ICO GDPR fines UK 2026: what UK companies are actually being penalised for

By Nirav Goti, Jun 24, 2026. 16 min read

On 15 October 2025 the Information Commissioner's Office issued the largest single UK GDPR security penalty to date. Capita plc and Capita Pension Solutions paid a combined £14m after a 58-hour delay in quarantining an infected device exposed the personal data of 6.6 million people, and the regulator was clear that the initial proposed figure had been £45m before voluntary settlement. UK boards are now sitting with an uncomfortable pattern. Every flagship 2024-2026 ICO fine (Capita, Advanced Computer Software, 23andMe, DPP Law) has been a security-failure case, not a privacy-policy case, and the Data (Use and Access) Act 2025 has just raised PECR penalties to the same £17.5m or 4% global turnover ceiling that applies to UK GDPR. So what exactly is the ICO punishing in 2026, how does its penalty maths differ from that of EU data protection authorities, and where will supervisory attention sit when the Cyber Security and Resilience Bill, the ransomware payment regime and Ofcom's Online Safety Act enforcement push all land in the same calendar year? This post walks through the enforcement notices line by line and shows where security spend pays back.

Post-Brexit divergence: why UK GDPR is now its own enforcement regime

UK organisations sometimes still treat UK GDPR as a near-clone of EU GDPR. In 2026 that assumption misreads both the statute book and the ICO's published priorities, and it leads to budgets being aimed at the wrong controls.

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with the main data-protection provisions commencing on 5 February 2026. The Act amends UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. It introduces a new "recognised legitimate interests" lawful basis, relaxes solely-automated-decision-making rules outside special-category data with safeguards, sets a "reasonable and proportionate" standard for subject access request searches, and, most consequentially for security teams, raises PECR fines from the historic £500,000 cap to UK GDPR ceilings of £17.5m or 4% of global annual turnover. The Act also gives the ICO binding assessment notices and compulsory interview notices. That is a meaningful shift in how the regulator gathers evidence before issuing a penalty notice. Where the European Data Protection Board and continental DPAs have moved toward harmonisation under the EU GDPR one-stop-shop, the UK has moved toward sharper, faster fact-finding by a single national regulator.

Practical implications for a UK CISO or DPO are concrete. A cookie consent failing or a marketing call without lawful basis used to top out at £500,000 under PECR; from February 2026 the same conduct is exposed to the same multi-million-pound ceiling as a ransomware breach. ICO investigations can now demand documents and require senior personnel to attend interviews under formal notice. Multinationals running a single privacy programme across UK and EU need a UK-specific control map covering the divergent lawful bases, the new DSAR proportionality test, and the raised PECR exposure. UK GDPR is no longer a translation of EU GDPR; it is a separate regime with its own enforcement temperament.

Every flagship 2024-2026 ICO fine has been a security-failure case under Article 32, not a privacy-policy case. The Capita £14m settlement is the largest single UK GDPR security penalty issued to date.

Capita £14m: when delayed containment becomes the headline failure

The Capita penalty is the most instructive enforcement notice the ICO has published since UK GDPR came into force, because it isolates a single control failure that any UK organisation could replicate tomorrow. The March 2023 attack on Capita began with a malicious file landing on an employee device. A high-priority security alert was raised within 10 minutes. The infected device was not quarantined for 58 hours. During that window the attacker moved laterally and exfiltrated personal data of 6.6 million people, including pension scheme members managed by Capita Pension Solutions. On 15 October 2025 the ICO issued penalty notices totalling £14m, £8m to Capita plc and £6m to Capita Pension Solutions, reduced from an initial proposed £45m via voluntary settlement under which Capita waived the right to appeal. The ICO's reasoning, as set out in its press release and analysed in Mayer Brown's published commentary, centres on Article 5(1)(f) UK GDPR (integrity and confidentiality) and Article 32 (appropriate technical and organisational measures). The regulator flagged inadequate vulnerability and patch management, weak endpoint detection follow-through, and the containment delay as the core failures. None of these are exotic controls; they are the basic operational hygiene that the ICO now treats as the floor.

Alert-to-containment time is now an ICO metric, not an internal SLA. The 10-minute alert was detected; the 58-hour quarantine delay is what the regulator priced at £14m.

Three lessons for UK security leaders read directly from the notice. First, alert-to-containment time is now a regulator metric, not just an internal SLA. Second, voluntary settlement remains available but the discount is conditional on waiving appeal rights, which means the published reasoning will not be tested in court and will harden as ICO precedent. Third, the ratio of proposed to settled fine, £45m down to £14m, gives boards a working number for how much cooperation actually saves. UK organisations modelling worst-case scenarios for cyber insurance should now use the higher figure, not the settled one. Strengthening detection-and-response is the cheapest insurance available; our 24x7 SOC monitoring exists to compress exactly this window.

Advanced Computer Software £3.07m: the first processor fine and the MFA gap

Until March 2025 the ICO had not fined a data processor under UK GDPR following a ransomware attack. The Advanced Computer Software penalty closed that gap and set the template for supplier-side enforcement. Advanced provides software to NHS organisations. In August 2022 a LockBit ransomware attack disrupted NHS 111 and exposed personal data of 79,404 people, including home-care entry details for 890 individuals. The ICO's root-cause analysis identified a customer account without multi-factor authentication, inadequate network segmentation between Advanced's environments, and incomplete security testing of systems processing special-category health data. The provisional fine was £6.09m; the settled fine was £3,076,320, with mitigating credit given for proactive engagement with the National Cyber Security Centre, the National Crime Agency and NHS England. What this case codifies is that UK GDPR Article 32 is now read by the ICO as requiring MFA on remote access as a baseline, particularly where special-category data is in scope. The regulator did not need to point to a bespoke standard; it relied on the National Cyber Security Centre's published guidance and the proposition that MFA on internet-facing access is, in 2025, an "appropriate technical and organisational measure" in the ordinary meaning of those words. A processor handling NHS data without MFA was, on that reading, in breach by definition.

Voluntary settlement discounts cluster around 50%, with the steepest reduction going to the most cooperative respondent. The trade-off: waiving appeal rights hardens published reasoning as ICO precedent.

For UK technology suppliers the operational read-across is direct. Processor agreements signed before 2022 frequently lacked detailed security schedules; the ICO has now demonstrated it will pursue the processor directly under Article 32, not just the controller. Suppliers with UK customers should be running a documented MFA inventory, evidence-backed segmentation diagrams, and recent penetration testing reports against every internet-exposed surface. Where coverage is incomplete, scoped penetration testing and an Article 32 control gap review pay for themselves at a fraction of the £3m settlement number.

23andMe £2.31m: sensitive data, credential stuffing and slow detection

The 23andMe enforcement notice issued in June 2025 is the clearest ICO statement so far on what "appropriate" looks like when the data is irreplaceable. Between April and September 2023, attackers ran a credential-stuffing campaign against 23andMe accounts using credentials leaked from third-party breaches. The data of 155,592 UK residents was exposed, including genetic information. 23andMe did not detect the attack internally; it became aware only in October 2023 when stolen data appeared on Reddit. The ICO fined the UK arm £2.31m, reduced from a provisional £4.59m. The notice cited failure to mandate MFA on highly sensitive genetic data, weak password and login-verification practices, and the delayed detection.

The regulator's framing matters. The ICO treated the sensitivity of the data as a multiplier on the standard expected under Article 32, not as a separate ground. In other words, the same control gap, optional MFA on consumer accounts, that might be tolerated for a low-risk service was found unacceptable for genetic data. UK fintech and health-tech founders should read this as a sliding scale: the more sensitive the data, the higher the security baseline the ICO will assume.

Detection latency is the second axis. Five months of undetected credential-stuffing, followed by external notification via a Reddit post, told the ICO that the controller had no functional anomaly-detection or account-takeover monitoring. The regulator did not need to specify which product the company should have deployed; the failure was in the outcome, not the toolset. UK organisations holding special-category data should be able to evidence, on demand, login-anomaly alerting, credential-stuffing protections, and a documented internal escalation timeline measured in hours, not months. An AI risk assessment is also worth running for any consumer-facing platform now experimenting with model-based authentication or fraud scoring, since the ICO has signalled that opaque automated checks will not be a defence.
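To make the "outcome, not toolset" point concrete, here is an added example (not code from the original post, from 23andMe or from the ICO) of the kind of login-anomaly logic the notice implies a controller should have had. It uses a hypothetical auth log format and constructed sample lines; the thresholds, field names and IP addresses are all assumptions for illustration. It flags a source that fails against many distinct accounts inside a short window, records how long after the first failure the alert would have fired, and lists any successful login from that source that was not challenged for MFA.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical auth log format used only for this example (constructed; not any
# real product's schema):
#   <ISO timestamp> ip=<source> user=<account> result=ok|fail mfa=yes|no
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no)$"
)


def parse_line(line):
    """Parse one log line into a dict; lines that do not match are skipped (None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_failures=20, min_distinct_users=10):
    """Flag source IPs whose failed logins within a sliding window spread across
    many distinct accounts (the stuffing signature: one source, many usernames,
    mostly failures), then list successful logins from flagged IPs as
    account-takeover candidates. Thresholds are illustrative assumptions."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])

    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures_by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end, latest in enumerate(fails):
            # advance the window start so it spans at most `window` of time
            while latest["ts"] - fails[start]["ts"] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {f["user"] for f in in_window}
            if len(in_window) >= min_failures and len(users) >= min_distinct_users:
                alerts[ip] = {
                    "first_failure": fails[0]["ts"],
                    "alert_raised": latest["ts"],   # moment the threshold was crossed
                    "detection_latency": latest["ts"] - fails[0]["ts"],
                    "failures": len(in_window),
                    "distinct_users": len(users),
                }
                break

    # Any success from a flagged source is a takeover candidate; "mfa=no" means
    # the stolen password alone was enough, which is the gap the notice criticised.
    takeovers = [
        {"ip": e["ip"], "user": e["user"], "ts": e["ts"], "mfa": e["mfa"]}
        for e in events
        if e["result"] == "ok" and e["ip"] in alerts
    ]
    return alerts, takeovers


def build_sample_log():
    """Constructed sample traffic: one stuffing burst plus a benign user."""
    base = datetime(2026, 1, 15, 2, 0, 0)
    lines = []
    # 30 failures in 7.5 minutes, each against a different account
    for i in range(30):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=user{i:03d} result=fail mfa=no")
    # one reused password works and no MFA challenge follows
    ts = base + timedelta(seconds=15 * 30)
    lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=alice result=ok mfa=no")
    # a legitimate user mistypes twice, then succeeds with MFA
    for i, result in enumerate(["fail", "fail", "ok"]):
        ts = base + timedelta(minutes=5, seconds=20 * i)
        lines.append(f"{ts.isoformat()} ip=198.51.100.5 user=bob result={result} mfa=yes")
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    alerts, takeovers = detect_credential_stuffing(build_sample_log())
    for ip, a in alerts.items():
        print(f"stuffing from {ip}: {a['failures']} failures across "
              f"{a['distinct_users']} accounts, alert after {a['detection_latency']}")
    for t in takeovers:
        print(f"takeover candidate: {t['user']} from {t['ip']} at {t['ts']} (mfa={t['mfa']})")
```

On the constructed sample the alert fires 285 seconds after the first failure, which is the kind of escalation timeline "measured in hours, not months" the paragraph describes; the benign user who mistypes twice is not flagged, and the one successful login without an MFA challenge is surfaced for follow-up.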

How ICO penalty maths differs from EU DPA approaches

UK organisations with EU operations often assume the two regimes produce broadly similar fine outcomes for the same facts. The 2024-2026 record shows otherwise, and the difference matters for legal reserves and insurance attachment points. The ICO's approach is bilateral and settlement-led. The regulator typically issues a notice of intent with a provisional figure, opens dialogue with the controller or processor, and lands a settled penalty that reflects cooperation, mitigation and waived appeal rights. Capita went from £45m proposed to £14m settled. Advanced went from £6.09m to £3.07m. 23andMe went from £4.59m to £2.31m. The percentage discounts cluster around 50%, with the steepest discount, roughly 69%, going to the most cooperative respondent.

Multinationals cannot run a single response playbook. UK fines settle at roughly half the provisional figure; EU fines land closer to the headline and resolve more slowly. Reserve separately for each.

EU DPAs operate differently. Under the one-stop-shop, a lead supervisory authority coordinates with concerned authorities under Article 60 GDPR, and the European Data Protection Board can issue binding decisions under Article 65 where DPAs disagree. The result is longer timelines, higher headline fines for the largest cases, and less room for bilateral settlement. The aggregate quantum is often larger, but the path to a final number is slower and more contested. The practical consequence for UK organisations is twofold. First, voluntary settlement with the ICO is a live commercial option that can materially reduce exposure, but the cost is precedent: settled notices become published reasoning that the ICO will rely on in subsequent cases. Second, multinationals cannot run a single response playbook. A breach affecting UK and EU data subjects needs parallel tracks, one optimised for ICO settlement dynamics and one optimised for the EU one-stop-shop, with separate legal counsel and separate communication strategies. The Data (Use and Access) Act 2025 widens this gap by giving the ICO compulsory interview powers that do not exist in the same form across the EU. For boards modelling regulatory cost, the working assumption should be that UK fines settle at roughly half the provisional figure, EU fines land closer to the headline number, and the two should be reserved separately.

2026 supervision priorities: where the ICO is pointing next

Pattern-matching across ICO enforcement notices, public speeches and the powers granted by the Data (Use and Access) Act 2025 produces a clear picture of where supervisory attention will sit through 2026. Article 32 security failures dominate. Every major 2025 UK GDPR fine cited the same set of root causes: missing MFA, slow containment, inadequate vulnerability management, weak network segmentation, incomplete security testing. The ICO has effectively codified these as the minimum bar without issuing a prescriptive standard. Expect 2026 enforcement to continue this pattern, with particular focus on processors and supply-chain suppliers following the Advanced precedent. PECR will be the second front. With penalties now at UK GDPR levels from 5 February 2026, cookie-consent, marketing-call and electronic-communications failings can produce multi-million-pound notices for the first time. UK e-commerce and ad-tech operators should be running a documented PECR audit covering consent flows, third-party tags and cookie inventories against the ICO's published guidance.

Five UK regulators will be examining the same incident through different lenses in 2026. Building one set of evidence that satisfies all of them is the cheapest path through.

Automated decision-making and AI processing are the third area. The Data (Use and Access) Act relaxed solely-automated-decision-making rules outside special-category data, but added safeguards including a right to human review and transparency. The ICO has indicated it will scrutinise how those safeguards work in practice. Combined with the National Cyber Security Centre's Cyber Assessment Framework v4.0, released in 2026 with explicit AI cyber-risk coverage, the supervisory line on AI is firming up.

Sector-adjacent regulators are converging. Ofcom issued its first Online Safety Act monetary penalties in 2025, £20,000 against 4Chan in September and £50,000 against an undressing site on 20 November 2025, with 21 active investigations and two further provisional sanctions in the pipeline. The Financial Conduct Authority's operational-resilience rules required firms to remain within impact tolerance from 31 March 2025, with CBEST and STAR-FS used as live supervisory tools. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, will extend Network and Information Systems coverage to managed service providers, data centres of 1MW or above, and certain critical suppliers, with tiered fines up to £17m or 4% global turnover plus £100,000 per day for ongoing contraventions. For UK CISOs the operating reality is that 2026 is the year multiple regulators will be examining the same incident through different lenses. Building one set of evidence that satisfies all of them is the cheapest path through.

The control checklist the ICO has effectively written

Reading the 2024-2026 enforcement notices in sequence yields a control checklist that no single ICO guidance document sets out, but that the regulator has now established by example. The checklist below is derived directly from the published penalty notices.

None of these controls are novel; all are referenced in NCSC guidance. The gap that produces fines is operational, not strategic. UK organisations are being penalised for not doing what they already know they should do.

The checklist is unforgiving but it is also bounded. None of the controls listed are novel; all are referenced in NCSC guidance and the Cyber Assessment Framework. The gap that produces fines is operational, not strategic, and that is the more uncomfortable finding. UK organisations are being penalised for not doing what they already know they should do.

A 90-day workplan that addresses the checklist looks similar across most mid-market UK firms. Run an MFA coverage audit across every internet-facing surface and every administrative account. Measure current alert-to-containment time in a tabletop exercise and set a one-hour target for high-priority alerts. Refresh the vulnerability management programme against a documented SLA. Document network segmentation, particularly around special-category data stores. Verify login-anomaly monitoring on consumer-facing accounts. Confirm that the 72-hour notification machinery (legal, communications, regulator contact list) is rehearsed. Test the supplier-security evidence pack against the questions the ICO actually asked Advanced. None of this is dramatic; all of it is what the regulator now treats as the floor. A scoped VAPT engagement against this list closes most of the visible gaps inside one quarter.
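The alert-to-containment measurement in the workplan is easy to state and easy to get wrong once a device has several alerts and quarantine actions in its history. The following is an added example (not code from the original post or from any SOC or EDR product) that computes the metric from a constructed event stream in a hypothetical schema: it pairs each high-priority alert with the first quarantine of the same device recorded after it, ignores earlier unrelated quarantines and low-priority alerts, reports alerts that still have no containment action as open with their current age, and summarises the result against the one-hour target. Device names, timestamps and the event shape are all assumptions; the 58-hour case in the sample mirrors the delay the Capita notice criticised.

```python
from datetime import datetime, timedelta
from statistics import median

# Hypothetical event shape for this example (constructed; not any SOC or EDR
# product's schema): {"ts": ISO timestamp, "kind": "alert" | "quarantine",
# "device": host id, "priority": "high" | "low" (alerts only)}
TARGET = timedelta(hours=1)  # the one-hour target for high-priority alerts


def containment_report(events, now, target=TARGET):
    """Pair each high-priority alert with the first quarantine of the same device
    that follows it, then report per-alert time-to-contain, alerts still open at
    `now`, and a summary against `target`."""
    parsed = sorted(
        (dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events),
        key=lambda e: e["ts"],
    )
    quarantines = {}
    for e in parsed:
        if e["kind"] == "quarantine":
            quarantines.setdefault(e["device"], []).append(e["ts"])

    rows, open_alerts = [], []
    for e in parsed:
        if e["kind"] != "alert" or e.get("priority") != "high":
            continue
        later = [q for q in quarantines.get(e["device"], []) if q >= e["ts"]]
        if not later:
            # no containment action recorded yet: still open, report its age
            open_alerts.append({"device": e["device"], "alerted": e["ts"],
                                "age": now - e["ts"]})
            continue
        contained = min(later)
        delta = contained - e["ts"]
        rows.append({"device": e["device"], "alerted": e["ts"],
                     "contained": contained, "time_to_contain": delta,
                     "within_target": delta <= target})

    hours = [r["time_to_contain"].total_seconds() / 3600 for r in rows]
    summary = {
        "high_alerts": len(rows) + len(open_alerts),
        "contained": len(rows),
        "open": len(open_alerts),
        "within_target": sum(r["within_target"] for r in rows),
        "median_hours": round(median(hours), 2) if hours else None,
        "worst_hours": round(max(hours), 2) if hours else None,
    }
    return rows, open_alerts, summary


# Constructed sample: a fast containment, a 58-hour one, a low-priority alert
# that is out of scope, an earlier unrelated quarantine, and one alert still open.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T10:00:00", "kind": "alert", "device": "dev-02", "priority": "high"},
    {"ts": "2026-03-04T20:00:00", "kind": "quarantine", "device": "dev-02"},
    {"ts": "2026-03-01T08:00:00", "kind": "quarantine", "device": "dev-01"},
    {"ts": "2026-03-02T09:00:10", "kind": "alert", "device": "dev-01", "priority": "high"},
    {"ts": "2026-03-02T09:25:00", "kind": "quarantine", "device": "dev-01"},
    {"ts": "2026-03-02T11:00:00", "kind": "alert", "device": "dev-03", "priority": "low"},
    {"ts": "2026-03-05T08:00:00", "kind": "alert", "device": "dev-04", "priority": "high"},
]
SAMPLE_NOW = datetime(2026, 3, 5, 9, 30, 0)


def run_sample():
    """Run the report over the constructed events at the constructed 'now'."""
    return containment_report(SAMPLE_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    rows, open_alerts, summary = run_sample()
    for r in rows:
        flag = "ok" if r["within_target"] else "BREACH"
        print(f"{r['device']}: contained after {r['time_to_contain']} [{flag}]")
    for o in open_alerts:
        print(f"{o['device']}: still open, age {o['age']}")
    print(summary)
```

Run against a real export, the open-alerts list is the number to watch during a tabletop exercise: an alert with no quarantine action is the Capita pattern in progress, and its age, not the eventual median, is what the regulator priced.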

What UK companies should do next

The 2024-2026 ICO enforcement record gives UK security leaders a rare gift: a precise, evidence-backed list of what to fix. The harder question is delivery capacity, particularly for mid-market firms running lean security teams against a regulatory agenda that now includes ICO, FCA, Ofcom, NCSC and a forthcoming Cyber Security and Resilience Bill regime. The sequence that consistently produces the best risk-reduction-per-pound is straightforward. Start with an Article 32 control gap assessment mapped directly to the failure types in the Capita, Advanced and 23andMe notices. Follow with targeted penetration testing on the surfaces the regulator has shown it cares about: internet-facing admin, customer authentication, processor-side integrations, special-category data stores. Wire continuous detection and containment into a 24x7 SOC capable of compressing alert-to-quarantine time below the threshold the ICO has now publicly criticised. Layer in attack-simulation exercises so the 72-hour breach-notification machinery is rehearsed rather than improvised. Where AI processing is now consequential, run a focused AI risk assessment against the Cyber Assessment Framework v4.0 outcomes.

UK organisations frequently ask whether this can be delivered cost-effectively against UK day rates, particularly for the 24x7 monitoring layer. Certbar Security is a CERT-In empanelled VAPT, SOC and compliance partner based in India, working with UK clients across fintech, health-tech and e-commerce. The offshore-delivery model materially lowers the cost of continuous monitoring and audit-evidence production while time-zone coverage gives UK security teams overnight eyes on the alerts that the ICO has shown will be examined in any future enforcement notice. Our work maps directly to ICO Article 32 expectations, FCA operational-resilience scenarios, and the forthcoming Cyber Security and Resilience Bill incident-reporting timelines.

For UK readers who want to map this against equivalent frameworks for India-linked processing, the same control logic underpins our DPDP Act compliance consulting and attack simulation work. The regulators differ; the underlying control checklist increasingly does not. The companies that come through 2026 without a penalty notice will be the ones that read the ICO's published reasoning literally and closed the named gaps before the next high-priority alert arrives. The £14m Capita settlement, the £3.07m Advanced fine and the £2.31m 23andMe penalty all turned on controls the ICO has not bothered to invent. They were already in NCSC guidance. The enforcement question for 2026 is whether your operational evidence matches what the regulator has already told you it expects.

Nirav Goti, Co-Founder & CEO

Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

The largest single ICO penalty under UK GDPR to date is the £14m fine issued on 15 October 2025 against Capita plc (£8m) and Capita Pension Solutions (£6m). The root cause was a 58-hour delay quarantining an infected device after a high-priority security alert was raised within 10 minutes, leading to exposure of personal data belonging to 6.6 million people. The initial proposed fine was £45m, reduced via voluntary settlement under which Capita waived its right to appeal.