The Information Commissioner's Office (ICO) has one job: to uphold information rights in the public interest. When businesses fail to protect personal data, the ICO has the power to issue fines of up to £17.5 million under the UK GDPR, and up to £500,000 under PECR for cookie and electronic communications violations.
The cases below are composites based on real ICO enforcement patterns. The specific details have been anonymised, but every scenario reflects actual enforcement actions taken against UK organisations. Each one carries lessons that apply to any business that collects or processes personal data through its website.
Case 1: E-commerce company fined for storing payment data unencrypted
What happened: A mid-sized online retailer with 50,000 customers suffered a database breach. When investigators examined the database, they found that full payment card details — card numbers, expiry dates, and CVVs — were being stored in plaintext. The company had built a custom checkout system that saved every card detail to make "one-click" purchasing faster for returning customers.
The fine: £120,000 plus mandatory PCI DSS compliance costs exceeding £80,000.
What they did wrong: Storing CVVs is never permitted under any circumstances — not by the GDPR, not by PCI DSS, not by any card processor's rules. Card numbers should never be stored in plaintext. The company had no encryption at all: no encryption at rest, no encryption in transit for internal database communications, and no tokenisation of card data.
What they should have done: Never store full card details. Use a payment processor that handles card data on your behalf through tokenisation. If you absolutely must store card numbers (and you almost never should), they must be encrypted to PCI DSS standards. Using a hosted payment page or a service like Stripe removes this risk entirely.
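The storage rule in Case 1 can be enforced in code rather than by policy alone. The following is an added example, not code from the original article or from any payment processor: a server-side guard that refuses to persist raw card data and keeps only the processor-issued token plus the display fields a customer needs to recognise a saved card. The field names (token, last4, expMonth, expYear, brand) and the sample payloads are assumptions constructed for this example.

```javascript
// Added example for Case 1 (not from the original article). A server-side guard
// that refuses to persist raw card data and keeps only the processor-issued token
// plus display fields. Field names are assumptions, not any processor's schema.

// Keys that must never reach the customer database, whatever their value.
const FORBIDDEN_FIELDS = new Set([
  'cvv', 'cvc', 'cvv2', 'securityCode', 'cardNumber', 'pan', 'number', 'track',
]);

// Luhn checksum, used here only to recognise a full card number that has been
// smuggled into an innocent-looking field such as a free-text "note".
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when a value is 13 to 19 digits (spaces and dashes ignored) with a valid Luhn check.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Returns the only fields that may be written to storage, or throws when the
// payload carries data that must not be persisted.
function sanitiseCardRecordForStorage(payload) {
  for (const [key, value] of Object.entries(payload)) {
    if (FORBIDDEN_FIELDS.has(key)) {
      throw new Error(`refusing to store "${key}": raw card data must not be persisted`);
    }
    if (looksLikePan(value)) {
      throw new Error(`refusing to store "${key}": value looks like a full card number`);
    }
  }
  const { token, last4, expMonth, expYear, brand } = payload;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('a processor token is required');
  }
  if (!/^\d{4}$/.test(String(last4))) {
    throw new Error('last4 must be exactly four digits');
  }
  return { token, last4: String(last4), expMonth, expYear, brand };
}

// Constructed sample payloads (no real card data; 4242... is a well-known test number).
const SAFE_PAYLOAD = { token: 'tok_example_123', last4: '4242', expMonth: 12, expYear: 2030, brand: 'visa' };
const LEAKY_PAYLOAD = { ...SAFE_PAYLOAD, note: '4242 4242 4242 4242' };
const CVV_PAYLOAD = { ...SAFE_PAYLOAD, cvv: '123' };

// Wraps the guard so callers (and logs) get a decision object instead of an exception.
function storageDecision(payload) {
  try {
    return { ok: true, record: sanitiseCardRecordForStorage(payload) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```

The guard is deliberately two-layered: a field-name deny list catches the obvious cases, and the Luhn check catches a full card number that lands in a field nobody thought to block. Wiring `storageDecision` in front of every write to the customer table, rather than only in the checkout handler, is what stops a later "convenience" feature from reintroducing the Case 1 problem.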
Case 2: Marketing agency fined for sending emails without consent
What happened: A digital marketing agency purchased a list of 200,000 email addresses and used them to send promotional emails on behalf of several clients. Recipients had never heard of the agency and had not consented to receive marketing emails from them. Over 400 complaints were filed with the ICO.
The fine: £70,000 plus enforcement notice requiring deletion of all purchased lists.
What they did wrong: Under PECR, you can only send direct marketing emails to individuals who have given their specific consent, or to existing customers about similar products (the "soft opt-in" exception). Buying email lists does not transfer consent. The agency had no consent records, no evidence that any recipient had agreed to receive emails from them, and no functioning unsubscribe mechanism.
What they should have done: Build email lists organically through explicit opt-in forms on their own website. Keep records of when and how each subscriber consented. Always include a clear unsubscribe link. Never assume that consent given to another organisation transfers to you.
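The consent records described above are only useful if the sending pipeline actually consults them. As an added example, not code from the original article or from any marketing platform, the block below gates each address at send time on a recorded lawful basis: explicit consent given to this sender, or the existing-customer soft opt-in, with unsubscribes overriding both. The contact and campaign record shapes, and the four sample contacts, are constructed for this example.

```javascript
// Added example for Case 2 (not from the original article). A send-time gate that
// releases a marketing email only when a lawful basis is on record for this sender.
// Record shapes and sample contacts are constructed assumptions.

// Each contact carries an audit trail: when and how they consented, to which
// controller, what they bought from whom, and whether they have unsubscribed.
const CONTACTS = [
  {
    email: 'organic@example.com',
    consents: [{ controller: 'acme-ltd', consentedAt: '2024-03-01T10:15:00Z', source: 'website_signup_form', withdrawnAt: null }],
    purchases: [],
    unsubscribedAt: null,
  },
  {
    email: 'customer@example.com',
    consents: [],
    purchases: [{ seller: 'acme-ltd', category: 'footwear', at: '2024-01-20', optOutOffered: true }],
    unsubscribedAt: null,
  },
  {
    // Address from a purchased list: consent was given to someone else, never to this sender.
    email: 'purchased@example.com',
    consents: [{ controller: 'other-broker', consentedAt: '2023-06-01T00:00:00Z', source: 'unknown', withdrawnAt: null }],
    purchases: [],
    unsubscribedAt: null,
  },
  {
    email: 'gone@example.com',
    consents: [{ controller: 'acme-ltd', consentedAt: '2024-02-01T00:00:00Z', source: 'website_signup_form', withdrawnAt: null }],
    purchases: [],
    unsubscribedAt: '2024-05-10T09:00:00Z',
  },
];

// Consent counts only if it was given to this sender and has not been withdrawn.
function hasExplicitConsent(contact, sender) {
  return contact.consents.some(c => c.controller === sender && c.consentedAt && !c.withdrawnAt);
}

// Soft opt-in: the contact bought a similar product from this sender and was
// offered an opt-out at the time of purchase.
function softOptInApplies(contact, sender, productCategory) {
  return contact.purchases.some(p => p.seller === sender && p.category === productCategory && p.optOutOffered);
}

function mayEmail(contact, campaign) {
  if (contact.unsubscribedAt) return { allowed: false, reason: 'unsubscribed' };
  if (hasExplicitConsent(contact, campaign.sender)) return { allowed: true, basis: 'consent' };
  if (softOptInApplies(contact, campaign.sender, campaign.productCategory)) return { allowed: true, basis: 'soft-opt-in' };
  return { allowed: false, reason: 'no consent on record for this sender' };
}

// Builds the recipient list and a per-address decision log to keep with the campaign.
function buildSendList(contacts, campaign) {
  const decisions = contacts.map(c => ({ email: c.email, ...mayEmail(c, campaign) }));
  return {
    recipients: decisions.filter(d => d.allowed).map(d => d.email),
    decisions,
  };
}

const CAMPAIGN = { sender: 'acme-ltd', productCategory: 'footwear', unsubscribeUrl: 'https://example.com/unsubscribe' };
```

Keeping the `decisions` array alongside the campaign is the part that answers an ICO enquiry: for every address, it records which basis was relied on or why the address was dropped, which is exactly the evidence the agency in Case 2 could not produce.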
Case 3: Healthcare practice fined for leaving patient records exposed
What happened: A private healthcare practice had set up an online patient portal for booking appointments and accessing test results. The portal's database was misconfigured and accessible from the open internet without authentication. A security researcher discovered the exposure and reported it. The database contained 35,000 patient records including names, dates of birth, addresses, phone numbers, NHS numbers, and medical notes.
The fine: £200,000 plus mandatory security audit and ongoing compliance monitoring.
What they did wrong: The database had no authentication requirement for external access. It was not encrypted. The practice had conducted no security testing before launching the portal, had no intrusion detection system, and had not performed the Data Protection Impact Assessment (DPIA) required for processing health data under the GDPR. Health data is classified as special category data and requires the highest level of protection.
What they should have done: Conduct a DPIA before processing health data through any new system. Ensure all databases require authentication, use encryption at rest and in transit, and are not directly accessible from the public internet. Run penetration testing before launching any system that handles medical records.
Case 4: Online retailer fined for cookie consent failures
What happened: An online fashion retailer's website was setting 47 tracking cookies and three third-party advertising pixels before any consent banner appeared. When the banner did appear, the only prominent option was "Accept All." Rejecting cookies required clicking through to a second page, then a third, then manually unchecking each category individually.
The fine: £45,000 plus enforcement notice requiring compliant cookie implementation.
What they did wrong: The ICO's guidance is clear: non-essential cookies must not be set before the user consents. The "reject" option must be as easy to select as the "accept" option. Using dark patterns — design choices that steer users toward accepting — is specifically called out as unacceptable. The retailer was loading Google Analytics, Facebook Pixel, and multiple advertising cookies before any consent interaction.
What they should have done: Load only strictly necessary cookies by default. Present a consent banner with equally prominent "Accept" and "Reject" options. Allow users to choose specific cookie categories. Never use pre-ticked boxes or confusing navigation. Test the cookie flow from a visitor's perspective regularly.
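The gating rule in Case 4 is a small piece of front-end logic. As an added example, not code from the original article or from any consent-management product, the block below registers tag loaders by category and runs none of them until the visitor has made a choice, treats "no answer" as reject, offers accept and reject as buttons of the same kind, and includes an audit helper that lists the cookies present before any consent interaction. Category names, cookie names and the loader functions are assumptions for this example.

```javascript
// Added example for Case 4 (not from the original article). A consent gate for a
// site's tags plus a pre-consent cookie audit. Category names, cookie names and
// loader functions are assumptions for this example.

// Cookies the site needs to function; everything else is non-essential.
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token', 'cookie_consent']);

// Tag loaders keyed by consent category. Registering a loader does not run it.
const loaders = { analytics: [], advertising: [] };

function registerLoader(category, fn) {
  if (!(category in loaders)) throw new Error(`unknown consent category: ${category}`);
  loaders[category].push(fn);
}

// No decision yet means no category is enabled; silence is never treated as accept.
function createConsentState() {
  return { decided: false, analytics: false, advertising: false };
}

// Applies the visitor's choice. Categories absent from `choices` are rejected, so
// the same function serves "Accept all", "Reject all" and per-category forms.
// Loaders run once, the first time their category is accepted.
function applyConsent(state, choices) {
  const next = { decided: true, analytics: !!choices.analytics, advertising: !!choices.advertising };
  const started = [];
  for (const category of Object.keys(loaders)) {
    if (next[category] && !state[category]) {
      loaders[category].forEach(fn => fn());
      started.push(category);
    }
  }
  return { state: next, started };
}

// Banner buttons: accept and reject share the same class, so they render with
// equal prominence; per-category choices sit beside them, not behind extra pages.
function bannerButtons() {
  return [
    { label: 'Accept all', cssClass: 'consent-btn', choices: { analytics: true, advertising: true } },
    { label: 'Reject all', cssClass: 'consent-btn', choices: {} },
  ];
}

// Audit helper: parse a cookie string captured before any consent interaction
// (document.cookie in the browser, or a Cookie header from a test run) and
// return the names that should not be present yet.
function nonEssentialCookiesPresent(cookieString, essential = ESSENTIAL_COOKIES) {
  return cookieString
    .split(';')
    .map(part => part.trim().split('=')[0])
    .filter(name => name.length > 0 && !essential.has(name));
}

// Browser wiring (skipped when run outside a page): register the real tag
// loaders here and call applyConsent from the banner's button handlers.
if (typeof document !== 'undefined') {
  registerLoader('analytics', () => { /* insert analytics script tag here */ });
  registerLoader('advertising', () => { /* insert advertising pixel here */ });
  console.log('cookies set before consent:', nonEssentialCookiesPresent(document.cookie));
}
```

Running `nonEssentialCookiesPresent(document.cookie)` in a fresh private window, before touching the banner, is the quickest version of the "test the cookie flow from a visitor's perspective" check above: an empty list is the expected result, and any name that appears is a tag that has escaped the gate.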
Case 5: Professional services firm fined for failing to report a breach within 72 hours
What happened: A firm of chartered surveyors discovered that a former employee had been accessing their client database after leaving the company. The database contained personal and financial information for approximately 8,000 clients. The firm investigated internally, decided it was a "minor incident," and did not report it to the ICO. Three months later, some of the client data appeared on a public forum. The ICO only learned about the breach through a third-party report.
The fine: £85,000 for the failure to report, plus separate fines for inadequate data protection measures.
What they did wrong: Under the GDPR, organisations must report notifiable breaches to the ICO within 72 hours of becoming aware of them. The firm decided on its own that the breach was minor without conducting a proper risk assessment. They failed to notify affected individuals. They failed to report to the ICO. The ICO views failure to report as a serious aggravating factor, often resulting in higher fines than the original breach itself.
What they should have done: Report the breach to the ICO within 72 hours, even if the full extent is not yet known. Conduct a proper risk assessment. Revoke former employees' access credentials immediately when they leave. Notify affected individuals if the breach is likely to result in a high risk to their rights. Document every decision and the reasoning behind it.
The common thread
Every one of these cases shares something: the failure was preventable. As the NCSC's small business guide makes clear, none of these organisations needed cutting-edge security technology. They needed basic data hygiene: encrypting sensitive data, getting proper consent, securing databases, implementing compliant cookie banners, and reporting breaches on time.
The ICO does not expect small businesses to have enterprise-grade security operations centres. It expects reasonable, proportionate measures appropriate to the data you process. For most small businesses, that means keeping software updated, configuring systems correctly, collecting only the data you need, and having a plan for when something goes wrong.
A security scan is the fastest way to find out whether your website has the kind of vulnerabilities that lead to these enforcement actions. Run a free scan to check for exposed files, missing security headers, cookie compliance issues, and email security gaps.