ICO Enforcement News UK: What Most People Get Wrong

You might have heard the whispers that the Information Commissioner’s Office (ICO) has gone soft lately. There’s this idea floating around that because they aren't slapping a million-pound fine on every small business that trips over a cookie banner, they’ve lost their teeth.

Honestly? That’s just not true.

If you look at the actual UK ICO enforcement data from the last twelve months, something much more interesting—and potentially more dangerous for unprepared companies—is happening. We’re seeing a massive shift in how John Edwards and his team operate. They’ve moved away from the "spray and pray" approach of tiny fines for everyone. Instead, they are becoming surgical. They are hunting for "egregious" failures while actually trying to help the "good guys" innovate.

It’s a weird vibe, right? A regulator that wants to be your friend until they suddenly, very much, are not.

The 2025-2026 Numbers: Fewer Fines, Much Bigger Checks

Let’s get the math out of the way. It’s wild.

In the first half of 2025, the ICO only issued about six major fines. Compared to previous years, that looks like a vacation. But look at the price tag. Those six fines totaled over £5.6 million. To put that in perspective, the average fine jumped from a measly £150,000 in 2024 to nearly £1 million in 2025.

Basically, if they decide to fine you now, they really mean it.

The "Big Three" Warnings

If you want to know what the ICO actually cares about right now, you just have to look at where the big money went recently:

  1. Capita (£14 Million): This was the big one in October 2025. It wasn't just about the breach itself; it was about how slow they were to respond. The ICO is basically saying: "If you get hacked, you had better move fast."
  2. Advanced Computer Software (£3.07 Million): This set a huge precedent. Advanced is a processor, not a controller. The ICO is now coming directly for the tech providers, not just the brands that hire them.
  3. 23andMe (£2.31 Million): They got hit because of "credential stuffing." The lesson? If you don't have Multi-Factor Authentication (MFA) on sensitive data in 2026, you're basically asking for a fine.

The Data Use and Access Act (DUAA) 2025 Changes Everything

The biggest piece of UK ICO enforcement news to track is the Data Use and Access Act. It became law in June 2025, and it’s a total game-changer.

For a long time, the UK was just copying and pasting EU rules. Now, we’re doing our own thing. The DUAA gives the ICO new powers to basically force people into interviews. They can also demand that you pay for an "approved person" (a third-party expert) to come in and audit your systems. It’s like being forced to pay for your own private investigator to report your crimes back to the police.

But there’s a flip side. The DUAA is also relaxing some rules.

They are finally—finally—admitting that some cookies aren't that bad. Low-risk cookies for things like website analytics or basic functionality might not need that annoying pop-up anymore. The ICO is currently consulting on this, with a deadline of January 23, 2026. They want to reduce "consent fatigue." Everyone is tired of clicking "Reject All" fifty times a day, and the ICO actually seems to agree.

Why the Public Sector is Getting a "Soft" Pass

There has been some controversy about the ICO’s "public sector approach."

Basically, John Edwards decided that fining a struggling NHS trust or a local council millions of pounds is a bit silly. It just takes money away from schools and hospitals to put it into the Treasury. Instead, they are using "Reprimands."

Don't mistake a reprimand for a slap on the wrist.

When the ICO issues a reprimand, they publish it. It’s a public shaming. For a police force or a government department, that reputational hit can be worse than a fine. We saw this with South Wales Police recently. They had a massive backlog of Subject Access Requests (SARs). The ICO didn't fine them into bankruptcy; they issued an enforcement notice that legally forces them to clear the backlog by June 2026.

It’s about fixing the problem, not just taking the cash.

Cookies: The 1,000 Website Crackdown

If you run a website, you've probably noticed that "Reject All" buttons are everywhere now. That didn't happen by accident.

In late 2024 and throughout 2025, the ICO went after the UK’s top 1,000 websites. They sent letters, they threatened "Preliminary Enforcement Notices," and they basically bullied the internet into being more transparent.

The result? As of December 2025, over 95% of those top sites are now compliant.

But they aren't stopping there. The ICO is now using automated tools to crawl the web. They don't need a human to check your site anymore; an algorithm will find your non-compliant cookie banner and flag you for investigation.

What You Should Actually Do Now

If you’re worried about appearing in the next round of UK ICO enforcement news, you need to stop thinking about "compliance" as a checkbox and start thinking about it as "hygiene."

Fix your MFA. Honestly, the 23andMe fine proved that the ICO has zero patience for companies that don't use multi-factor authentication. If you handle sensitive data and you only require a password, you are legally "negligent" in their eyes.

Watch your processors. If you use a third-party software company to handle your data, you are still on the hook. The Advanced case showed the ICO will go after the tech company, but the Capita case showed they will also nail the controller for a slow response. You need to audit your vendors.

Clean up your SARs. Subject Access Requests are the "canary in the coal mine." If you’re slow at giving people their data, the ICO assumes your entire data structure is a mess.

The era of the "accidental" fine for a small mistake is mostly over. The era of massive, multi-million pound penalties for "systemic" failures is here. The ICO wants to help you grow, they want to support AI, and they want to reduce red tape—but only if you’ve got the basics right.

Keep a close eye on the DUAA updates throughout 2026. The rules on "legitimate interests" and scientific research are shifting, and those who move fast will have a massive competitive advantage.

Next Steps for Your Business:
Review your current incident response plan. Specifically, check if you can detect a breach and notify the ICO within the 72-hour window. If your internal reporting takes five days, you’re already looking at a potential "aggravated" fine structure.