where smaller businesses frequently have a false sense of security. Many websites use cookie consent banners that technically include a reject option, but make it significantly harder to reject than to accept - smaller text, more steps, different colours. The ICO has been explicit that this is non-compliant. In 2023 it wrote to the top 100 UK websites warning them to fix their cookie consent mechanisms. Enforcement against smaller sites for cookie issues alone is relatively rare, but the risk is higher for businesses where a competitor or disgruntled customer decides to make a complaint.
Children's data carries elevated risk. If your website or app might be used by children under 18, the Children's Code applies and the ICO has been explicit that it will prioritise enforcement here. TikTok's £12.7 million fine in April 2023 - for allowing children under 13 to use the platform without parental consent - is the most visible example, but the ICO has also investigated smaller apps and services.
What triggers an ICO investigation in practice?
The ICO's investigations are overwhelmingly complaint-driven. The regulator receives around 35,000 data protection complaints per year from individuals, and these complaints are the primary trigger for investigations. Self-reported data breaches are the second main trigger - organisations are legally required to report breaches that meet the threshold to the ICO within 72 hours of becoming aware of them, and the ICO then decides whether to investigate further.
Proactive, intelligence-led investigations do happen - the cookie consent campaign mentioned above is one example - but they tend to be focused on specific sectors or practices the ICO has identified as systemic issues. For the average small business, the realistic risk is a complaint from a customer who feels their data was misused, combined with an ICO investigation that then looks more broadly at the business's practices.
This is why having the basics in place matters even if your data processing is relatively simple. A clearly written Privacy Policy that accurately describes what you do, a working process for handling subject access requests, and a sensible approach to cookie consent will not make you immune to enforcement, but they will significantly reduce the likelihood of a complaint escalating into a formal investigation.
Size is not a defence
The cases that attract headlines are mostly large organisations, partly because large organisations process more data and partly because large fines make better news. But the ICO also pursues smaller businesses. The Aggregates Direct case - a building materials company, not a tech giant - illustrates this. The £130,000 fine is significant for any SME.
The ICO has explicitly stated that it does not apply a "small business" exemption. The law applies equally to a one-person consultancy and a FTSE 100 company. The practical difference is that a smaller organisation may have less data to get wrong, not that different rules apply. If you are processing personal data - even just through a contact form and a mailing list - UK GDPR applies to you.
For a deeper look at how UK GDPR came to apply in the UK and how it differs from the EU version, see our guide on UK GDPR vs EU GDPR after Brexit.
The cost of getting it right versus the cost of getting it wrong
The smallest ICO fine in the cases reviewed here is £130,000. The largest is in the millions. But the financial penalty is only part of the cost. ICO investigations are time-consuming, requiring responses to detailed information requests, potentially involving legal representation, and creating reputational risk if the decision is published (which it usually is). The reputational damage of being named in an ICO enforcement decision is hard to quantify but real - particularly for businesses where trust is a key selling point.
Getting the basics right - a compliant privacy policy, sensible data practices, a working opt-out process, reasonable security - costs a fraction of even the smallest fine. The economics are not particularly complicated.