Penby
Analysis

The real cost of getting data protection wrong

Andy Williamson 5 April 2026

When the Police Service of Northern Ireland was fined £750,000 in October 2024, the number made the headlines. It was a significant penalty, the result of a hidden spreadsheet tab in a Freedom of Information response that exposed the surnames, initials, ranks, and work locations of all 9,483 serving officers and staff.

But the fine wasn't the real story. What followed was: roughly 7,000 civil claims from officers whose personal details were now public. Estimated total liability between £140 million and £240 million. The fine represented somewhere between 0.3% and 0.5% of the total cost.

And for some of those officers it resulted in having to move house. Their home addresses could be inferred from the published data, and in Northern Ireland that really isn't an abstract privacy concern; it's a safety concern. That detail tends to get lost in the financial figures, but it shouldn't. It's the difference between a data protection failure that costs money and one that dramatically changes people's lives.

The fine makes the headline, but not the story

Most organisations think about data protection risk in terms of what the ICO, the Information Commissioner's Office, the UK's data protection regulator, could potentially fine them. That fine-based framing misses almost everything.

Marks & Spencer's cyber incident in April 2025 is the one case that should change how every UK business leader approaches this subject. Direct costs reached £101.6 million. Lost sales totalled £324 million. Pre-tax profits collapsed from £391.9 million to £3.4 million, a 99% decline in a single reporting period. Online ordering was suspended for about six weeks on a channel that normally generates around £3.8 million per day. The company's cyber insurance recovered £100 million, but that covered barely a third of the total financial impact.

To date, no ICO fine has been announced for the M&S incident. The commercial damage didn't need to wait for the regulator.

At PSNI, the fine was dwarfed by civil litigation. At M&S, operational disruption and lost revenue did the damage before the regulator had opened a single file. Each case took a very different direction, but both carry the same lesson: the actual cost to an organisation bears almost no relationship to whatever the ICO might or might not levy.

Most businesses equate data protection risk with regulatory risk. The evidence says regulatory risk is the thin end of the wedge.

The costs nobody budgets for

Behind every major breach sits a set of costs that rarely appear in the risk register.

The investigation itself. When the ICO investigates, the process typically runs two and a half to three and a quarter years from breach to penalty. During that time, the organisation is paying specialist legal counsel, diverting senior staff from their day jobs, and responding to formal information notices, all running alongside normal operations. Under the Data Use and Access Act 2025 (DUAA), the ICO now has power to compel individuals to attend interviews and to require organisations to commission – and pay for – independent technical reports. Anyone who has been through an ICO investigation will tell you: it's like running a second business inside your primary business, and it goes on for years.

Civil claims that could dwarf the penalty. The 2025 Court of Appeal decision in Farley v Paymaster widened the door for data protection compensation claims by removing the previous threshold of seriousness. Individual awards range from around £250 for minimal distress to £60,000 or more for severe psychiatric harm. At scale, the numbers we're seeing are transformative: about 7,000 claims against PSNI, nearly 4,000 against Capita via Barings Law, and what is now considered the largest personal data group action in UK history against British Airways.

Supply chain consequences. Only 14% of UK businesses review the cyber risks posed by their immediate suppliers. Fourteen percent. And yet, a data protection failure now follows organisations into procurement.

The Procurement Act 2023, in force since February 2025, introduces discretionary exclusion grounds for suppliers with poor governance records. The Advanced Computer Software case, the first ICO fine against a data processor, at £3.07 million, established that organisations processing data on behalf of others face direct regulatory liability. IBM's 2025 data shows supply chain compromise adds about £240,000 to the average cost of a breach. For any organisation that depends on contracts, particularly public sector work, a data protection failure doesn't just cost money. It potentially costs future revenue you never even know you've lost.

The insurance gap. Cyber insurance claims in the UK tripled in 2024 to £197 million. But cover rarely matches what organisations actually lose. M&S recovered £100 million and absorbed more than £200 million in unrecovered costs. The Co-operative Group's incident in the same period found the organisation, shockingly, without any comprehensive cyber cover at all. Insurers increasingly require evidence of basic controls (multi-factor authentication, patch management, staff training) as preconditions for coverage, and you can be sure they will scrutinise those controls closely when a claim is made.

Every major fine involved the same preventable failure

Every major UK data protection fine in 2025 involved the absence of multi-factor authentication, a straightforward security control that adds a second verification step beyond a password. It costs practically nothing to implement.

The DPP Law case is the one that sticks with me. A small legal practice, fined because an administrator account without MFA had been sitting untouched since 2001 - 23 years! Nobody had looked at it, nobody had questioned it, and when it was inevitably exploited, it brought the firm to the ICO's attention in the worst possible way.

Capita had a device left unquarantined for 58 hours alongside MFA gaps across critical systems. Advanced Computer Software had failed to implement MFA on its critical Citrix gateway. 23andMe fell to credential stuffing that MFA would have prevented.

These were not sophisticated attacks exploiting unknown vulnerabilities. They were all the predictable consequence of basic gaps in governance. The ICO isn't fining organisations for being attacked. It's fining them for leaving the key in the door.

These facts help you reframe the real problem. Data protection isn't about building expensive, impregnable security infrastructure. It's about getting the basic fundamentals right. And the fundamentals are normally neither expensive nor complicated, which is what really makes these failures so difficult to defend.

The investment case

An outsourced DPO, a qualified practitioner responsible for overseeing an organisation's data protection, costs between £4,000 and £25,000 per year, depending on an organisation's size and complexity. Cyber Essentials certification costs a few hundred pounds. Staff awareness training runs at £100 to £300 per employee.

Set those figures against the IBM 2025 Cost of a Data Breach report's UK average of £3.29 million, or the DSIT/KPMG estimate of £195,000 for a significant cyber attack on a mid-size organisation. Prevention costs less than 1% of what a single significant incident costs.

The ICO's own enforcement approach reinforces this. The regulator has stated it is "unlikely to take enforcement action against an organisation that was genuinely seeking to comply and had taken reasonable steps." Cooperation and demonstrable governance consistently produce substantial settlement discounts – Capita's fine was reduced by 69%, from £45 million to £14 million. Advanced's was halved. Organisations with Cyber Essentials certification make 92% fewer insurance claims.

The DUAA has sharpened the ICO's toolkit further – compelled interviews, mandatory technical reports at the organisation's expense, and PECR fines raised from a maximum of £500,000 to £17.5 million or 4% of global turnover. Fewer investigations, but harder hitting when they come. For organisations with good governance, that direction is reassuring. For organisations hoping the odds are in their favour, those odds just changed.

The real risk isn't the fine

Every data protection officer's job is to make sure their organisation never faces an ICO investigation. That's the fundamental purpose of the role, and any practitioner will tell you it's the scenario the entire profession works to prevent.

The evidence from 2024 to 2026 is consistent. The fine is often the smallest cost. The operational disruption, the thousands of civil claims, the contracts lost quietly, the investigation grinding through the organisation for years, the reputational damage that outlasts all of it, these are the costs that can destroy an otherwise healthy business.

It hurts all the more when you consider that every major fine involved basic, affordable failures. An admin account from 2001. A device left unquarantined for two days. A subject access request not recognised. MFA that nobody managed to find the time to switch on. The gap between what proactive governance costs and what a significant breach costs isn't a matter of percentages; it's orders of magnitude.

Which leaves a fairly straightforward question for anyone running a UK organisation that handles personal data. Are you confident you've got robust governance in place? If you need a DPO, do you have one? Or are you crossing your fingers that it won't be you next?
