Cost of Data Breach Calculator: what would a breach actually cost your business?
Estimate your data breach exposure in 60 seconds. Free calculator covering GDPR fines, remediation, notification and reputational costs. Tailored to UK SMEs.
It is an order-of-magnitude estimate, not a forecast. Real breach costs vary enormously by incident, response quality and luck. It is built to give a board a defensible range to reason with, and it is deliberately transparent about every assumption rather than offering false precision.
Because a single number would be dishonest. Two organisations of identical size can see breach costs an order of magnitude apart. The range reflects genuine uncertainty; the breakdown shows where the cost comes from.
The model is anchored to published UK and global data: the UK government's Cyber Security Breaches Survey (DSIT and the Home Office, 2025 and 2025/26 editions), the IBM Cost of a Data Breach Report 2025, ABI cyber claims data, and ICO guidance on penalties. Sources are listed in full under the result.
IBM's 2025 global average is 4.44 million US dollars, but that figure is dominated by large enterprises across 16 countries and reflects costs, such as customer churn and major legal action, that rarely scale to a UK SME. We use it as an upper reference point only, which is why our SME ranges sit well below it.
The DSIT Cyber Security Breaches Survey 2025 reported the average most-disruptive breach at around 1,600 pounds across all businesses (rising to about 3,550 pounds once zero-cost incidents are excluded), because it includes a long tail of minor and contained incidents. The 2025/26 survey moved to a median-based measure, where most businesses report a zero or low cost. This calculator models a serious personal-data breach, which is why its numbers are higher than those averages and lower than IBM's enterprise figures.
No. ICO penalties (up to 17.5 million pounds or 4% of worldwide annual turnover, whichever is higher) are highly case-specific and far from automatic, so we flag them as a separate possible exposure rather than baking a fabricated figure into the headline number.
No. Ransom and extortion costs are excluded by design. Paying is rarely advisable, is never guaranteed to recover data, and varies too widely to model responsibly.
Yes. Charities hold sensitive donor, beneficiary and staff data and face the same UK GDPR duties. The DSIT survey tracks charities separately, and they are far from immune. Select "Charity or non-profit" and the model applies a slightly lower weighting, but the exposure is real.
Use it to frame a board or finance conversation: is our exposure proportionate to what we spend on preventing it? It is a starting artefact, not a risk assessment. If the range is large enough to matter, the sensible next step is to understand how exposed you actually are, which is what our governance and readiness tools are for.