When a small business owner thinks about the cost of a data breach, they typically think about the ICO fine. This is understandable — the Information Commissioner's Office is the regulator, fines make headlines, and the legal jeopardy feels most concrete.
But the fine, if it comes at all, is rarely the largest cost. This guide breaks down every realistic cost category from a data breach affecting a small UK organisation — so you can make an informed decision about what level of protection is proportionate.
The ICO Fine: What It Actually Looks Like for Small Organisations
The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious infringements of UK GDPR. For small organisations the realistic range is considerably lower, but still significant.
The ICO's fining guidance ties the penalty to the seriousness of the infringement and the organisation's turnover. In practice, fines imposed on small organisations for inadequate security measures that led to a breach of personal data have typically ranged from £8,000 to £175,000, depending on the nature and volume of the data involved, the size of the organisation, and whether it took reasonable steps to prevent the breach. That last point is tested directly against the UK GDPR Article 32 standard of "appropriate technical and organisational measures": an organisation that had no security monitoring in place is assessed differently from one that had appropriate controls and was breached despite them.
Crucially, the ICO considers whether an organisation had logging, monitoring and detection capability when assessing whether its security measures were appropriate, and penalty notices have cited the absence of them. Demonstrable monitoring, such as a Confidence Score report, a monthly analyst summary, or an audit trail of detections and responses, is direct evidence in your favour. It only counts if it existed before the incident and survives it: keep those reports and logs somewhere an attacker cannot delete them, and retain them long enough to cover the whole investigation.
Incident Response and Investigation Costs
When a breach is discovered, the first call is usually to a specialist incident response firm. They need to determine the scope of the breach: what systems were accessed, what data was taken, how the attacker got in, how long they were present, and whether they are still present. They also need to preserve evidence in a form that will stand up if the ICO, an insurer or a court later asks how the conclusions were reached. This forensic investigation takes time, requires specialist skills, and is billed accordingly.
For a small organisation with a straightforward breach, a competent incident response engagement typically costs between £15,000 and £40,000. More complex breaches — those involving persistent access, data exfiltration across multiple systems, or uncertainty about the full scope — cost significantly more.
Legal Costs
UK GDPR requires that a personal data breach be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock runs from awareness, not from the end of the investigation, and it does not pause for weekends; where the full picture is not yet known, the report can be made in phases. Organisations that handle significant volumes of personal data, such as healthcare providers, legal and financial services, and HR and payroll functions, almost always require legal advice on their notification obligations and the content of their ICO report.
Legal costs for breach response and ICO interaction typically range from £5,000 to £25,000 for small organisations, depending on complexity and whether the ICO opens a formal investigation.
Individual Notification Costs
Where a breach is likely to result in a high risk to the rights and freedoms of the individuals whose data was compromised, those individuals must also be notified directly, without undue delay. For a GP surgery with 4,000 patients, or a law firm with several years of client records, this is a significant operational undertaking: drafting notification letters, posting or emailing them, managing inbound enquiries and complaints, and providing credit monitoring services if financial data was involved.
Individual notification costs for a small organisation can run from a few thousand pounds for a limited breach to over £50,000 if the affected population is large and the data is sensitive.
Business Interruption
The period between discovering a breach and returning to normal operations is rarely under two weeks for a small organisation, and often considerably longer. During this period:
- Staff cannot access compromised systems
- Client work is delayed or impossible
- Management time is consumed by the incident response process
- IT systems may be taken offline pending forensic examination
- Cloud services may be suspended, or accounts locked, if credentials are suspected of having been compromised
For a 20-person professional services firm billing at typical UK rates, two weeks of substantially reduced productivity represents tens of thousands of pounds in lost revenue. For a smaller organisation, it may be existential.
Reputational Damage and Client Attrition
This is the hardest cost to quantify but often the most damaging in the long term. Clients and referrers discover that their supplier was breached. In professional services sectors — law, accountancy, financial advice, healthcare — trust is the core product. A breach creates doubt about whether that trust is warranted.
Client attrition following a breach is real and documented. Referral networks, once damaged, take years to rebuild. A firm that loses one or two significant clients as a direct consequence of a breach may be managing those consequences long after the ICO investigation is closed.
The Total Picture
Adding realistic figures across all categories for a typical small UK organisation experiencing a ransomware or data exfiltration incident:
- Incident response: £15,000 – £40,000
- Legal: £5,000 – £25,000
- ICO fine (if applicable): £8,000 – £175,000
- Individual notification: £3,000 – £50,000
- Business interruption (2–4 weeks): £20,000 – £80,000+
- Reputational damage: Unquantified, but material
A conservative mid-range estimate for a 30-person organisation experiencing a moderately serious breach is £70,000–£120,000 in direct costs, before any reputational consequences. The annual cost of SOC in a Box for an organisation of that size is £7,200.
This is not a scare tactic. It's an arithmetic exercise.
Further Reading
The Cost of Prevention vs the Cost of Recovery
SOC in a Box costs from £335 per month. That's the cost of continuous monitoring, a named analyst, Cyber Essentials certification, and cyber liability insurance — all from one monthly payment. It's considerably less than the cost of one incident response call-out.