Penby
Analysis

The real cost of getting data protection wrong

Andy Williamson 4 April 2026

Many organisations think of data protection risk in terms of an ICO fine. It's an understandable assumption – the headlines focus on the penalty figure, and the maximum fine of £17.5 million sounds serious enough to concentrate the mind.

But the fine is almost never the most expensive part. In case after case, the regulatory penalty turns out to be a fraction of the real cost. The bulk sits in operational disruption, legal fees, lost contracts, civil claims, and reputational damage.

This article sets out what actually happens – the real consequences UK organisations have faced in recent years, and where the real costs lie.

The ICO is doing less, but hitting harder

The ICO – the Information Commissioner's Office, the UK's data protection regulator – has shifted its enforcement approach significantly. In 2024, the ICO issued around 18 fines totalling roughly £2.7 million, at an average of about £150,000 each. In 2025, it issued 15 fines totalling approximately £21.7 million – an average of nearly £1.5 million per fine.

Fewer actions, far larger penalties. The ICO is concentrating its resources on the cases that demonstrate systemic failure, serious harm, or egregious conduct. Only about 3% of the 12,000-plus breach reports the ICO receives each year lead to a formal investigation.

What this means in practice is that the ICO isn't chasing minor infringements. It's targeting organisations where the governance failures are significant – and when it acts, the financial consequences are substantial.

What the recent cases actually cost

The headline fines tell only part of the story. Look at what happened beyond the penalty notice.

Capita received a £14 million fine in October 2025, reduced from an initial £45 million. The failures were basic: a device left unquarantined for 58 hours, gaps in multi-factor authentication – requiring a second verification step beyond a password, such as a code from a phone app – and slow incident response. But the fine was not the full picture. Total costs, including forensic investigation, legal counsel, remediation, and regulatory engagement, ran substantially higher.

Marks & Spencer suffered a cyber incident in April 2025 costing £101.6 million in direct costs and an estimated £324 million in lost sales. Pre-tax profits fell from £391.9 million to £3.4 million – a 99% decline. Online ordering was down for six weeks. Cyber insurance recovered £100 million, barely a third of the total impact.

The Police Service of Northern Ireland was fined £750,000 in October 2024, reduced from £5.6 million, after a spreadsheet containing the data of 9,483 officers was accidentally published in a Freedom of Information response. The fine was modest. The real cost was not. Around 7,000 civil claims have been filed, with estimated total liability of £140–240 million – before you count the security costs of protecting officers whose identities were now public.

The pattern is consistent. The ICO fine is the visible part. Beneath it sits operational disruption, civil litigation, insurance shortfalls, and commercial consequences that routinely dwarf the penalty itself.

One detail connects every case: the absence of multi-factor authentication. Capita, Advanced, DPP Law, 23andMe – in each, the ICO specifically identified missing MFA as a critical failing. The most common thread running through millions of pounds in penalties was a basic security measure that costs very little to implement.

The costs most organisations don't think about

Beyond fines and immediate incident response, several categories of cost consistently catch organisations off guard.

Civil litigation is expanding. The Court of Appeal's decision in Farley v Paymaster (now heading to the Supreme Court in October 2026) has opened the door to data protection compensation claims that would previously have been struck out. Individual awards range from around £250 to over £60,000. At scale, the numbers transform: ~7,000 claims against PSNI, nearly 4,000 against Capita. Group litigation is becoming a standard response to significant breaches.

Supply chain consequences are growing. Only 14% of UK businesses currently review the cyber risks posed by their immediate suppliers. The Procurement Act 2023 – in force since February 2025 – allows public sector bodies to exclude suppliers with poor governance from bidding for contracts. The ICO's fine against Advanced Computer Software Group in March 2025 established that data processors face direct regulatory liability. If your organisation processes data on behalf of others, your governance is now directly relevant to winning and keeping contracts.

Insurance covers less than you think. UK cyber insurance claims tripled in 2024 to £197 million. But insurers increasingly require evidence of basic security controls – multi-factor authentication, patch management, penetration testing, staff training – as preconditions for coverage. Where those controls are absent, claims can be declined. And even where cover applies, the M&S case demonstrates that insurance rarely covers the full cost. Only around 43% of UK companies hold cyber insurance at all.

Reputational damage is slow and expensive to repair. Research suggests 20% of consumers would definitely stop dealing with a company after a breach. A third of UK organisations that have experienced one report losing customers. Reputation restoration typically takes 10 months to over two years. For professional services firms, where client trust is the business, reputational damage can be existential.

The enforcement reality: what it's actually like

An ICO enforcement investigation is not a quick process. The timeline from breach to penalty is typically two and a half to three years. The Advanced case took two and a half years. DPP Law – a small law firm fined £60,000 in April 2025 – took three years from breach to penalty. The failing? A legacy admin account without multi-factor authentication, untouched since 2001.

During that time, the organisation is carrying the burden of the investigation alongside normal operations: responding to information notices, instructing specialist legal counsel, diverting senior staff to manage the process, and living with the uncertainty of not knowing what the outcome will be.

The Data Use and Access Act 2025 has given the ICO sharper tools. It can now compel individuals to attend interviews and require organisations to commission independent technical reports at their own expense. The maximum fine for breaches of PECR – the rules covering marketing emails and cookies – has risen from £500,000 to £17.5 million.

Personal liability is also a live risk. In September 2025, the ICO secured its first prosecution of an individual for deliberately obstructing a subject access request – a request from someone asking to see the personal data held about them.

What proactive governance actually costs

The investment case is straightforward when you set prevention costs against failure costs.

An outsourced data protection officer for a UK SME typically costs between £4,000 and £25,000 per year, depending on the size and complexity of the organisation. Cyber Essentials certification costs a few hundred pounds. Staff awareness training runs at £10–30 per employee. A GDPR gap assessment starts from around £2,000.

Set those figures against the IBM 2025 Cost of a Data Breach Report, which puts the average cost of a UK data breach at £3.29 million. Or against the DSIT/KPMG figure of £195,000 as the average cost of a significant cyber attack for a mid-market organisation. Prevention costs are typically less than 1% of what a single significant incident would cost.

The ICO itself has been explicit: it is unlikely to take enforcement action against an organisation that was genuinely seeking to comply and had taken reasonable steps. Cooperation, engagement with guidance, and demonstrable remedial action all reduce both the likelihood of enforcement and the severity of any penalty. Organisations with Cyber Essentials certification make 92% fewer insurance claims.

Good governance doesn't just reduce the risk of something going wrong. It reduces the cost when something does. And it makes the difference between an organisation that recovers and one that doesn't.

The smaller organisations in the room

Most of the headline cases involve large organisations – Capita, Marks & Spencer, the PSNI. It would be easy for a small or mid-sized business to read those examples and think: that doesn't apply to us.

It does. DPP Law – a small firm – was fined £60,000 for a single unresolved vulnerability sitting in their systems for over two decades. Birthlink – a Scottish adoption charity – was fined £18,000 for destroying 4,800 records without proper policies or governance. For organisations of that scale, those penalties plus the legal costs of a multi-year investigation are significant.

The ICO does not apply a different standard to smaller organisations. UK GDPR applies uniformly. The expectation is that governance is proportionate to the data you hold and the risks it presents – but the expectation exists regardless of your size.

What this means for your organisation

The cost of getting data protection wrong is consistently and significantly larger than the cost of getting it right. The gap is not marginal – it's measured in orders of magnitude.

Every major enforcement case in recent years involved failures that proactive governance would have caught. Missing MFA, dormant admin accounts, absent policies, untrained staff, late breach notifications. These are not sophisticated attacks. They are basic governance failures, left unaddressed until something went wrong.

Understanding your data protection obligations – genuinely understanding them, not just having policies on file – is the most effective protection available. It's also considerably cheaper than the alternative.

A reasonable starting point: look at the controls that featured in every major enforcement case. Is multi-factor authentication enabled across your systems? Do you know where your personal data sits and who has access to it? Would your staff know what to do in the first hour of a breach? If the answer to any of those is uncertain, that's where to begin.
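The first two questions above (is MFA enabled everywhere, and who still has access) are answerable from an identity export. As an added example that is not part of this article or of Penby's own material, the script below takes a small constructed account inventory and flags the two failings the article returns to repeatedly: privileged accounts without multi-factor authentication, and dormant accounts of the kind that sat unused at DPP Law for two decades. The column names are an assumption about what a directory or identity-provider export might contain; substitute your own.

```python
"""Added example (not from the article): flag admin accounts without MFA and
dormant accounts in an account inventory export.

Field names (username, is_admin, mfa_enabled, last_login) are assumed; the
rows below are constructed sample data, not a real export.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export standing in for an identity-provider CSV.
SAMPLE_EXPORT = """\
username,is_admin,mfa_enabled,last_login
j.smith,false,true,2026-03-28
legacy_admin,true,false,2001-06-14
svc_backup,true,true,2026-04-01
temp_contractor,false,false,2024-11-02
it.lead,true,false,2026-03-30
"""

# Date the audit is run against (constructed to match the sample rows).
AS_OF = date(2026, 4, 4)


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str      # "admin_without_mfa", "user_without_mfa", "dormant_account"
    severity: str   # "high" or "medium"


def _parse_bool(value: str) -> bool:
    """Accept the true/false, yes/no and 1/0 spellings exports tend to use."""
    return value.strip().lower() in {"true", "1", "yes"}


def load_accounts(text: str) -> list[dict]:
    """Parse the CSV export into plain dicts with typed fields."""
    reader = csv.DictReader(io.StringIO(text))
    accounts = []
    for row in reader:
        accounts.append({
            "username": row["username"].strip(),
            "is_admin": _parse_bool(row["is_admin"]),
            "mfa_enabled": _parse_bool(row["mfa_enabled"]),
            "last_login": datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date(),
        })
    return accounts


def audit_accounts(accounts: list[dict], as_of: date, dormant_days: int = 90) -> list[Finding]:
    """Return one Finding per control gap.

    An admin without MFA is always high severity; an ordinary user without MFA
    is medium. Any account idle for more than dormant_days is flagged, and the
    severity rises to high when that account is privileged.
    """
    findings: list[Finding] = []
    for acct in accounts:
        if not acct["mfa_enabled"]:
            if acct["is_admin"]:
                findings.append(Finding(acct["username"], "admin_without_mfa", "high"))
            else:
                findings.append(Finding(acct["username"], "user_without_mfa", "medium"))
        idle_days = (as_of - acct["last_login"]).days
        if idle_days > dormant_days:
            severity = "high" if acct["is_admin"] else "medium"
            findings.append(Finding(acct["username"], "dormant_account", severity))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, so the headline number is easy to report."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(load_accounts(SAMPLE_EXPORT), AS_OF)
    for f in sorted(results, key=lambda f: (f.severity != "high", f.username)):
        print(f"{f.severity:<6} {f.username:<16} {f.issue}")
    print(summarise(results))
```

Run against the sample data, the script surfaces exactly the pattern the enforcement cases describe: a legacy admin account with no MFA that nobody has used in years comes out at the top of the list, ahead of the routine user gaps. The 90-day dormancy threshold is a starting point; tighten it for privileged accounts if your joiner/mover/leaver process is reliable.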

