SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
ICO fines rise 370% as watchdog targets big breaches

Thu, 11th Jun 2026

Bridewell's analysis found that the average value of monetary penalties issued by the Information Commissioner's Office has risen 370% since 2023. The research indicates larger fines despite a lower volume of penalties.

The cybersecurity company examined published ICO enforcement records from 2023 to 2026 and found 58 monetary penalties worth more than £55 million were issued over that period. The number of penalties handed out between 2023 and 2025 fell by 36%, while the average value rose from just over £675,000 in 2023 to almost £3.2 million so far in 2026.

The figures suggest the regulator has shifted towards fewer but more expensive sanctions. Monetary penalties are one part of a wider enforcement toolkit that also includes enforcement notices, reprimands and prosecutions for serious breaches of data protection law.

In 2023, the ICO issued 22 penalties with a combined value of nearly £15 million. Most were below £250,000, but the total was heavily influenced by a £12.7 million fine for TikTok after the regulator found breaches including the unlawful use of children's personal data.

The following year saw a marked drop in total penalty value. In 2024, 17 penalties were issued worth about £2.5 million in total, with the largest being a £750,000 fine for the Police Service of Northern Ireland over the unauthorised disclosure of officer and staff details in response to a freedom of information request.

Penalty values rose again in 2025. The ICO issued 14 monetary penalties with a combined value of £21.7 million, the highest annual total in the period reviewed, and the average fine reached £1.6 million.

Among the larger cases that year was a £14 million penalty for Capita. The ICO found the outsourcing company had not responded quickly enough to a cyberattack that compromised the data of more than six million people and had failed to stop attackers moving through internal systems and reaching more sensitive data.

So far in 2026, five monetary penalties have already exceeded £15 million in total. The largest was a £14.4 million fine for Reddit over failures to properly verify users' ages, which the regulator said led to the unlawful processing of children's data.

Sector split

The data also showed a sharp difference between sectors in both the number and size of penalties. Marketing organisations received the highest number of monetary penalties since 2023, with 17 cases, but the average fine in that sector was £106,765.

By contrast, online technology and telecoms companies received only five penalties over the same period, but their average penalty was more than £5.7 million. That made the sector the most heavily fined on an average basis, according to the analysis.

The broader enforcement picture was more mixed. Alongside the 58 monetary penalties, Bridewell counted 49 enforcement notices, 65 reprimands and three prosecutions since 2023.

That pattern may indicate the ICO is reserving monetary penalties for more serious cases while using other interventions for less severe or first-time breaches. The higher-value sanctions that have been issued have often centred on children's privacy, security failures and the misuse of personal data at scale.

Chris Linnell, Associate Director of Data Privacy at Bridewell, commented on the findings and the direction of regulation.

"Although the rise in average fines is significant, it reflects a more targeted approach from the ICO rather than just an increase in enforcement activity. There's a strong emphasis emerging around areas like children's privacy, the safe use of AI and nuisance communications, and with expanded powers now available, organisations need to be prepared for a more proactive regulator," Linnell said.

He said the size of a penalty often depends on more than the incident itself.

"The key point many organisations overlook is that the size of a fine isn't driven by the incident alone. The ICO places a significant amount of weight on how well accountability is demonstrated. That means having controls that are genuinely embedded across people, processes and technology and being able to evidence that they are working effectively in practice," Linnell said.

Linnell also pointed to the need for organisations to understand what personal data they hold and the risks attached to it.

"It also highlights the importance of organisations really understanding the context of their data processing. Knowing what data you hold, why you hold it and the potential risks involved is essential, not just for compliance but for managing the impact on individuals if something does happen," Linnell said.

He added that public scrutiny of privacy issues is growing.

"At the same time, public awareness is increasing. High-profile fines are now part of the mainstream conversation, and privacy is becoming a more visible differentiator in the market. That's raising expectations across the board, meaning good data protection is no longer optional - it's a fundamental requirement," Linnell said.