What are GDPR fines for small businesses UK?
The ICO can fine businesses up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious UK GDPR breaches. For less serious breaches, the cap is £8.7 million or 2% of turnover. In practice, small business fines are much lower, but they do happen.
Full answer
The UK GDPR (retained from the EU after Brexit) gives the Information Commissioner's Office (ICO) significant fining powers. But it's important to understand how these actually apply to small businesses.
- Tier 1 (serious breaches, e.g. unlawful processing, no consent): up to £17.5m or 4% of global annual turnover
- Tier 2 (less serious, e.g. technical failures): up to £8.7m or 2% of global annual turnover
In practice for small businesses: The ICO takes a proportionate approach. The largest fines go to large organisations. However, small businesses are not immune — the ICO has fined businesses with turnover well under £1m.
- A small company fined £4,400 for sending unsolicited marketing emails
- A taxi firm fined £8,500 for inadequate security leading to a breach
- A GP surgery fined for leaving patient records accessible
Common ways the ICO becomes involved with a small business:
- A data breach reported to the ICO
- A complaint from an individual
- A subject access request handled badly
- Unsolicited marketing (PECR rules)
Practical steps that reduce the risk of a fine:
- Have a simple data breach response plan
- Know what personal data you hold and why
- Use a data processing register (even a simple spreadsheet)
- Train staff on basic data protection
- Respond to subject access requests within 1 month
The ICO's fine isn't the only risk — reputational damage and loss of customer trust often costs more than the penalty itself.
Related questions
How long do I have to report a data breach UK?
Under UK GDPR, you must report a personal data breach to the ICO within 72 hours of becoming aware of it — if it's likely to result in a risk to people's rights and freedoms. The clock starts when you (as an organisation) become aware, not just when it's confirmed.
How long do I have to respond to a subject access request?
Under UK GDPR, you have 1 calendar month from receipt of a valid subject access request (SAR) to respond. You can extend this by a further 2 months for complex or numerous requests — but you must tell the individual within the first month that you're extending and why.
Do I need to give an employment contract from day one?
Yes. Since April 6, 2020, employers must provide a written statement of employment particulars on or before the employee's first day of work. This replaced the old 2-month rule. Failure to do so is automatically an unlawful act.