Information Commissioner's Office (ICO) Enforcement Trends 2025

ICO enforcement powers

In this update, we provide an overview of the ICO’s enforcement actions from the last couple of months. We spotlight noteworthy trends across both private and public sector organisations alike, emphasising why this is significant for your organisation. We also provide brief comments on the importance of safeguarding children’s data based on the ICO’s recent initiatives.

The ICO has several enforcement powers at its disposal to ensure that organisations meet their data protection obligations, which include:

  • Enforcement Notices – requiring organisations either to take specified steps or to cease a particular activity to comply with their data protection obligations.
  • Monetary penalties – penalties which could amount to up to £17.5m or 4% of global turnover (whichever is greater).
  • Issuing reprimands – the ICO issues reprimands where it believes that an organisation has not complied with the requirements of the Data Protection Act 2018 (accompanied by a list of reasons for the decision and actions that an organisation should take).
  • Prosecutions – whereby individuals may be personally liable for accessing or using personal data unlawfully.

A summary of the ICO’s decisions/enforcement action

Between July 2024 and February 2025, the ICO took a total of 25 actions, making use of various enforcement powers at its disposal. Some of the notable trends during this period include:

In October 2024, the ICO reprimanded a law firm following a data breach where an unknown threat actor gained unauthorised access to a secure cloud-based server using legitimate credentials. The compromised data, which included sensitive personal information, was later published on the dark web, affecting 8,234 UK data subjects - 863 of whom were deemed to be at high risk due to the nature of the data compromised. The breach resulted from inadequate security measures, such as the lack of multi-factor authentication. In view of this, the reprimand emphasises the need for organisations to have appropriate technical and organisational measures in place to protect personal data.

Following several complaints about unsolicited phone calls regarding life insurance and later life planning, the ICO launched an investigation that resulted in fines totalling £290,000 and enforcement notices for 2 finance insurance and credit organisations. One of the organisations made 4,376,037 calls, using over 1,000 different telephone numbers to conceal their outbound phone number. The other organisation failed to provide evidence that anyone called had consented to receive marketing calls. This enforcement action highlights the ICO’s commitment to protecting individuals from unwanted marketing and ensuring that their right to opt out of such communications is respected.

In December 2024, the ICO reprimanded a Trust for failing to respond to 32% of subject access requests (SARs) within the statutory one-month timeframe. This failure was due to inadequate systems for logging and managing SARs, as well as challenges in ensuring the accuracy and completeness of the data required to fulfil the requests. The reprimand highlights the need for healthcare organisations to maintain comprehensive SAR logs to track the nature and status of requests to ensure timely responses within the statutory period. It also emphasises the importance of having a well-managed Record of Processing Activity (RoPA), which enables organisations to accurately document organisation-wide data processing activities and to support in identifying where data subject information is held to respond to DSAR requests received. 

The ICO's enforcement actions act as a cautionary signal about the potential consequences of non-compliance. Based on some of the recent ICO areas of focus, highlighted in this article, it’s worth considering the following within your own organisation:

  • Awareness - is data protection awareness training embedded throughout the employee lifecycle, to ensure that employees are aware of their data protection obligations.
  • Accountability - this remains one of the core principles of data protection. Are you truly embracing the GDPR’s accountability principle, ensuring that you not only follow regulations but actively demonstrate and document your commitment to responsible data handling?
  • Engaged in marketing activity - Stop! Can you provide the following evidence:
    1. Consent from the recipient, including an audit trail of the time and date consent was received.
    2. That any consent statement provided to data subjects was written in a clear and plain language for all to understand.
    3. That each data processing activity is clearly documented, and data subjects have been given the opportunity to positively opt in and opt out of any future marketing correspondence.

In February 2025, the ICO released guidance on ‘Employment Practices and Data Protection: Keeping Employment Records’, outlining employer obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The guidance sets out the types of records that should be kept, including personal, sickness, disciplinary, and training records, while emphasising compliance with key data protection principles such as fairness, lawfulness, and transparency. It also highlights the importance of having a lawful basis for processing employee data, the need for clear retention and deletion policies, and the additional safeguards required when handling special category or criminal offence data.

Furthermore, the guidance provides best practices for securely managing and sharing employment records, particularly when working with third parties such as payroll providers. Employers can also access practical resources, including checklists, to support in implementing best practices for data protection.

A summary of the ICO’s decisions/enforcement action

Between August 2023 and January 2024, the ICO took a total of 34 actions, making use of various enforcement powers at its disposal. Some of the notable trends during this period include:

The ICO has yet again pursued criminal prosecution against an individual who was found guilty of a serious breach. This individual was fined for unlawfully accessing social service records, not recognising that there are consequences associated with accessing records without proper authority or justification.

The ICO has increasingly handed down enforcement actions to both public and private sector organisations to address regulatory violations. In the last quarter, the ICO issued a total of 13 reprimands.

We note that, rather than imposing monetary fines, the ICO instead uses its other powers for public sector organisations. This is in line with the ICO's revised approach to public sector enforcement which seeks to avoid burdening public resources through fines. Earlier last year, the ICO clarified how organisations across public and private sectors can improve their data protection practices in the 'Lessons Learned from Reprimands' update. In this release, the ICO advised that organisations: 

In the last quarter, the ICO handed down enforcement notices and monetary penalties to 23 organisations that unlawfully sent over 79 million spam emails, 6.6 million direct messages and made over 1.8 million direct marketing calls (collectively), out of which almost 21,000 calls were made to CTPS and TPS registered numbers. This highlighted that organisations do not identify, plan, collect, nor respect people's preferences and continue to carry out direct marketing against the ICO's guidance.

The ICO conducted a total of 15 audits between August 2023 and January 2024. The audits concerned businesses operating in different sectors, including health, finance insurance and credit as well as central and local government agencies. Some of the themes across these audits included, amongst others, poor records management/the absence of a record of processing activities, insufficient data protection training/awareness, fair processing notices that do not contain all the requirements of Article 13 of the UK GDPR and poor data breach management and reporting.

The most significant fine during this period was issued to an organisation in the retail and manufacturing sector for sending 79 million spam emails and 1 million spam test messages over a period of 7 months. A fine of £140,000 was given to the organisation as the opt in statement did not explicitly state that personal data would be used for marketing purposes. The investigation was launched into the organisation after over 15,000 complaints were received. 

As can be seen in this example, direct marketing continues to remain an area of focus for the UK regulator, which has developed guidance on the matter. In the past, we prepared a short article discussing the ICO’s updated approach to direct marketing communications, which you can find here.

The ICO’s enforcement actions act as a cautionary signal about the potential consequences of non-compliance. Based on some of the recent ICO areas of focus, highlighted in this article, it’s worth considering the following within your own organisation:

  • Awareness – is data protection awareness training embedded throughout the employee lifecycle, to ensure that employees are aware of their data protection obligations.
  • Record of processing activities: do you carry out a regular, comprehensive data mapping exercise and maintain an up-to-date record of processing activities?
  • Policies and procedures: have you developed the necessary policies and procedures to support your data protection programme, including documents such as a data breach procedure, a data protection impact assessment procedure and a data subject rights’ procedure?
  • Accountability – this remains one of the core principles of data protection. Are you truly embracing the GDPR’s accountability principle, ensuring that you not only follow regulations but actively demonstrate and document your commitment to responsible data handling?
  • Engaged in marketing activity:Stop! Can you provide the following evidence:
    • Consent from the recipient, including an audit trail of time and date consent was received.
    • That consent statement was written in a clear and plain language for all to understand. 
    • That each data processing activity is clearly documented, and data subjects have been given the opportunity to positively opt in and opt out of any future marketing correspondence. 

If your organisation is unable to demonstrate the above, it is time to rethink your current approach to data protection compliance. It has been well-publicised over the last couple of years that non-compliance with data protection legislation can result in significant financial sanctions. There is, however, also a non-monetary implication such as the impact on the reputation and the loss of consumer trust. In an ever-changing privacy landscape, it is important to make sure your organisation remains aligned with the existing laws and the ICO’s most recent guidance. 

Between April 2023 and August 2023, the ICO has taken a total of 31 actions, making use of all the tools at its disposal. Some of the notable trends in the last quarter include:

The ICO has not hesitated to pursue criminal prosecutions against individuals found guilty of serious data protection breaches. An individual was fined and ordered to pay back monies for illegally obtaining personal data "to check if customers of a high street bank could repay their debts". This prosecution serves as a reminder that legal consequences can extend to individuals for not only mishandling personal data but also impersonating data subjects to unlawfully obtain their personal data. 

The public sector has not been immune to ICO enforcement actions. The ICO has increasingly resorted to issuing reprimands (rather than imposing monetary fines). This is in line with its revised approach, whereby the ICO seeks to avoid unduly burdening public resources through fines and instead encourages public sector bodies to improve data protection practices. In the last quarter, the ICO has issued a total of 16 reprimands to bodies in the public sector.

Direct marketing, including emails and calls, continues to be an area of significant concern, with a notable increase in enforcement actions. The ICO handed down enforcement notices, and monetary penalties to 7 organisations in the last quarter for collectively making unsolicited calls to over 986,000 individuals/businesses registered with the Telephone Preference Service (TPS) (TPS) and sending over 39 million emails and 107 million texts to individuals. 

Audits provide an assessment of whether an organisation is following good data protection practices and provides clarity on whether that organisation can expect closer scrutiny of their practices, including data handling, data governance, training, and the use of technical and organisational measures. Between April 2023 and August 2023, the ICO has carried out 14 audits (including follow-up audits) across health, criminal justice, charitable and voluntary, local government, and education and childcare sectors. 

A significant fine was issued to a social media company for several breaches of data protection law, including failing to process personal data in a lawful manner. As a result of the unlawful processing of over one million children under the age of 13, the company was fined £12.7m. The UK's Information Commissioner stated the fine reflects the serious impact the company's failure may have had, that there are laws in place to protect children in a digital world and the social media company failed to abide by the laws. 

The ICO’s enforcement actions act as a cautionary signal about the potential consequences of non-compliance. Direct marketing and specifically marketing to vulnerable people remains a central concern for the ICO, and this emphasis is expected to persist, especially in light of recent regulatory guidance. Based on some of the recent ICO areas of focus, highlighted in this article, it is worth considering the following within your own organisation:

  • Engaged in marketing activity: Stop! Can you provide evidence of consent from the recipients? Marketing remains an area of concern/focus for the ICO and the regulator have developed new guidance on sending bulk communications via email.
  • Awareness – is data protection awareness training embedded throughout the employee lifecycle, to ensure that employees are aware of their obligations.
  • Accountability - finally, it is worth noting that all enforcement action is published via the ICO website, with some cases picked up by media outlets. To reduce the risks associated with reputational damage as a result of data breach or incident, consider whether you are comfortable that your organisation is in a ‘defensible’ position and can evidence continued compliance with the requirements of the UK GDPR?

Compliance with data protection law is not optional, it is a legal requirement and failure to adhere can lead to enforcement actions. 

The ICO’s enforcement actions during the last quarter emphasised the continued importance of data protection and privacy. Organisations must remain vigilant in complying with applicable data protection regulation to avoid prosecution, fines, and reputational damage. 

Between October 2022 and March 2023, the ICO has taken a total of 32 actions, making use of all the tools at its disposal. Some of the notable trends in the last six months include:

Between October 2022 and March 2023, there has been an increased use of reprimands, instead of financial penalties across Health and Central government. This reflects the Information Commissioner’s revised approach to public sector enforcement, with the aim of enabling the Commissioner to exercise discretion to reduce the impact of fines on the public sector and increase engagement. The pilot has been running since June 2022 and will continue until June 2024.

The ICO handed down a total of £435,000 in fines to 5 organisations towards the end of 2022, for collectively calling over 500,000 people registered with the Telephone Preference Service (TPS) and attempting to make them sign up for white goods insurance, such as washing machine, kitchen appliance or boiler cover. For context, TPS is the UK's official 'Do Not Call' register for landline and mobile phone numbers whose users have indicated that they do not wish to receive sales and marketing telephone calls.

A further two organisations were fined £270,000 in December 2022 and February 2023 for collectively transmitting over 4 million direct marketing emails and text messages, crucially without the consent of the individuals.

The ICO also prosecuted two individuals, who were both fined and ordered to pay court costs and a victim surcharge for illegally accessing records (and in one instance, an NHS 111 employee accessing sensitive patient health data). This highlights that the ICO will take action against individuals operating independently when personal records are accessed unlawfully and jeopardise trust between a service and its users.

Between October 2022 and March 2023, the ICO has also carried out 20 audits (including follow-up audits) across Health, Criminal Justice, Charitable and Voluntary, Central Government, General Business and Education and Childcare sectors. The audits have the aim of providing the ICO and the relevant organisation with evidence of compliance with data protection legislation.

As is usually the case, information security - one of the key principles of the Data Protection Act 2018 - has also come into the spotlight. In this respect, it's worth noting that a significant fine amounting to £4.4m was handed to a Retail and Manufacturing organisation for failing to protect personal data which rendered the organisation vulnerable to a cyber-attack and affected the personal data of 113,000 employees.

The ICO’s enforcement action invariably sends ripples across organisations located in the UK, alerting them of the regulator's current focus and serving as a warning for the consequences of non-compliance. Indeed, direct marketing continues to be one of the focal points for the ICO, and we expect this trend to continue in the future, especially in light of the regulator's recent guidance on direct marketing using electronic mail.

Moreover, the cases concerning individual prosecutions should serve as cautionary tale for individuals attempting to access personal data in the course of employment without any business need to do so. Naturally, this should also form an important point of concern for organisations as such incidents could potentially jeopardise the trust and confidence of data subjects toward the organisation, especially where the nature of the relationship is based on these considerations.

Finally, with the risk of a potential audit by the ICO looming over UK-based organisations, the ability to evidence continued compliance with data protection obligations (i.e., demonstrating accountability) should remain an important focus of any compliance efforts.

Based on some of the recent ICO areas of focus, highlighted in this article, it’s worth considering the following within your own organisation:

  • If you are engaging in marketing activity - Are you comfortable that you hold (and can evidence) consent from the recipient?
  • Information security is a key principle or the UK GDPR, as set out in Article 5 - Are you comfortable that personal data is processed with appropriate security measures to protect personal data? Has this recently been stress tested?
  • Awareness - Is data protection awareness training embedded throughout the employee lifecycle, to ensure that employees are aware of their UK GDPR compliance obligations.
  • Accountability - Finally, it's worth noting that all enforcement action is published via the ICO website, with some cases picked up by media outlets. To reduce the risks associated with reputational damage as a result of data breach or incident, consider whether you are comfortable that your organisation is in a 'defensible' position and can evidence continued compliance with the requirements of the UK GDPR?

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.

SUBSCRIBE: DATA PRIVACY UPDATES

Related resources

Subscribe: Data Privacy Updates

Please refer to the Introduction to our Privacy Statement and the Contacts section, which tell you what we do with your personal information, your rights and other relevant information.