Compliance quick check
Your highest-priority regulatory obligations, ranked by consequences
Appoint and publish details of a data protection officer
Select a suitably qualified DPO, formally appoint them, publish their contact details (e.g., on your website or internal directory) and notify the ICO of the …
Agree a joint‑controller arrangement and disclose it to data subjects
Create a transparent written arrangement with the other controller(s) that allocates GDPR compliance responsibilities and, if appropriate, designates a contact point. Make the essence of …
Enter into and comply with a data processing contract with the controller
Sign a written contract with the controller that includes all required clauses, obtain written authorisation before using any sub‑processor, process data only on the controller’s …
Follow the ICO’s Direct Marketing Code when sending ads
Ensure that every direct marketing activity complies with the ICO’s Direct Marketing Code. This includes checking that you have the appropriate consent, providing clear opt‑out …
Implement measures to ensure and demonstrate GDPR compliance
Put in place appropriate technical and organisational measures to ensure your data processing complies with the Data Protection Act, and keep records that prove this …
Manage security risks and report serious incidents for digital services
Identify and assess security risks to the networks you depend on, implement proportionate security measures (aligned with state‑of‑the‑art practice) to prevent and minimise incidents, and, …
Obtain and maintain accreditation for data‑protection certification bodies
Apply for accreditation from the Commissioner or the UK national accreditation body, demonstrate independence and expertise, adopt the approved criteria, set up documented procedures for …
Obtain, record and manage valid consent for personal data
Set up a clear, separate consent request in plain language, keep records of each consent, inform users they can withdraw at any time, make withdrawal …
Provide clear information and handle data‑subject rights requests
Provide the required information in plain language, in writing or by electronic means, and respond to all data‑subject requests without undue delay and within the …
Cooperate with the ICO on request
Provide the information, access, or assistance the ICO asks for, as promptly as possible.
Threshold-triggered obligations
Penalties in your sector
Extracted from guidance relevant to businesses in all sectors.
Regulation | Penalty | Amount
Privacy and Electronic Communications Regulations | Maximum penalty (post-DUAA 2025) | £17.5 million or 4% of annual worldwide turnover, whichever is higher
Privacy and Electronic Communications Regulations | ICO PECR fines (2019 to Sep 2025) | 119 monetary penalty notices totalling approximately £10.5 million
Network and Information Systems (NIS) Regulations | Maximum penalty | £17 million for the most serious breaches
Export Control (Dual-Use Technology) | Maximum criminal penalty (on indictment) | Up to 10 years imprisonment and/or unlimited fine
Export Control (Dual-Use Technology) | Maximum criminal penalty (summary) | Up to 12 months imprisonment and/or fine
UK Export Controls for Defence Products | Criminal penalty | Up to 10 years imprisonment and unlimited fine
ITAR Compliance for UK Companies | Criminal penalty (US) | Up to USD $1 million per violation and 20 years imprisonment
Privacy and Electronic Communications Regulations | Previous maximum penalty | £500,000 (a 35-fold increase to the current maximum)
CIS: verifying subcontractors with HMRC | Incorrect deduction penalty | HMRC can charge you for underpaid tax if you applied the wrong rate because you did not verify