The UK Information Commissioner's Office publishes its enforcement actions on a rolling basis. We scraped and deduplicated the full public listing, covering 22 January 2022 to 20 February 2026, and found 171 unique enforcement actions against named organisations.
The breakdown by action type is not surprising on its own. What is surprising is how differently public and private sector organisations are treated.
What 171 enforcement actions look like
| Enforcement Type | Count | Share |
|---|---|---|
| Reprimands | 95 | 55.6% |
| Monetary penalties | 36 | 21.1% |
| Enforcement notices | 31 | 18.1% |
| Information notices | 6 | 3.5% |
| Prosecutions | 3 | 1.8% |
More than half of all actions are reprimands. The ICO's most common enforcement response is, in effect, a formal letter of concern. But this average masks a significant split in who receives what.
Public sector: 80% reprimands
Of the 64 enforcement actions against public sector bodies (police forces, councils, central government departments), 51 were reprimands. That is 79.7%.
Only two monetary penalties were issued to public bodies across the entire four-year period: £750,000 to the Police Service of Northern Ireland and £350,000 to the Ministry of Defence. Both organisations had previously received reprimands.
| Public Sector Action Type | Count | Share |
|---|---|---|
| Reprimands | 51 | 79.7% |
| Enforcement notices | 6 | 9.4% |
| Information notices | 5 | 7.8% |
| Monetary penalties | 2 | 3.1% |
The contrast with the private sector is stark.
Private sector: fines first
Of the 66 enforcement actions against private sector organisations, 28 were monetary penalties (42.4%). A further 20 were enforcement notices, which carry legal obligations to change behaviour. Only 18 were reprimands.
| Private Sector Action Type | Count | Share |
|---|---|---|
| Monetary penalties | 28 | 42.4% |
| Enforcement notices | 20 | 30.3% |
| Reprimands | 18 | 27.3% |
When the ICO takes enforcement action against a public body, the outcome is a reprimand 80% of the time. When it acts against a private company, the outcome is a fine 42% of the time and an enforcement notice 30% of the time. The same regulator, different playbooks.
£17.6 million in fines, but one case dominates
Across 30 actions where fine amounts were parseable from the ICO's published descriptions, the total was £17,627,373. However, a single case accounts for 72% of that total.
| Organisation | Fine | Date | Sector |
|---|---|---|---|
| TikTok | £12,700,000 | 15 May 2023 | Online technology |
| LastPass UK Ltd | £1,228,283 | 20 Nov 2025 | Online technology |
| Police Service of Northern Ireland | £750,000 | 3 Oct 2024 | Criminal justice |
| Ministry of Defence | £350,000 | 26 Feb 2024 | Central government |
| MediaLab.AI, Inc. | £247,590 | 4 Feb 2026 | Online technology |
| Bharat Singh Chand | £200,000 | 16 Sep 2025 | Unknown |
| ESL Consultancy Services Ltd | £200,000 | 5 Dec 2024 | Finance |
| HelloFresh (Grocery Delivery E-Services UK) | £140,000 | 12 Jan 2024 | Retail |
Excluding TikTok, total fines across four years were £4,927,373. The median monetary penalty for private companies is modest. The ICO's financial bite, outside of headline cases, is limited.
13 organisations have appeared more than once
We resolved entity names and found 13 organisations with multiple enforcement actions. Most are public bodies receiving repeated reprimands. Two cases show a clear escalation from reprimand to fine.
| Organisation | Actions | Progression |
|---|---|---|
| Home Secretary | 3 | Reprimand (Aug 2022) to Reprimand (Sep 2022) to Reprimand (Oct 2022) |
| Ministry of Justice | 3 | Reprimand (Aug 2022) to Reprimand (Apr 2023) to Reprimand (Sep 2023) |
| Police Service of Northern Ireland | 2 | Reprimand (Oct 2023) to £750,000 fine (Oct 2024) |
| Ministry of Defence | 2 | Reprimand (Jul 2022) to £350,000 fine (Feb 2024) |
| Crown Prosecution Service | 2 | Reprimand (Aug 2022) to Enforcement notice (Jan 2024) |
| South Wales Police | 2 | Reprimand (Aug 2022) to Enforcement notice (Oct 2025) |
| Home Office | 2 | Enforcement notice (Mar 2024) to Information notice (Jan 2026) |
| Greater Manchester Police | 2 | Reprimand (Mar 2025) to Reprimand (May 2025) |
| Kent Police | 2 | Reprimand (Sep 2022) to Reprimand (Mar 2024) |
| London Borough of Hackney | 2 | Reprimand (Sep 2022) to Reprimand (Jul 2024) |
| London Borough of Lambeth | 2 | Reprimand (Sep 2022) to Information notice (Jan 2026) |
| London Borough of Lewisham | 2 | Enforcement notice (Mar 2023) to Reprimand (Aug 2023) |
| Cover Appliance Ltd | 2 | Enforcement notice (Sep 2023) to Fine (Sep 2023) |
The PSNI and MoD cases are notable: both received reprimands that were followed within 12 to 19 months by six-figure fines. A reprimand does not mean the matter is closed.
2023 was peak enforcement, then volumes fell
| Year | Actions | Note |
|---|---|---|
| 2022 | 32 | Partial year (from 22 January) |
| 2023 | 63 | Peak year |
| 2024 | 39 | 38% drop from 2023 |
| 2025 | 28 | 28% drop from 2024 |
| 2026 | 9 | Partial year (to 20 February) |
Enforcement volume roughly halved between 2023 and 2025. Whether this reflects reduced regulatory capacity, a shift toward fewer but larger cases, or improved compliance across the board is not something this dataset alone can answer.
Sectors under pressure
| Sector | Actions | Most Common Type |
|---|---|---|
| Criminal justice (police) | 24 | Reprimands |
| Local government | 23 | Reprimands |
| Health | 17 | Reprimands |
| Marketing | 16 | Monetary penalties |
| Central government | 14 | Reprimands |
| General business | 13 | Monetary penalties |
| Finance, insurance, credit | 11 | Monetary penalties |
| Online technology and telecoms | 6 | Monetary penalties |
Police forces and councils account for the highest absolute volumes but receive almost exclusively reprimands. Marketing and general business organisations are far more likely to receive fines. The technology sector has fewer actions but the highest individual penalties (TikTok, LastPass, MediaLab).
What this means in practice
If you sell to the UK public sector: ICO enforcement data is a map of which departments and police forces have recent data protection issues. A reprimand often indicates an active remediation programme and budget allocation for compliance tooling. The Home Office, MoJ, and multiple police forces have received repeated actions.
If you sell to UK private companies: A monetary penalty or enforcement notice is a strong signal that the organisation is under regulatory pressure and actively reviewing its data protection posture. These organisations have board-level awareness of the problem.
If you are assessing third-party risk: Repeat enforcement actions against the same entity are a leading indicator. The PSNI went from reprimand to £750,000 fine within 12 months. Organisations appearing in this dataset more than once warrant closer scrutiny.
Method note
Data source: ICO public enforcement page at ico.org.uk/action-weve-taken/enforcement/, scraped using a headless browser (the ICO page is JavaScript-rendered and does not offer an API or structured data feed).
Scope: All paginated results returned by the ICO enforcement page as of 20 February 2026. This returned 536 raw rows across 50 pages, which deduplicated to 171 unique enforcement actions (based on organisation name and date). The earliest action in the dataset is 22 January 2022.
Sector classification: Sectors are as published by the ICO. We did not reclassify any entries. Twenty-three actions (13.5%) had no sector listed. The public/private split was determined by grouping "Criminal justice", "Local government", "Central government", and "Education and childcare" as public sector.
Fine amounts: Parsed from the ICO's description text using pattern matching for sterling amounts. Of 36 monetary penalty actions, 30 had amounts parseable from the description. Six monetary penalties did not include parseable amounts in the published summary.
Entity resolution: Repeat offender analysis was based on resolved entity records, not raw string matching. This reduces but does not eliminate the possibility of false merges or missed matches for organisations that appear under different legal names.
Caveats: This dataset may not represent the complete history of ICO enforcement; it represents what the ICO's website returned through paginated browsing as of the scrape date. Earlier actions may exist that are no longer paginated. The years 2022 and 2026 are partial years (starting 22 January and ending 20 February, respectively). The decline in enforcement volumes could reflect pagination limits rather than a true trend.
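The deduplication, fine parsing and public sector grouping described in this method note can be sketched as follows. This is an added example, not the code used for the analysis; the regular expression, the name normalisation, the row fields and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Sector labels the article groups as public sector.
PUBLIC_SECTORS = {"Criminal justice", "Local government",
                  "Central government", "Education and childcare"}
# Assumed pattern: matches "£750,000", "£1,228,283", "£12.7 million", "£350k".
AMOUNT_RE = re.compile(r"£\s?(\d[\d,]*(?:\.\d+)?)\s*(million|m|k)?\b", re.I)
SCALE = {None: 1, "million": 1_000_000, "m": 1_000_000, "k": 1_000}

def dedupe(rows):
    """Keep the first row for each (organisation, date) pair."""
    seen, unique = set(), []
    for row in rows:
        # Assumption: collapse whitespace and case before comparing names.
        key = (" ".join(row["org"].split()).casefold(), row["date"])
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique

def parse_fine(description):
    """Return the first sterling amount in whole pounds, or None."""
    m = AMOUNT_RE.search(description)
    if m is None:
        return None  # reported as "not parseable", never as zero
    unit = m.group(2).lower() if m.group(2) else None
    return round(float(m.group(1).replace(",", "")) * SCALE[unit])

def public_sector_shares(rows):
    """Percentage of each action type among public sector rows."""
    types = Counter(r["type"] for r in rows if r["sector"] in PUBLIC_SECTORS)
    total = sum(types.values())
    return {t: round(100 * n / total, 1) for t, n in types.items()}

# Constructed sample rows (not ICO data); the second is a pagination duplicate.
FIELDS = ("org", "date", "sector", "type", "desc")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Example Police", "2024-10-03", "Criminal justice", "Monetary penalty", "Fined £750,000."),
    ("example  police", "2024-10-03", "Criminal justice", "Monetary penalty", "Fined £750,000."),
    ("Example Council", "2022-09-12", "Local government", "Reprimand", "Reprimand issued."),
    ("Example Department", "2023-04-01", "Central government", "Reprimand", "Reprimand issued."),
    ("Example Marketing Ltd", "2023-09-05", "Marketing", "Monetary penalty", "Fined £200k for calls."),
]]

if __name__ == "__main__":
    unique = dedupe(ROWS)
    print(len(ROWS), "raw ->", len(unique), "unique")
    print([parse_fine(r["desc"]) for r in unique])
    print(public_sector_shares(unique))
```

Returning `None` for descriptions without an amount keeps unparseable penalties out of the total instead of counting them as zero, which is why the fine total covers fewer actions than the monetary penalty count.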
What we did not include in this article
This analysis used the ICO's public enforcement summaries. Internally, we went further: we resolved each of the 171 organisations against UK Companies House records, pulled active directors and officers, mapped corporate ownership hierarchies, and cross-referenced the full list against 7,600+ ransomware victim reports and breach disclosures from US federal and state regulators.
Some of these organisations appear in more than one dataset. Some share directors with other entities that have their own enforcement history. That second-order analysis is where the pattern gets more interesting, but it is not something we can reproduce from a single public page.