Before the introduction of the GDPR, the ICO could issue fines capped at £500k under the Data Protection Act 1998. That cap meant large global organisations were unlikely to feel the impact of a penalty. Under the UK GDPR the ICO can now fine an organisation up to £17.5m or 4% of its annual worldwide turnover, whichever is higher.
Over the years, the ICO has handed out some of the biggest penalties for data breaches where companies failed to protect customer data. In the 2020 to 2021 financial year the ICO issued a record £42m in fines, a 1580% increase on the previous year.
Top ICO fines issued
- British Airways - £20m fine (2020)
- Marriott Hotels - £18.4m fine (2020)
- TikTok - £12.7m (2023)
- Clearview AI - £7.5m fine (2022)
- Ticketmaster - £1.25m fine (2020, for a 2018 breach)
- Cabinet Office - £500k fine (2021)
- Doorstep Dispensaree Ltd. (Pharmacy) - £275k fine (2019)
These fines can devastate organisations on the receiving end, ensuring the consequences of lax data protection practices are felt. We explain why these penalties are issued so that your organisation can avoid being in the same boat.
The biggest ICO fines in detail
1. British Airways - £20m (2020)
GDPR breaches - Article 5(1)(f), Article 32
The ICO fined British Airways £20m for failing to protect the personal data of more than 400,000 customers and staff.
BA was the subject of a cyber-attack in 2018 that it did not detect for more than two months; it was alerted to the breach by a third party rather than by its own monitoring. The ICO's investigation found that the airline had been processing significant amounts of personal data without adequate security measures in place, in breach of data protection law, and that the attacker was able to exploit those weaknesses.
The attacker potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details believed to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for a further 108,000 customers. The usernames and passwords of BA employee and administrator accounts, and the usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
In July 2019 the ICO had issued a notice of intent to fine British Airways an eye-watering £183m for these failings. The final penalty was reduced to £20m after the ICO considered BA's representations and the economic impact of COVID-19.
2. Marriott International - £18.4m (2020)
GDPR breach - Article 32
Marriott International Inc failed to keep millions of customers' personal data secure. Around 339 million guest records worldwide are believed to have been affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. Marriott acquired Starwood in 2016, but the compromise was not discovered until September 2018, meaning the attacker had access to the systems for roughly four years.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests' VIP status and loyalty programme membership numbers. Although this is a large fine, it is significantly less than the £99m the Information Commissioner's Office (ICO) had initially proposed in its notice of intent.
3. TikTok - £12.7m (2023)
GDPR breaches - Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR
The Information Commissioner's Office (ICO) fined TikTok £12.7m for a number of breaches, including unlawfully processing the data of up to 1.4m UK children under the age of 13 without parental consent. The regulator found that TikTok did not do enough to prevent under-13s from accessing the platform and failed to carry out adequate age checks, even though its own rules did not allow children under 13 to create an account.
The ICO also found that TikTok failed to ensure that the personal data of UK users was processed lawfully, fairly and in a transparent manner, and that it did not give users easy-to-understand information about how their data was collected, used and shared. The ICO's Children's Code (the Age Appropriate Design Code), which has been in force since September 2021, sets out the standards online services are expected to meet when they are likely to be accessed by children.
4. Clearview AI - £7.5m (2022)
GDPR breaches - Art. 5 (1) a), e), Art. 6, Art. 9, Art. 14 GDPR, Art. 15, Art. 16, Art. 17, Art. 21, Art. 22, Art. 35
The ICO found that Clearview AI Inc. breached UK data protection law. The company was fined £7.5m and ordered to stop obtaining and using the personal data of UK residents and to delete the data it already held. The ICO reached its decision after finding that Clearview AI Inc. had no lawful basis for collecting people's personal data.
Unlawful collection was only one of several breaches of UK data protection law. Clearview AI Inc. collected more than 20 billion images of people's faces from the internet and social media to build a searchable online database, without informing the people concerned that their images were being collected and used in this way. Note that in October 2023 the First-tier Tribunal overturned the penalty on the grounds that the ICO lacked jurisdiction over Clearview's activities; the ICO appealed that ruling.
5. Ticketmaster - £1.25m (2020)
GDPR breaches - Art. 5 (1) f), Art. 32
The ICO fined Ticketmaster UK Limited £1.25m for failing to protect its customers' personal data. The investigation found that the company had not implemented appropriate security measures for its online payments page, on which it had installed a third-party chatbot. The attacker compromised the chatbot and used it to skim payment details entered on the page.
The data breach potentially affected 9.4m customers across Europe and involved customer names, payment card numbers and CVV numbers. Despite repeated warnings about fraudulent activity, including from a bank that had traced fraud back to Ticketmaster transactions, the ticket retailer only identified and addressed the problem nine weeks later.
The ICO also found that the company had failed to properly assess the risk of hosting a third-party chatbot on its payments page. The penalty covers only the period from 25 May 2018, when the GDPR came into effect, even though the breach began in February of that year.
6. Cabinet Office - £500k (2021)
GDPR breaches - Art. 5 (1) f), Art. 32
The Cabinet Office was fined £500k for failing to have appropriate technical and organisational measures in place to prevent breaches of data protection law. On publishing the New Year Honours list at the end of 2019, the department posted the full home addresses of those recognised by the Queen on the gov.uk website.
The Cabinet Office's failure to mitigate the risk of such a breach exposed more than 1,000 people, including senior police officers, politicians and celebrities, to the risk of identity fraud and other harm. The investigation found "pockets of best practice" undermined by "concerning lapses" in behaviour and processes. The ICO later agreed to reduce the penalty to £50,000 following an appeal.
7. Doorstep Dispensaree Ltd. (Pharmacy) - £275k (2019)
GDPR breaches - Art. 5 (1) f), Art. 32
The ICO fined Doorstep Dispensaree Ltd. (Pharmacy) £275k, its first penalty under the GDPR, for failing to ensure the security of special category data. Doorstep Dispensaree had left around 500k documents containing the names, addresses, dates of birth, NHS numbers, medical information and prescriptions of an unknown number of people in unlocked containers at the back of its premises.
The company had failed to process these documents in a manner that ensured appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage. Because the containers were left outside, some of the documents were also water damaged. The penalty was later reduced to £92,000 by the First-tier Tribunal on appeal.
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.