The biggest ICO fines for data protection breaches and GDPR contraventions

We look at the organisations that have been hit the hardest for breaching information rights in the UK


The risks of data breaches got far higher on 25 March 2018, when the General Data Protection Regulation was introduced, raising the maximum penalty for contraventions to up to €20m (£17.5m) or 4 percent of global turnover, whichever is the greater.

In the UK, the Information Commissioner's Office (ICO) has dished out numerous six-figure fines, but none has yet exceeded £500,000, the maximum penalty that was available under the Data Protection Act 1998. It has, however, served an enforcement notice on AggregateIQ, a Canadian company that supplied software to Cambridge Analytica. This was the first formal enforcement action under GDPR and the UK Data Protection Act 2018, which will mirror the EU regulation in post-Brexit Britain.

The notice warned that if AggregateIQ failed to cease its processing of personal data of UK or EU citizens for the purposes of data analytics, political campaigning or advertising, it could face an eye-popping fine under the terms of GDPR.

We'll be keeping an eye on whether they or anyone else receives the first penalty for a GDPR breach in the UK. In the meantime, here are the biggest fines that the ICO has issued so far.
