2025 was a significant year for ICO enforcement. The regulator continued its focus on direct marketing violations and cyber security failures, while also turning its attention to more complex processing activities including AI decision-making and children's data. Understanding the enforcement landscape helps organisations prioritise their compliance investment.
The ICO's Enforcement Powers Under UK GDPR
The Information Commissioner's Office can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements of UK GDPR: breaches of the data protection principles and lawful basis requirements, of data subjects' rights, of the international transfer rules, and failure to comply with an ICO order. A lower tier of £8.7 million or 2% of global turnover (whichever is higher) applies to breaches of the controller and processor obligations in Articles 25 to 39, which include the Article 32 security duty, records of processing, DPIAs and processor contracts. Being in the lower tier is no comfort in practice: most cyber security penalties are issued under it.
Beyond fines, the ICO can also issue: reprimands (a formal statement of concern, published on the ICO website), enforcement notices (legally binding orders to take specific action or stop processing), and information notices (requiring organisations to provide information to the ICO). The reputational impact of a published reprimand should not be underestimated — even where no fine is issued.
Enforcement Trend 1: Direct Marketing
Unlawful direct marketing, particularly cold calling and unsolicited email and text messages, remains the most common source of ICO enforcement action. Under PECR (the Privacy and Electronic Communications Regulations 2003), organisations need the recipient's prior consent before sending marketing emails or texts to individuals, unless the narrow "soft opt-in" applies (the details were collected in the course of a sale or negotiations for a sale of your own similar products or services, and the person was given a simple way to refuse marketing both at collection and in every subsequent message). Live marketing calls must not be made to numbers registered with the Telephone Preference Service (TPS) unless the person has told you they do not object to your calls, and automated (recorded) marketing calls require prior consent in every case.
The ICO has been clear that buying marketing lists does not transfer the consent burden. If you purchase a list and contact individuals who have not specifically consented to receive marketing from your organisation, you are likely in breach of PECR regardless of what the list provider claims. Consent given to the broker, or a generic tick box covering "selected third parties", does not cover you: the individual must have clearly expected to hear from your organisation by name. Keep the evidence of consent (what was shown, when, and how the person agreed) for every contact on your list, because that record is the first thing the ICO will ask for.
Enforcement Trend 2: Cyber Security Failures
Article 32 of UK GDPR requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The ICO has consistently found that organisations experiencing ransomware attacks or data breaches had failed to implement basic security measures, including:
- Multi-factor authentication on internet-facing systems and remote access
- Regular patching of known vulnerabilities
- Staff training on phishing and social engineering
- Network segmentation to limit the blast radius of a breach
- Regular backup testing to ensure recovery is possible
The ICO does not expect organisations to be impenetrable — it expects them to have taken reasonable and proportionate steps given the nature of the data they hold. A GP practice holding sensitive health data will be held to a higher standard than a sole trader with a simple contact database.
Enforcement Trend 3: Children's Data
The ICO's Children's Code (the Age Appropriate Design Code) came into force in September 2020 with a twelve-month transition period, so it has been fully enforceable since September 2021, and enforcement action against online services likely to be accessed by children ramped up significantly in 2024 and 2025. The test is whether children are likely to use the service in practice, not whether it is aimed at them. Organisations operating apps, websites, or online services that children are likely to access must:
- Apply the highest privacy settings by default for child users
- Not use nudge techniques to encourage children to provide unnecessary personal data
- Switch profiling off by default, and only profile children (including for targeted advertising) where there is a compelling reason and appropriate safeguards are in place
- Conduct a DPIA covering the risks to children's privacy before launching the service
What Should Your Organisation Prioritise?
Based on the 2025 enforcement picture, the following areas represent the highest priority for most UK organisations:
- Marketing consent: Audit your marketing lists and consent records. Implement double opt-in processes and maintain suppression lists for those who have opted out.
- Cyber security basics: Ensure MFA is enabled on all internet-facing systems and remote access, including administrator and third-party support accounts. Keep a patching log that records when fixes for known vulnerabilities were applied and why any were deferred. Train staff on phishing and test the backups you would rely on after a ransomware attack.
- Breach response: Have a documented breach response process. Know the 72-hour deadline for notifying the ICO of a personal data breach that is likely to result in a risk to individuals (the clock runs from the point you become aware of the breach), and the separate duty to tell the affected individuals without undue delay where the risk to them is high. Appoint a named individual responsible for breach decisions, and record the reasoning for any decision not to notify.
- Third-party risk: Review your supplier agreements. Ensure Article 28 data processing agreements (DPAs) are in place with all data processors, and that they cover security measures, sub-processors and breach notification timescales.
- Privacy notices: Review your privacy notices for accuracy and plain language. Ensure they reflect what you actually do with personal data.
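As an added illustration (not code from the article or from Folelse), the Python routine below applies the PECR rules from Enforcement Trend 1 and the marketing consent priority above to a planned send list: a suppression entry always wins, email and SMS need your own confirmed consent record (consent captured by a list broker is rejected), and live calls are blocked for TPS-registered numbers unless the person has opted in with you. The record fields, the two-year consent freshness policy and all sample contacts are assumptions constructed for the example.

```python
"""PECR send-list screening: added example, not code from the original article.

Field names, the two-year consent-freshness policy and all sample records are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Consent:
    contact: str          # email address or phone number
    channel: str          # "email", "sms" or "call"
    granted_to: str       # organisation named when consent was collected
    collected_on: date
    confirmed: bool       # double opt-in (confirmation link or reply) completed


def screen_contact(contact, channel, sender, consents, suppression, tps, today,
                   max_age=timedelta(days=730)):
    """Decide whether one planned marketing contact is permissible under PECR.

    Returns (allowed, reason). The suppression list wins over everything:
    an opt-out must be honoured even if an older consent record exists.
    """
    if contact in suppression:
        return False, "suppressed: individual has opted out"

    matching = [c for c in consents if c.contact == contact and c.channel == channel]
    own = [c for c in matching if c.granted_to == sender]

    if channel in ("email", "sms"):
        if not own:
            if matching:
                # Consent captured by a list broker or another organisation
                # does not transfer to us (Enforcement Trend 1).
                return False, f"consent was given to {matching[0].granted_to}, not {sender}"
            return False, "no consent record"
        latest = max(own, key=lambda c: c.collected_on)
        if not latest.confirmed:
            return False, "consent not confirmed (double opt-in incomplete)"
        if today - latest.collected_on > max_age:
            # Assumed house policy: treat consent older than two years as stale.
            return False, f"consent from {latest.collected_on} is older than policy allows"
        return True, f"confirmed consent collected {latest.collected_on}"

    if channel == "call":
        # Live calls need no prior consent, but TPS-registered numbers are
        # off limits unless the person has told us they do not object.
        if contact in tps and not own:
            return False, "number is TPS-registered and we hold no opt-in"
        return True, "live call permitted"

    return False, f"unknown channel {channel!r}"


def screen_list(send_list, sender, consents, suppression, tps, today):
    """Screen every (contact, channel) pair; returns {pair: (allowed, reason)}."""
    return {(contact, channel): screen_contact(contact, channel, sender, consents,
                                               suppression, tps, today)
            for contact, channel in send_list}


def demo():
    """Run the screen over constructed sample data for a fictional sender."""
    sender = "Acme Widgets Ltd"
    today = date(2025, 11, 1)
    consents = [
        Consent("alice@example.com", "email", sender, date(2025, 3, 10), True),
        Consent("bob@example.com", "email", "ListBroker Ltd", date(2025, 5, 2), True),
        Consent("carol@example.com", "email", sender, date(2025, 9, 20), False),
        Consent("dave@example.com", "email", sender, date(2022, 6, 1), True),
        Consent("+447700900123", "sms", sender, date(2025, 8, 14), True),
        Consent("+447700900321", "call", sender, date(2025, 7, 1), True),
    ]
    suppression = {"+447700900123"}                     # opted out after consenting
    tps = {"+447700900456", "+447700900321"}            # TPS-registered numbers
    send_list = [
        ("alice@example.com", "email"),
        ("bob@example.com", "email"),
        ("carol@example.com", "email"),
        ("dave@example.com", "email"),
        ("+447700900123", "sms"),
        ("+447700900456", "call"),
        ("+447700900321", "call"),
        ("+447700900789", "call"),
    ]
    return screen_list(send_list, sender, consents, suppression, tps, today)


if __name__ == "__main__":
    for (contact, channel), (allowed, reason) in demo().items():
        print(f"{'SEND ' if allowed else 'BLOCK'} {channel:5} {contact:22} {reason}")
```

Running the script prints one decision per planned contact with its reason; in practice the reason string is what you would keep alongside the send record, since a regulator asks not only whether you had consent but how you decided you did. The freshness cut-off is a policy choice: PECR sets no fixed expiry for consent, but the ICO expects it to be recent enough that the person would still expect to hear from you.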
Folelse's compliance dashboard gives you a real-time view of your organisation's risk across all these areas, with automated alerts when action is needed.