The information watchdog has issued only four civil penalties since the powers came into force in 2010.
The Information Commissioner's Office (ICO) received reports of more than 2,500 possible breaches of the Data Protection Act, with only 36 resulting in action and four in civil penalties.
A total of just £310,000 in fines was issued to organisations, with £100,000 being the biggest fine to date. The top fine for a single offence is £500,000.
The figures, released to encryption firm ViaSat under freedom of information laws, also show that the ICO took action against seven private sector organisations, penalising just one, but 29 in the public sector, penalising three.
Chris McIntosh, the firm's chief executive, said: "The ICO has a tremendous amount of leeway in the penalties it levies and so far doesn't seem to be applying this in either direction.
"The ICO has stated that the embarrassment and poor image of a fine will act as a deterrent and an incentive to improve an organisation's grasp of the Data Protection Act. However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops."