GDPR Fine Risk Calculator 2025/26
Estimate your ICO GDPR fine risk and compliance exposure in 2025/26. Answer questions about your data processing scale, breach history, security measures and governance to receive a risk rating (low/medium/high/critical), the theoretical maximum fine applicable to your organisation and recommended priority actions.
Key Inputs
- Annual global turnover (£)
- Number of personal data records held
- Processes special category data (health, biometric, criminal records, etc.)?
- Previous ICO enforcement action or formal warning?
- Data Protection Officer (DPO) appointed?
- GDPR training completed across organisation?
- Data breach in the last 2 years?
What You'll Get
- Risk level (low / medium / high / critical)
- Maximum theoretical fine (4% of global turnover or £17.5M — whichever is higher, for serious breaches)
- Standard infringement maximum (2% of global turnover or £8.7M)
- Example ICO enforcement actions for similar organisations
- Priority recommended actions to reduce risk
Important Notes — 2025/26 Rates & Caveats
UK GDPR maximum fines (Data Protection Act 2018, as updated): serious infringements (Articles 5, 6, 9, 12-22) — up to £17.5M or 4% of annual global turnover, whichever is higher; standard infringements (Articles 25-39, 42-43) — up to £8.7M or 2% of global turnover. The ICO primarily focuses enforcement on large organisations; SMEs with first violations typically receive warnings or improvement notices. However, serious breaches involving special category data (health data, biometric data) can result in significant fines even for smaller organisations.
Frequently Asked Questions
What is the maximum GDPR fine in the UK?
The maximum UK GDPR fine is £17.5 million or 4% of annual global turnover — whichever is higher — for the most serious infringements (such as failing to have a lawful basis for processing, inadequate security leading to a large data breach, or systematic violation of data subject rights). Lower-tier infringements carry a maximum of £8.7 million or 2% of global turnover. The ICO has the power to issue these fines, and in practice has issued fines ranging from a few thousand pounds to tens of millions.
Is the ICO likely to fine a small business?
The ICO focuses its major enforcement action on large organisations that affect many people or that show systematic non-compliance. Small businesses experiencing a first incident are more likely to receive a reprimand or improvement notice than a fine. However, serious breaches — particularly those involving health or financial data, or those caused by poor security that could have been prevented — can result in fines for organisations of any size. The ICO also considers the size of the organisation when calculating fine amounts.
What triggers an ICO investigation?
The three main triggers for an ICO investigation are: (1) a self-reported data breach — organisations with 250 or more employees, or where a breach poses significant risk to individuals, must report to the ICO within 72 hours; (2) a complaint from an individual whose rights were not respected (subject access requests ignored, data used without consent, etc.); and (3) a proactive sector investigation — the ICO periodically investigates specific sectors it has identified as higher risk, such as direct marketing, healthcare and financial services.