UK GDPR (retained EU law)
What this means for your business
- Enforced by: ICO
- Applies to: United Kingdom
- On this page: 366 compliance obligations, 32 practical guides across 5 topics
What you must do
366 compliance obligations under this legislation.
Appointments (14)
Appoint a Data Protection Officer and ensure they fulfil core duties
Fine up to £17,500,000
If your business (as a controller or processor) handles personal data, you must appoint a qualified Data Protection Officer (DPO). The DPO must inform and advise you and your staff on data‑protection rules, monitor compliance, support data protection impact assessments, liaise with the ICO and help you manage data‑processing risks.
Appoint a Data Protection Officer and publish their contact details
Fine up to £17,500,000
If your business is a public authority, or its main activities involve large‑scale systematic monitoring of people or large‑scale processing of special‑category or criminal‑conviction data, you must name a Data Protection Officer (DPO). The DPO can be an employee or an external provider, must have expert data‑protection knowledge, and you must make their contact details publicly available and tell the ICO.
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
If your business is a public authority (except courts), or you regularly and systematically monitor individuals on a large scale, or you process large volumes of special‑category or criminal‑conviction data, you must have a Data Protection Officer. The DPO can be an employee or an external contractor, must have expert knowledge of data protection law, and you must publish their contact details and tell the ICO.
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
If your business processes personal data and any of the following apply – you’re a public authority (except courts), you regularly and systematically monitor individuals on a large scale, or you handle large‑scale special category data or criminal‑conviction data – you must name a Data Protection Officer. The DPO can be an employee or an external contractor, must have expert knowledge of data protection law, and you must publish their contact details and inform the ICO of the appointment.
Appoint a Data Protection Officer (DPO)
If your business is a public authority, or its main activities involve large‑scale regular monitoring of people, or large‑scale processing of special‑category or criminal‑conviction data, you must appoint a Data Protection Officer. The DPO can be an employee or a contracted specialist, must have expert data‑protection knowledge, and you must publish their contact details and tell the ICO.
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
If your business is a public authority, or you regularly and systematically monitor people on a large scale, or you process large volumes of special‑category or criminal‑conviction data, you must appoint a Data Protection Officer. The DPO can be an employee or an external provider, must have expert knowledge of data protection law, and you must make their contact details publicly available and tell the ICO.
Appoint a Data Protection Officer (DPO) when required
Fine up to £17,500,000
If your business is a public authority (apart from courts), or its main work involves regularly and systematically monitoring people on a large scale, or it processes large amounts of special‑category or criminal‑conviction data, you must have a qualified Data Protection Officer. The DPO can be a staff member or an external contractor, and you must publish their contact details and tell the ICO about them.
Appoint a data protection officer where required
Fine up to £17,500,000
If your business is a data controller or processor and you fall into any of these categories – you are a public authority, you carry out regular and systematic large‑scale monitoring of individuals, or you process large volumes of special‑category or criminal conviction data – you must appoint a data protection officer (DPO). The DPO can be an employee or an external contractor, but must be easy to reach from each site and you must publish their contact details and inform the ICO.
Appoint a Data Protection Officer where required
Fine up to £17,500,000
If your business is a public authority (except courts), or you regularly and systematically monitor people on a large scale, or you process large amounts of special‑category or criminal‑record data, you must appoint a Data Protection Officer (DPO). The DPO can be an employee or a contracted service, must be easy to reach at each site, and you must publish their contact details and tell the ICO.
Appoint a Data Protection Officer where required
Fine up to £17,500,000
If your business is a public authority (excluding courts), or you regularly and systematically monitor individuals on a large scale, or you process large amounts of special‑category or criminal‑conviction data, you must name a Data Protection Officer (DPO). The DPO can be a staff member or an external service, must have expert data‑protection knowledge, and you must publish their contact details and tell the ICO.
Appoint a Data Protection Officer where required
Fine up to £17,500,000
If your business is a public authority (other than courts), or you regularly and systematically monitor individuals on a large scale, or you process large amounts of special‑category or criminal‑conviction data, you must appoint a Data Protection Officer (DPO). A single DPO can be shared across a group or several public bodies provided they are easily reachable at each site. You must also publish the DPO’s contact details and tell the ICO about the appointment.
Appoint a Data Protection Officer where required
Fine up to £17,500,000
If your business processes personal data on a large scale – for example, you monitor people regularly, handle special category data or criminal conviction data, or you are a public authority – you must name a Data Protection Officer (DPO). The DPO must have expert knowledge of data‑protection law, be reachable at every site, and you must publish their contact details and tell the ICO.
Appoint and publish a Data Protection Officer (DPO)
Fine up to £17,500,000
If your business processes personal data in certain ways – for example, you are a public authority, you carry out large‑scale systematic monitoring of people, or you handle large amounts of special‑category or criminal‑conviction data – you must appoint a Data Protection Officer. The DPO can be an employee or an external service provider, must have expert knowledge of data‑protection law, and you must publish their contact details and tell the ICO.
Appoint and publish a Data Protection Officer (DPO)
Unlimited fine
If your business processes personal data and any of the following apply – you’re a public authority (apart from courts), you carry out large‑scale systematic monitoring of individuals, or you handle large volumes of special‑category or criminal‑conviction data – you must name a qualified Data Protection Officer. The DPO must be easy to reach at each site, their contact details must be publicly visible (e.g., on your privacy notice) and you must inform the ICO of those details.
Risk assessment (13)
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
If you plan to use new technology or large‑scale processing that could seriously affect people’s privacy, you must carry out a DPIA before you start. The assessment must describe the processing, assess whether it is necessary and proportionate, identify the risks, and set out measures to reduce those risks. Review the DPIA whenever the risks change.
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
If you plan to process personal data in a way that could seriously affect people’s privacy – for example using new technologies, large‑scale profiling, handling special‑category data, or monitoring public spaces – you must carry out a DPIA before you start. The assessment must be documented, involve your Data Protection Officer (if you have one), and be reviewed whenever the risk changes.
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
If you plan to process personal data in a way that could seriously affect people's rights – for example large‑scale profiling, handling special‑category data, or mass CCTV monitoring – you must carry out a DPIA before you start. The assessment must describe the processing, test whether it is necessary and proportionate, identify the risks and set out measures to address them.
Carry out data protection impact assessments (DPIAs)
Fine up to £17,500,000
If you plan to process personal data in a way that could pose a high risk to people's rights – for example using new technology, automated profiling that has legal effects, large‑scale special‑category data, or systematic monitoring of public areas – you must assess the impact before you start. The assessment must describe the processing, why it’s needed, the risks involved and the safeguards you’ll put in place, and you should involve your Data Protection Officer and, where appropriate, consult data subjects.
Carry out Data Protection Impact Assessments (DPIAs)
Fine up to £17,500,000
If your business plans to process personal data in a way that is likely to create a high risk to people's privacy – for example large‑scale profiling, handling special‑category data, or mass CCTV monitoring – you must assess the impact on data protection before you start. The assessment must explain what you’ll do, why it’s necessary, the risks involved and the safeguards you’ll put in place, and you should involve your Data Protection Officer where you have one.
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
If you plan to use new technology or carry out large‑scale/automated processing that could pose a high risk to individuals’ privacy, you must complete a Data Protection Impact Assessment (DPIA) before you start. The DPIA must describe the processing, show it is necessary and proportionate, identify the risks, and set out safeguards. You should involve your DPO, consult data subjects where appropriate, and review the DPIA whenever the risks change.
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
If you plan to use new technology or process personal data in ways that could seriously affect people’s rights – for example large‑scale profiling, handling special‑category data, or monitoring public spaces with CCTV – you must carry out a Data Protection Impact Assessment (DPIA) before you start. The DPIA must describe the processing, check it’s necessary and proportionate, identify the risks, and set out safeguards, with input from your Data Protection Officer where you have one.
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
If you plan to use new technology or carry out large‑scale or sensitive data processing that could significantly affect individuals’ privacy, you must assess the impact on data protection before you start. The assessment must involve your DPO, examine necessity and proportionality, identify risks and set out safeguards, and be kept up to date and reviewed whenever the risk changes.
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
If you are planning a new way of processing personal data that could seriously affect people's privacy – for example automated profiling that makes legal decisions, processing large amounts of special‑category data, or large‑scale CCTV monitoring – you must assess the impact on data protection before you start. The assessment must involve your DPO (if you have one), identify the risks and record the safeguards you will put in place, and be reviewed whenever the risk changes.
Carry out Data Protection Impact Assessments for high‑risk processing
Fine up to £17,500,000
If you plan to use new technology or process large amounts of sensitive or special‑category personal data in a way that could harm individuals' rights, you must assess the privacy impact before you start. The assessment must describe the processing, test whether it is necessary and proportionate, identify any risks and set out measures to reduce them, and it must be updated whenever the risk profile changes.
Carry out Data Protection Impact Assessments for high‑risk processing
Fine up to £17,500,000
If your business plans to use new technologies or processes that could seriously affect people's privacy – for example automated profiling that makes legal decisions, large‑scale handling of special‑category data, or mass surveillance of public areas – you must carry out a Data Protection Impact Assessment (DPIA) before you start. The assessment must describe the processing, assess its necessity and proportionality, identify risks to individuals and set out measures to reduce those risks. Keep the DPIA up to date whenever the risk level changes.
Conduct a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
If your business is planning to process personal data in a way that could pose a high risk to individuals – for example using new technologies, large‑scale profiling, processing special categories of data, or systematic monitoring of public areas – you must carry out a Data Protection Impact Assessment before you start. The DPIA must describe the processing, assess necessity and proportionality, identify risks, and set out measures to mitigate those risks, with input from your Data Protection Officer and, where appropriate, the data subjects themselves.
Conduct data protection impact assessments (DPIAs)
Fine up to £17,500,000
If you plan to use new technology or carry out large‑scale, sensitive or systematic processing that could significantly affect people's privacy, you must assess the impact on data protection before you start. Involve your Data Protection Officer (if you have one), describe the processing, test its necessity and proportionality, identify risks and put in safeguards. Keep the DPIA record and review it whenever the risk profile changes.
Management duties (267)
Accredit and run a certified data‑protection compliance body
If you run a business that provides data‑protection certification, you must first be accredited by the Commissioner or the UK national accreditation body. Once accredited you need to keep clear, independent procedures for issuing, reviewing and cancelling certificates, handle complaints, and show you have no conflicts of interest. Your accreditation lasts five years and must be renewed on the same conditions. Failure to meet these requirements can lead to a loss of accreditation and potential regulatory enforcement.
Adopt and follow an approved data‑protection code of conduct
Fine up to £17,500,000
If your business processes personal data, you must use any industry‑specific code of conduct that the ICO has approved. This means putting the code’s rules into your policies, training staff and allowing the ICO to monitor your compliance.
Agree a joint‑controller arrangement and disclose it to data subjects
Fine up to £17,500,000
If you and another organisation decide together why and how personal data will be processed, you are both joint controllers. You must put a clear written agreement in place that spells out each party’s responsibilities for GDPR compliance, especially for handling data‑subject rights, and you must share the key points of that agreement with the people whose data you hold. Data subjects can still contact each controller separately to exercise their rights.
Agree and disclose joint controller responsibilities
Fine up to £17,500,000
If your business works with another organisation and together you decide why and how personal data is processed, you become joint controllers. You must put in place a clear, written arrangement that splits up each party’s GDPR duties (such as handling data‑subject rights and providing the information required by Articles 13 and 14) and make the core of that arrangement available to the people whose data you handle. The arrangement can also name a single contact point for data subjects.
Agree and document joint controller responsibilities
Fine up to £17,500,000
If you and another organisation together decide why and how personal data will be processed, you are joint controllers. You must create a clear, transparent arrangement that sets out each party’s duties for meeting GDPR requirements – such as handling data‑subject rights and providing the information required by Articles 13 and 14 – and share the essential terms of that arrangement with the data subjects. The arrangement can also name a contact point for data subjects.
Agree and document joint controller responsibilities
Fine up to £17,500,000
If your business shares control of personal data with another organisation, you must work together to decide who does what under the GDPR. You need a written agreement that sets out each party’s duties – especially how you’ll handle data‑subject rights and provide the information required by Articles 13 and 14 – and you must make this agreement clear to the people whose data you process, possibly by naming a single contact point.
Agree and document responsibilities as joint controllers
Fine up to £17,500,000
If your business shares responsibility for deciding why and how personal data is processed with another organisation, you must work out who does what for GDPR compliance. You need a written arrangement that sets out each party’s duties – especially around data‑subject rights and the information you must give – and you must share the essential details of that arrangement with the data subjects.
Agree and document responsibilities with joint controllers
Fine up to £17,500,000
If your business shares control of personal data with another organisation, you must put a clear written agreement in place that spells out who does what to meet GDPR requirements. The agreement has to be transparent, include a contact point for data subjects, and you must give data subjects easy access to the key terms of the arrangement.
Agree and document responsibilities with joint controllers
If your business makes decisions together with another organisation about why and how personal data is processed, you must work out who does what under the GDPR. You need a clear written agreement that sets out each party’s duties – especially around data‑subject rights and the information you must give – and you should let people know the basics of that arrangement, possibly via a single contact point.
Agree and share responsibilities as joint data controllers
Fine up to £17,500,000
If you and another organisation decide together how and why personal data is used, you must create a clear agreement that sets out each party’s duties – especially how you’ll handle data‑subject rights and provide the information they’re owed. The agreement (or a summary of it) must be shared with the people whose data you process, and you may need to name a contact point for them.
Agree and share responsibilities with joint controllers
Fine up to £17,500,000
If your business works with one or more other organisations that together decide why and how personal data is processed, you must create a clear agreement that spells out each party’s data‑protection duties. The agreement (or its key points) must be shown to the people whose data you hold, and each controller must let data subjects exercise their rights directly against you.
Agree joint‑controller responsibilities and inform data subjects
Fine up to £17,500,000
If your business shares control of personal data with another organisation, you must put a clear written agreement in place that sets out each party’s duties – especially around handling data‑subject rights and providing the information required by GDPR. You also need to make the key points of that agreement available to the people whose data you process.
Agree on and share GDPR responsibilities with joint controllers
Fine up to £17,500,000
If your business and another organisation together decide why and how personal data is processed, you must put a clear agreement in place that splits up each party’s GDPR duties (like handling data‑subject rights and providing information). The agreement has to be transparent – a simple summary must be shown to data subjects – and you may need to name a contact point for them.
Agree responsibilities with joint controllers and inform data subjects
If your business shares control of personal data with another organisation, you must put a clear agreement in place that says who does what to meet GDPR. The agreement must cover things like handling data‑subject rights and providing the information required by Articles 13 and 14, and you must make the key points of that agreement available to the people whose data you process.
Allow and respect data subjects’ right to object
Fine up to £17,500,000
You must tell anyone whose personal data you hold that they can object to you using their data at any time, especially for marketing. When they object you must stop processing their data unless you can prove a compelling legal reason. You also need to provide a clear, separate way for them to object, including an online option where appropriate.
Allow data subjects to object and stop processing on request
Fine up to £17,500,000
If someone asks you to stop using their personal data – for example because they don’t want you to profile them or use their details for direct marketing – you must halt that processing unless you can show a compelling legitimate reason. You also have to tell people, at the first time you contact them, that they have this right and how to use it.
Apply data protection by design and by default
Fine up to £17,500,000
When your business processes personal data you must build privacy safeguards into the way you collect, store and use that data. This means choosing technical and organisational measures (like pseudonymisation and data‑minimisation) at the design stage and keeping them in place during processing, and ensuring that, by default, only the data necessary for each purpose is handled. If you provide online services likely used by children, you must also consider their higher protection needs.
Avoid fully automated decisions using special‑category data
Fine up to £17,500,000
If your business makes an important decision that relies on special‑category personal data (e.g., health or ethnicity information) you must not let a computer make that decision on its own unless you have the data subject’s explicit consent, it’s strictly needed for a contract or legal requirement (and the relevant exemption applies), or the processing is based on a lawful basis under Article 6(1)(e) or (a). In practice you need to check consent and legal basis and involve a human when required.
Avoid sole automated decisions using special‑category data
Fine up to £17,500,000
If your business uses a computer or algorithm to make an important decision that relies on sensitive personal data (such as health, ethnicity or biometric data), you must not let the system decide on its own unless you have the data‑subject’s explicit consent or a clear legal/contractual reason that meets the GDPR exceptions. Put a human in the loop and keep records showing why the decision was allowed.
Comply with data processing contract and data protection duties
Fine up to £17,500,000
If your business processes personal data for another organisation (the controller), you must have a written contract that sets out how you will protect that data. The contract must require you to follow the controller’s instructions, keep the data secure, help the controller meet data‑subject requests, delete or return the data when the service ends, and allow the controller to audit your compliance. Breaches can attract very large fines.
Comply with data‑processor responsibilities under UK GDPR
Fine up to £17,500,000
If your business processes personal data for someone else (the controller), you must have a written contract that sets out how the data will be handled, only act on the controller’s instructions, keep the data secure, and not use sub‑processors without the controller’s approval. You also have to help the controller meet data‑subject rights, delete or return data when the contract ends, and be ready to show proof of compliance. Breaches can attract fines of up to £17.5 million.
Comply with data‑protection principles and demonstrate accountability
Fine up to £17,500,000
If your business processes personal data, you must handle it lawfully, fairly and transparently, collect it only for clear purposes, keep only what you need, ensure it is accurate, retain it no longer than necessary and protect it against loss or unauthorised access. You also need to be able to show the Information Commissioner’s Office (ICO) that you are meeting all of these requirements.
Comply with GDPR data protection principles
Fine up to £17,500,000
You must handle personal data in a way that is lawful, only for the specific purpose it was collected, kept no longer than necessary, accurate, and securely protected. You also need to be able to prove you are doing all this. In practice this means having clear policies, records and regular checks on how you store and use personal data.
Comply with UK GDPR processor obligations
Unlimited fine
If your business processes personal data for someone else (the controller), you must only work with controllers who can prove they have appropriate security and organisational safeguards. You need a written contract that sets out how you’ll handle the data, you may only use sub‑processors with the controller’s written consent, and you must keep the data secure, confidential and return or delete it when the contract ends.
Consult ICO before carrying out high‑risk data processing
Fine up to £17,500,000
If a Data Protection Impact Assessment shows that your proposed use of personal data would pose a high risk and you have not put enough safeguards in place, you must ask the Information Commissioner’s Office (ICO) for advice before you start that processing. You need to send the ICO details of who is responsible, what you plan to do, the safeguards you will use, your DPO contact and the DPIA itself. The ICO will reply within up to eight weeks (which may be extended).
Consult ICO before high‑risk data processing
Fine up to £17,500,000
If your data protection impact assessment shows that a planned activity poses a high risk to individuals and you haven’t put enough safeguards in place, you must ask the ICO for advice before you start that processing. The ICO will reply in up to eight weeks (extendable by six weeks) with written guidance or enforcement action.
Consult ICO before high‑risk data processing
If your data protection impact assessment shows that the processing you want to carry out is likely to pose a high risk and you have not put sufficient safeguards in place, you must ask the ICO for advice before you start. You need to send the ICO details of the processing, your DPIA and any measures you plan to use, and wait for its written response.
Consult ICO before high‑risk processing
Fine up to £17,500,000
If a Data Protection Impact Assessment shows your proposed processing is likely to cause a high risk to individuals, you must ask the ICO for advice before you start. You must send the ICO detailed information about the processing and wait for its written advice, which may take up to eight weeks (extendable by six weeks).
Consult ICO before high‑risk processing
Fine up to £17,500,000
If a data protection impact assessment shows that a proposed activity is likely to pose a high risk to individuals and you have not put sufficient measures in place, you must ask the ICO for advice before you start that processing. The ICO will reply in writing within up to eight weeks (which can be extended) and may give you further instructions.
Consult ICO before high‑risk processing
Fine up to £17,500,000
If your Data Protection Impact Assessment shows that a planned processing activity could pose a high risk to people’s rights and you haven’t put enough safeguards in place, you must ask the ICO for advice before you start that processing. You need to send the ICO details of who is responsible, what you intend to do, the safeguards you’ll use, your DPO’s contact details and the DPIA itself. The ICO will reply in writing within up to eight weeks (longer if the case is complex).
Consult ICO before high‑risk processing and supply required information
Fine up to £17,500,000
If a Data Protection Impact Assessment shows that a proposed data‑processing activity carries a high risk and you have not yet put mitigating measures in place, you must ask the ICO for advice before you start that processing. You need to send the ICO details such as who is responsible, the purpose and method of processing, the safeguards you plan, your DPO’s contact details, the DPIA itself and any other information they request.
Consult the ICO before carrying out high‑risk processing
Fine up to £17,500,000
If a data protection impact assessment shows that your planned processing is likely to pose a high risk to individuals and you haven’t put enough safeguards in place, you must ask the ICO for written advice before you start. You need to send the ICO details of the processing, responsibilities, safeguards, DPO contact, the DPIA and any other information they ask for, and wait for their response.
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
If a Data Protection Impact Assessment shows that a new way of using personal data is likely to carry a high risk, you must ask the Information Commissioner’s Office for advice before you start. You need to send the ICO details such as who is responsible, what you plan to do, the safeguards you’ll use and the DPIA itself. The ICO will reply within up to eight weeks (extendable to 14 weeks).
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
If your data protection impact assessment (DPIA) shows that a proposed processing activity is likely to be high risk and you haven’t put sufficient safeguards in place, you must ask the ICO (the Commissioner) for advice before you start that processing. You need to send the ICO a detailed briefing and wait for its written advice (normally within 8 weeks, extendable to 14 weeks). This ensures you don’t breach the UK GDPR by proceeding with a risky activity without regulator input.
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
If your data protection impact assessment shows that a planned activity is likely to pose a high risk to individuals and you haven’t put enough safeguards in place, you must ask the ICO for advice before you go ahead. You need to send them detailed information about the processing and wait for their written response.
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
If a data protection impact assessment (DPIA) shows that a proposed data‑processing activity is high risk, you must ask the Information Commissioner’s Office (ICO) for written advice before you start. You need to send the ICO details of the processing, the roles involved, the safeguards you plan, your DPO’s contact details and the DPIA itself, then wait for their response.
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
If a Data Protection Impact Assessment shows that the way you want to use personal data is likely to pose a high risk, you must ask the Information Commissioner’s Office (ICO) for advice before you start. You need to send the ICO details about who is responsible, what you plan to do, the safeguards you’ll use, your DPO’s contact details, the DPIA itself and any other information they request.
Contract with controller and control sub‑processors
Fine up to £17,500,000
If your business processes personal data for another organisation, you must have a written contract that sets out what data will be processed, why, how long and the security measures required. You also need the controller’s written permission before you use any subcontractors and must bind those subcontractors to the same data‑protection standards. You must be able to show the contract and related records to the controller or an auditor.
Cooperate with the ICO on request
Fine up to £17,500,000
If the Information Commissioner asks you for help – for example, to provide information, give access to records or answer questions – you must comply. This applies to any data controller or processor (and their representatives) handling personal data in the UK. Failing to cooperate can lead to a substantial fine.
Cooperate with the ICO when requested
Fine up to £17,500,000
If your business is a data controller or processor, you must help the Information Commissioner’s Office (ICO) whenever they ask for assistance. This means replying promptly to any request for information, access to records or other support needed for the ICO to carry out its data‑protection duties.
Cooperate with the ICO when requested
Fine up to £17,500,000
If the Information Commissioner asks you for help, you must provide the information, access to records and any other assistance they need to carry out their data‑protection duties. This duty applies to any organisation that decides how personal data is processed (controller) or carries out processing on someone else’s behalf (processor). Failing to cooperate can lead to a fine.
Cooperate with the ICO when requested
Fine up to £17,500,000
If you are a data controller or processor, you must help the Information Commissioner’s Office (ICO) when it asks for information, documents or access to your systems. This means replying promptly to any request and providing whatever is needed for the ICO to carry out its investigations. Failing to do so can lead to substantial fines.
Cooperate with the ICO when requested
Fine up to £17,500,000
If the Information Commissioner’s Office asks you for information, access to records, or assistance about your data processing, you must provide it. This duty applies to any organisation that acts as a data controller or processor (or their representatives). Failure to cooperate can lead to ICO enforcement action.
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
If a customer or employee asks you to fix wrong or missing personal information you hold about them, you must do it promptly. Your business must update the data and, where needed, add any extra details they provide, without unnecessary delay.
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
If a person asks you to fix their personal information, you must update it promptly – without unnecessary delay. This includes correcting errors and adding missing details, even if you need the person to provide extra information. Your business must have a process to handle these requests quickly and keep a record of what was changed.
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
If someone asks you to fix wrong or missing information you hold about them, you must make the correction quickly and without unnecessary delay. You also need to fill in any gaps in the data, for example by asking the person for extra details. This applies to any personal data you control as a data controller.
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
If a person asks you to fix their personal data, you must promptly correct any inaccuracies and fill in any missing information, even by adding a supplementary statement if needed. This duty applies to any controller that holds personal data about individuals.
Correct inaccurate personal data on request
Fine up to £17,500,000
When an individual tells you their personal details are wrong, you must fix the error as quickly as possible. If any of their data is incomplete, you also have to complete it – for example by asking them for the missing information – while still respecting why you are processing the data.
Correct inaccurate personal data on request
Fine up to £17,500,000
When someone asks you to fix their personal data, you must do it quickly. This means you must correct any errors and fill in any gaps, using any extra information the person supplies. Failure to act promptly can lead to a hefty ICO fine.
Correct personal data when requested
Fine up to £17,500,000
If a customer, employee or any other individual tells you that the personal data you hold about them is wrong or incomplete, you must fix the error and fill in any gaps promptly. You may need to ask them for additional information to complete the record, and you must do all of this without undue delay.
Do not rely only on automated decisions using special‑category data
Fine up to £17,500,000
If your business makes a significant decision that involves special categories of personal data (e.g., health, race, religion) you must not let a computer do it all by itself. You can only use fully automated processing if you have the person’s explicit consent, or if the decision is strictly needed for a contract or a legal requirement and meets the specific public‑interest test. In all other cases a human must be involved in the decision‑making process.
Do not rely solely on automated decisions for special category data
Fine up to £17,500,000
If your business makes a significant decision about someone using sensitive personal data (e.g., health, ethnicity, religion), you cannot let a computer make that decision on its own unless you have the person’s explicit consent, the decision is needed for a contract or a legal requirement and falls within a specific exemption, or the processing is based on another lawful basis. In practice you must put a human in the loop or meet one of these conditions before using automated processing.
Do not rely solely on automated decisions for special‑category data
Fine up to £17,500,000
If your business makes a significant decision that uses sensitive personal data (e.g., health, ethnicity, biometric data), you must not let a computer make that decision on its own unless you have the data subject’s explicit consent or a clear legal basis. You need to ensure a human is involved or the required conditions are met, and keep records to prove it.
Do not rely solely on automated decisions using special‑category data
Fine up to £17,500,000
If your business makes an important decision that uses sensitive personal data (for example health, ethnicity, religion, etc.), you cannot let a computer make that decision on its own. You must either have the person’s explicit consent, or the decision must be needed for a contract or required by law and meet the specific legal test. Otherwise a human must be involved in the decision‑making process.
Ensure Data Protection Officer carries out data‑protection duties
Fine up to £17,500,000
If your organisation has a Data Protection Officer (DPO), you must make sure they carry out the core tasks set out in the UK GDPR – informing and advising staff about data‑protection law, monitoring compliance, helping with Data Protection Impact Assessments, cooperating with the ICO and acting as the ICO’s contact point. In practice this means giving the DPO the resources, authority and information needed to perform these roles.
Ensure data protection officer carries out required tasks
Fine up to £17,500,000
If your organisation must have a Data Protection Officer (DPO) under UK GDPR, you need to make sure the DPO informs staff of data‑protection duties, monitors compliance, advises on impact assessments, works with the ICO and acts as the ICO’s contact point. In practice this means giving the DPO the resources and authority to carry out these activities and keeping records that they have been done.
Ensure DPO carries out advisory, monitoring and ICO liaison duties
Fine up to £17,500,000
Your data protection officer must keep you and your staff informed about data‑protection law, check that your handling of personal data meets the UK GDPR, help with data‑protection impact assessments, work with the ICO and act as the ICO’s main contact. You need to make sure these tasks are performed and can be shown to have been done.
Ensure GDPR‑compliant processing of personal data
Fine up to £17,500,000
If your business decides how personal data is used (you are the data controller), you must handle that data lawfully, fairly and transparently, only for the purposes you originally said, keep only what you need, keep it accurate and up to date, store it no longer than necessary, and protect it against loss or unauthorised access. You also need to be able to show how you meet all these rules.
Ensure GDPR‑compliant processing of personal data
Fine up to £17,500,000
You must handle any personal data you collect or use in a way that is lawful, fair and transparent, only for the specific purpose you said it would be used, and no more data than is needed. Keep the data accurate, store it only as long as required, protect it with appropriate security, and be able to prove you are doing all of this.
Ensure independent, adequately resourced DPO reporting to senior management
Fine up to £17,500,000
If your organisation is a data controller or processor you must give your Data Protection Officer the time, resources and authority to do the job. The DPO must be involved early in any data‑protection matters, be free from instructions or dismissal, report directly to the most senior level, and be available for data subjects to contact. You also need to keep the DPO’s work confidential and avoid any conflict of interest.
Ensure international data transfers comply with UK GDPR
Fine up to £17,500,000
You may only send personal data to a country outside the UK or to an international organisation if the transfer is allowed under UK law – either because the UK has an adequacy decision, you have put appropriate safeguards in place, or you rely on a specific exemption. Before any cross‑border transfer you must check which of these conditions applies and make sure no UK‑law restriction is breached.
Ensure international data transfers comply with UK GDPR
Fine up to £17,500,000
If your business moves personal data outside the UK – for example to a cloud provider in the US or a partner overseas – you must only do so when the transfer is approved, has appropriate safeguards, or falls under a specific exemption, and it must not breach any UK‑GDPR restrictions. In practice this means checking the legal basis before any cross‑border transfer and keeping records to prove it.
Ensure lawful international transfers of personal data
Fine up to £17,500,000
If your business sends personal data outside the UK, you can only do so when the transfer is covered by an approved adequacy decision, has appropriate safeguards (e.g., Standard Contractual Clauses or Binding Corporate Rules), or relies on a specific derogation. You must also check that the transfer does not breach any restrictions under the GDPR.
Ensure lawful international transfers of personal data
Fine up to £17,500,000
If your business (as a data controller or processor) wants to send personal data outside the UK, you must only do so when the transfer is covered by an adequacy decision, appropriate safeguards (like standard contractual clauses), or a specific derogation, and it does not breach any UK‑GDPR restrictions. You also need to keep evidence that the transfer complies with the GDPR.
Ensure lawful international transfers of personal data
Fine up to £17,500,000
If your business sends personal data outside the UK or to an international body, you must make sure the transfer is allowed. This means using an EU‑UK adequacy decision, putting in place appropriate safeguards (e.g., standard contractual clauses) or relying on a specific derogation, and complying with all other GDPR rules. You need to check this before each transfer and keep proof that the conditions are met.
Ensure lawful international transfers of personal data
Fine up to £17,500,000
If your business sends personal data outside the UK, you may only do so when there is an adequacy decision, appropriate safeguards (such as standard contractual clauses or binding corporate rules), or a specific derogation, and the transfer does not breach any UK GDPR restrictions. You must check these conditions and keep evidence before any such transfer.
Ensure lawful international transfers of personal data
Fine up to £17,500,000
If your business sends personal data outside the UK, you may only do so when the transfer meets an approved condition – such as an adequacy decision, appropriate safeguards (e.g., standard contractual clauses), or a specific derogation. You must also make sure the transfer complies with the rest of the UK GDPR. In practice this means checking each cross‑border transfer and keeping evidence of the legal basis you relied on.
Ensure lawful transfer of personal data abroad
Fine up to £17,500,000
You can only send personal data to another country or an international organisation if the transfer is covered by an approved adequacy decision, has appropriate safeguards (like standard contractual clauses), or falls under a specific exemption, and you must follow all other GDPR rules. This means before any cross‑border data move you need to verify the legal basis and keep evidence of compliance.
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
If your business sends personal data to a country outside the UK or to an international body, you must only do so when you have a valid legal basis – such as an adequacy decision, appropriate safeguards (e.g., Standard Contractual Clauses or Binding Corporate Rules), or a specific derogation. You also must not rely on a safeguard or derogation if it would breach any restriction set out in the regulation.
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
You must only move personal data outside the UK if the transfer is approved, covered by appropriate safeguards (like standard contractual clauses or binding corporate rules), or relies on a specific exemption. You also need to check that the transfer does not breach any restrictions set out in the regulation. In practice this means checking and documenting the legal basis for every international data transfer before it happens.
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
When you want to send personal data outside the UK, you must make sure the transfer meets one of the GDPR conditions – an adequacy decision, appropriate safeguards (like standard contractual clauses), or a specific derogation – and does not breach any other GDPR restrictions. You need to check this before each transfer and keep evidence of how you complied.
Ensure lawful transfers of personal data overseas
Fine up to £17,500,000
If your business (as a data controller or processor) wants to send personal data to another country or an international body, you must only do so when the transfer is approved, protected by appropriate safeguards, or covered by a specific derogation – and you must check it doesn’t breach any UK‑specific restrictions. In practice this means you need to assess every transfer and keep proof that the required condition has been met.
Ensure lawful use of automated decisions with special personal data
Fine up to £17,500,000
If your business makes an important decision that uses special categories of personal data (e.g., health, ethnicity) and that decision is driven by a computer or algorithm, you must not let the system decide on its own unless you have the data subject’s explicit consent, the decision is required for a contract or by law and meets the GDPR exception, or you have a specific legal basis under Article 6(1)(ea). Keep a human involved and retain proof of the lawful basis.
Ensure the Data Protection Officer is independent and properly supported
Fine up to £17,500,000
If your business must have a Data Protection Officer (DPO), you must let them take part in every data‑protection decision, give them the staff, budget and data access they need, and keep them independent – they must not be instructed or dismissed for doing their job. The DPO must report straight to the most senior level of management and be able to handle data‑subject enquiries confidentially.
Ensure your Data Protection Officer carries out core GDPR duties
Fine up to £17,500,000
If your organisation has appointed a Data Protection Officer (DPO), you must make sure they advise you and your staff on data‑protection law, monitor compliance, help with impact assessments, cooperate with the ICO and act as the ICO’s point of contact. In practice this means setting up regular advice, training, audits and keeping records of the DPO’s work.
Ensure your data protection officer carries out GDPR duties
Fine up to £17,500,000
If your business must have a Data Protection Officer (DPO), you need to make sure the DPO carries out a set of core tasks: advising you and staff on data‑protection law, monitoring compliance and training, helping with Data Protection Impact Assessments, cooperating with the ICO and acting as the ICO’s contact point. In practice this means giving the DPO the authority, resources and time to do those jobs and keeping records of what they have done.
Ensure your Data Protection Officer carries out GDPR duties
Fine up to £17,500,000
Your business must have a Data Protection Officer (or an equivalent role) who advises you and your staff on data‑protection law, monitors compliance, helps with impact assessments, works with the ICO and acts as the main contact for data‑protection queries. In practice you need to give the DPO the authority, resources and time to do all of these tasks.
Ensure your Data Protection Officer carries out key data protection duties
Fine up to £17,500,000
If your business must have a Data Protection Officer (DPO), you need to make sure the DPO is actually doing the work set out in the GDPR – advising managers and staff, monitoring your data‑protection compliance, helping with impact assessments, cooperating with the ICO and acting as its point of contact. In practice this means giving the DPO the authority, resources and time to carry out these tasks on an ongoing basis.
Ensure your Data Protection Officer carries out key DPO duties
Fine up to £17,500,000
If your business appoints a Data Protection Officer (DPO), you must make sure they carry out a set of core tasks. This includes advising you and your staff on data‑protection law, monitoring compliance, helping with data‑impact assessments, training staff and liaising with the ICO. Failure to have the DPO perform these duties can lead to regulator action and heavy fines.
Ensure your Data Protection Officer carries out required duties
Fine up to £17,500,000
If your business must have a Data Protection Officer (DPO), you need to make sure the DPO carries out key tasks – advising staff on data‑protection rules, monitoring compliance, helping with impact assessments, dealing with the ICO and acting as the ICO’s contact point. In practice this means putting processes in place so the DPO can perform these duties continuously.
Ensure your Data Protection Officer carries out statutory duties
Fine up to £17,500,000
If you have appointed a Data Protection Officer (DPO), you must make sure they perform key tasks – advising staff on data protection, monitoring compliance, helping with impact assessments, cooperating with the ICO and acting as the point of contact. Your business must give the DPO the authority, resources and support to do this on an ongoing basis.
Ensure your Data Protection Officer fulfills GDPR duties
If your business is a data controller or processor that must have a Data Protection Officer (DPO), you need to make sure the DPO carries out their key tasks – informing staff of data‑protection responsibilities, monitoring compliance, advising on impact assessments, cooperating with the ICO and acting as the ICO’s contact point. In practice this means giving the DPO the authority, time and resources to do this work and keeping records of what they do.
Ensure your Data Protection Officer performs prescribed GDPR tasks
Fine up to £17,500,000
If your business has appointed a Data Protection Officer (DPO), you must make sure they advise you and staff on data‑protection law, monitor compliance, help with data‑protection impact assessments, cooperate with the ICO and act as the ICO’s contact point. In practice this means giving the DPO authority, resources and support, and keeping records of the work they do.
Enter into a compliant data‑processing contract and meet processor duties
Fine up to £17,500,000
If your business processes personal data for someone else (the controller), you must have a written contract that sets out exactly what you can do, how you’ll keep the data safe and confidential, and how you’ll help the controller with data‑subject requests and breach reporting. You also need the controller’s permission before using any sub‑processor and must delete or return the data when the contract ends, while being able to show proof of compliance.
Enter into a GDPR processor contract and follow its duties
If your business processes personal data for another organisation, you must have a written contract that sets out exactly what you can do and how you must protect that data. You may only act on the controller’s documented instructions, keep staff under confidentiality, implement appropriate security, help the controller with data‑subject requests, and delete or return the data when the service ends. You also need the controller’s written permission before you use any sub‑processors.
Enter into and comply with a data processing agreement with the controller
Fine up to £17,500,000
If your business processes personal data for someone else (the controller), you must have a written contract that sets out the purpose, data types, security measures and your duties. You also need written authorisation before using any sub‑processors, keep data confidential, help the controller answer data‑subject requests, delete or return the data when the work ends, and be ready for audits.
Enter into and comply with a data processing contract with the controller
Fine up to £17,500,000
If your company processes personal data for someone else, you must have a written contract that sets out exactly how the data will be handled. The contract must cover things like only acting on the controller’s instructions, keeping data confidential, using approved sub‑processors, helping with data‑subject requests, and returning or deleting the data when the work ends.
Enter into and comply with a data‑processing contract with the controller
Fine up to £17,500,000
If your business processes personal data for another organisation (the controller), you must have a written contract that sets out exactly how the data may be handled. The agreement must cover following the controller’s instructions, security and confidentiality measures, getting written permission before using any sub‑processor, helping the controller meet data‑subject rights, and deleting or returning the data when the work ends. You need to keep the contract and supporting records ready for the ICO to check.
Enter into and comply with a written data‑processing contract
If your business processes personal data for another organisation (the controller), you must have a written contract that sets out exactly what you can do, how you must protect the data, and what you must do when the work ends. The contract also requires you to get the controller’s permission before using any sub‑processors and to help the controller meet its own data‑protection duties.
Follow GDPR data protection principles and demonstrate compliance
Whenever you handle personal data, you must do it lawfully, fairly and transparently, only for clear purposes, keep only what you need, keep it accurate and up‑to‑date, store it no longer than necessary and protect it securely. You also need to be able to show you are meeting all these rules.
Give individuals a right to object and stop processing on objection
Fine up to £17,500,000
You must tell people, in a clear and separate statement, that they can object to any use of their personal data – especially for direct marketing, profiling or when you rely on legitimate interests. If they object, you must halt that processing unless you can prove compelling grounds that outweigh their rights. For direct marketing, you must stop using their data immediately.
Give the Data Protection Officer independence, resources and senior reporting
Fine up to £17,500,000
If your business decides (or is required) to have a Data Protection Officer (DPO), you must involve them in all data‑privacy decisions, give them the budget, staff and access they need, and let them work without receiving instructions or fear of dismissal. The DPO must report directly to the highest level of management, ensuring they can act independently.
Give the DPO independence, resources and top‑level reporting
Fine up to £17,500,000
If your business decides to appoint a Data Protection Officer (or must under the UK GDPR), you must let them take part in every data‑protection decision, give them the budget, staff and access they need, and protect them from any instructions, dismissal or penalty for doing their job. The DPO must report straight to your senior management team.
Implement and demonstrate appropriate data protection measures
Fine up to £17,500,000
If your business decides how personal data is used, you must put in place suitable technical and organisational safeguards to keep that data safe and to show that you are complying with the UK GDPR. You need to review these measures regularly, adopt data protection policies where appropriate, and you can use approved codes of conduct or certifications to prove compliance.
Implement and demonstrate data protection compliance measures
Fine up to £17,500,000
As a data controller you must put in place the right technical and organisational safeguards to protect personal data and be able to show that you are complying with the UK GDPR. This includes adopting suitable data‑protection policies, keeping them up to date, and regularly reviewing the measures you have in place. You need to keep records that prove you are meeting these requirements.
Implement and demonstrate data protection measures
Fine up to £17,500,000
If your business processes personal data, you must put in place suitable technical and organisational safeguards and be able to show they work. You need to keep these measures up‑to‑date, adopt data protection policies where appropriate, and you can use approved codes of conduct or certifications to prove compliance.
Implement and demonstrate GDPR compliance measures
Fine up to £17,500,000
If your business processes personal data, you must put in place the right technical and organisational steps – such as security controls, data‑protection policies and staff training – to make sure you comply with the UK GDPR. You also need to keep evidence that these measures are in place and review them regularly to stay compliant.
Implement and demonstrate GDPR‑compliant data protection measures
Fine up to £17,500,000
As a data controller you must put in place suitable technical and organisational steps to make sure your processing of personal data complies with the UK GDPR, and you must be able to show evidence of that compliance. You should review and update these steps regularly and, where appropriate, adopt data‑protection policies or use approved codes of conduct or certifications as proof of compliance.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
If your business decides the purposes and means of processing personal data, you must put in place suitable technical and organisational safeguards to protect that data and be able to prove you are complying with the UK GDPR. You also need to keep these safeguards up‑to‑date, adopt appropriate data protection policies and you can use approved codes of conduct or certifications to demonstrate compliance.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
If your business decides how and why personal data is processed, you must put in place suitable technical and organisational steps – such as security controls, staff training and written data protection policies – and keep them up to date. You also need to be able to show evidence that you are processing data in line with the UK GDPR, for example by using an approved code of conduct or certification.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
As a data controller you must put in place appropriate technical and organisational safeguards to protect personal data, write a data protection policy (where appropriate), and keep these measures under regular review. You also need to be able to show the ICO that you are complying with the UK GDPR.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
You must put in place suitable technical and organisational steps to keep personal data safe and be able to prove you are complying with the UK GDPR. These safeguards should be regularly reviewed and updated, and you should have written data protection policies where appropriate. Using an approved code of conduct or certification can help demonstrate compliance.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
As a data controller, you must put in place appropriate technical and organisational safeguards so that any personal data you handle is processed lawfully and securely. You also need to keep these safeguards up‑to‑date, adopt proportionate data‑protection policies, and be able to show the ICO that you are complying.
Implement and maintain data protection measures and policies
Fine up to £17,500,000
You must put in place appropriate technical and organisational safeguards for any personal data you process and be able to show they are working. Keep those safeguards, and any data‑protection policies, up to date and review them regularly. You can also follow an approved code of conduct or obtain certification to prove you are complying.
Implement and maintain data‑protection policies and safeguards
Fine up to £17,500,000
If your business decides how personal data is used, you must put in place the right technical and organisational measures to protect that data and be able to show the ICO that you are complying with the UK GDPR. This includes having up‑to‑date data‑protection policies and, where appropriate, using recognised codes of conduct or certifications.
Implement and maintain GDPR compliance measures
Fine up to £17,500,000
You must put in place the right technical and organisational steps – such as security safeguards, data‑protection policies and risk assessments – to make sure any personal data you handle complies with the UK GDPR, and you must be able to show evidence of this. These measures should be reviewed and updated regularly to stay fit for purpose.
Implement appropriate data security measures
Fine up to £17,500,000
You must put in place technical and organisational safeguards that match the risk to the personal data you handle. This includes encrypting or pseudonymising data, keeping systems confidential, reliable and available, having backup and recovery plans, and regularly testing your security. Also make sure anyone who can access the data only does so under your instructions.
Implement appropriate security measures for personal data
Fine up to £17,500,000
You must put in place technical and organisational steps that keep personal data safe and match the level of risk. This includes encrypting or pseudonymising data, protecting its confidentiality, integrity and availability, having a plan to restore data after an incident, and regularly testing how effective your security measures are.
Implement appropriate security measures for personal data
Fine up to £17,500,000You must put in place technical and organisational steps that protect any personal data you handle, taking into account the type of data, how you use it and the risks to individuals. This includes things like encrypting data, keeping systems reliable, being able to restore data after an incident, and regularly testing your security arrangements.
Implement appropriate security measures for personal data
Fine up to £17,500,000If your business handles personal data, you must put in place technical and organisational steps that match the level of risk. This includes encrypting or pseudonymising data, keeping systems secure and resilient, being able to restore data quickly after an incident, and regularly testing how effective your security measures are.
Implement appropriate security measures for personal data
Fine up to £17,500,000If your business controls or processes personal data, you must put in place technical and organisational safeguards that match the risk to that data. This means using measures such as encryption or pseudonymisation, keeping data confidential, ensuring it stays available and can be quickly restored after an incident, and regularly testing your security controls.
Implement appropriate security measures for personal data
Unlimited fineYou must put in place technical and organisational safeguards that match the risks to the personal data you handle. This includes using encryption or pseudonymisation, keeping systems reliable and resilient, being able to restore data quickly after a breach, and regularly testing how effective your security controls are.
Implement appropriate security measures for personal data
Fine up to £17,500,000If you handle personal data, you must put in place technical and organisational safeguards that match the level of risk, such as encryption, pseudonymisation, regular testing and a plan to restore data after an incident. You also need to make sure anyone with access to the data only processes it under your instructions.
Implement appropriate security measures for personal data
Fine up to £17,500,000You must put in place technical and organisational safeguards that match the risk of the personal data you handle. This includes things like encrypting or pseudonymising data, keeping your IT systems resilient and able to be restored quickly after an incident, and regularly testing that your security controls work. Using an approved code of conduct or certification can help you demonstrate you meet these requirements.
Implement appropriate security measures for personal data
Fine up to £17,500,000If your business handles personal data, you must put in place technical and organisational steps that keep that data safe – think encryption, regular backups, and protection against unauthorised access. The level of security should match the risk to the people whose data you hold, and you must regularly test that your security works. This duty applies to both data controllers and any third‑party processors you use.
Implement appropriate security measures for personal data processing
Fine up to £17,500,000You must put in place technical and organisational steps that match the risk to keep personal data safe. This includes encrypting or pseudonymising data, ensuring systems stay confidential, available and resilient, being able to restore data after an incident, and regularly testing and reviewing your security controls. The duty applies to any organisation that decides how personal data is processed (controller) or that processes data on behalf of another (processor).
Implement appropriate security measures for personal data processing
Fine up to £17,500,000If your business processes personal data, you must put in place technical and organisational steps that keep that data safe, proportionate to the risks involved. This means using encryption or pseudonymisation, ensuring your IT systems stay reliable and can be restored quickly after a breach, and regularly testing your security controls.
Implement appropriate security measures for personal data processing
Fine up to £17,500,000You must put in place technical and organisational steps that keep any personal data you handle safe, proportionate to the risks. This means using encryption or pseudonymisation, ensuring data stays confidential, intact and available, being able to restore it after an incident, and regularly testing your security controls.
Implement appropriate technical and organisational security measures
Fine up to £17,500,000You must put in place security steps that match the risks of the personal data you handle. This includes things like encrypting or pseudonymising data, keeping your IT systems confidential, reliable and able to recover quickly after a problem, and regularly testing that your security measures work.
Implement data protection by design and by default
Fine up to £17,500,000You must build privacy safeguards into any new system or process that handles personal data, using measures such as pseudonymisation and data‑minimisation. By default, only the data needed for a specific purpose should be collected, stored, accessed and retained, and extra protection is required for services likely used by children.
Implement data protection by design and by default
Fine up to £17,500,000Whenever you collect, store or use personal data, you must build privacy safeguards into your systems from the start and keep them in place while you process the data. This means only collecting the data you really need, using techniques such as pseudonymisation and ensuring that, by default, only authorised people can see the data.
Implement data protection by design and by default
Fine up to £17,500,000You must build privacy safeguards into any new system or process that handles personal data, and set default settings so that only the data needed for a specific purpose is collected, stored and shared. This means using measures such as pseudonymisation, limiting the amount of data collected, and restricting who can see it unless a person explicitly changes the settings.
Implement data protection by design and by default
Fine up to £17,500,000If your business decides how personal data is collected, stored or used, you must build privacy safeguards into your systems from the outset and keep them in place while you process data. This means using techniques such as pseudonymisation, only collecting the data you really need, limiting how long you keep it and restricting who can see it – especially when the service may be used by children.
Implement data protection by design and by default
Fine up to £17,500,000You must embed privacy safeguards into any new system or process that handles personal data, and keep those safeguards in place while you process the data. This means only collecting the data you really need, storing it for as long as necessary, restricting who can see it and using techniques such as pseudonymisation. If you offer online services likely to be used by children, you need extra protection for them.
Implement data protection by design and by default
Fine up to £17,500,000When you decide how to collect, use or store personal data, you must build privacy safeguards into your systems from the start and keep them in place while you process the data. By default you should only collect, keep and share the minimum data needed for each purpose, and you must protect it with measures such as pseudonymisation or access controls.
Implement data protection by design and by default
Fine up to £17,500,000You must build privacy safeguards into every system, service or process that handles personal data. This means using techniques such as pseudonymisation and only collecting, storing and sharing the data that is strictly needed for each purpose. If you provide online services used by children, you need extra protection for their data.
Implement data protection by design and by default
Fine up to £17,500,000When you set up any new system or process that handles personal data, you must build privacy safeguards in from the start and make sure that, by default, only the data you really need is collected, stored, accessed and kept. This means using techniques such as pseudonymisation and setting default settings that limit data collection and retention.
Implement data protection by design and by default
Fine up to £17,500,000You must embed privacy‑protecting safeguards into any system or process that handles personal data. When you decide how to collect, store or use data, use measures such as pseudonymisation and data‑minimisation, and set up defaults so that only the data strictly needed for each purpose is processed, kept and shared. This duty applies to every piece of personal data you handle.
Implement data protection by design and by default
Fine up to £17,500,000When you decide how to collect, store or use personal data, you must build privacy safeguards into your systems from the start and only process the data that is truly needed. This means using measures such as pseudonymisation, limiting what you collect, how long you keep it and who can see it – especially if your service is likely to be used by children.
Implement data protection by design and by default
Fine up to £17,500,000When you decide how to collect, store or use personal data you must build data‑protective safeguards into the very design of your systems and processes. This means using measures such as pseudonymisation and only collecting, keeping and sharing the minimum data needed, with default settings that keep personal information private unless the individual chooses otherwise.
Implement data‑protection by design and by default
Fine up to £17,500,000When your business processes personal data, you must build privacy safeguards into the way you collect, store and use that data from the start and ensure that, by default, only the data needed for a specific purpose is processed. This means using measures such as pseudonymisation, data‑minimisation and setting privacy‑friendly defaults throughout your systems and processes.
Implement safeguards for automated decision‑making
Fine up to £17,500,000If your business makes an important decision about a person using only automated processing that relies on personal data, you must have safeguards in place. You need to tell the person what the decision is, let them put forward their view, give them a chance for a human to review the decision, and provide a way for them to challenge it.
Inform data subjects of right to object and stop processing on objection
Fine up to £17,500,000. You must tell anyone whose personal data you hold about their right to object to that processing, and you must cease using their data if they object, unless you can show a stronger legal reason. This covers all processing based on consent, legitimate interests or public‑task grounds, including direct‑marketing and profiling. You also need a simple way for people to object, including an automated one for online services.
Maintain an independent and well‑resourced Data Protection Officer
Fine up to £17,500,000. If you are a data controller or processor, you must make sure your Data Protection Officer (DPO) is involved in all data‑protection matters, has the resources and access they need, and can work without any instructions, dismissal or penalty. The DPO must report straight to the highest level of management.
Maintain independence and support for your Data Protection Officer
Fine up to £17,500,000. You must involve your DPO in every issue that relates to personal data, give them the resources and access needed, and let them act without receiving instructions. The DPO must be protected from dismissal or penalty and should report directly to the highest level of management. Data subjects can also contact the DPO about their data and rights.
Maintain independent, well‑resourced Data Protection Officer
Fine up to £17,500,000. If your business decides how personal data is used (controller) or processes data for someone else (processor), you must keep your Data Protection Officer (DPO) free from interference, give them the resources they need, involve them in every data‑protection decision, and ensure they report straight to senior management. You cannot give the DPO instructions on how to perform their tasks or dismiss them for doing their job correctly.
Obtain and maintain accreditation as a data‑protection certification body
If your business provides data‑protection certification, you must be accredited by the ICO or the UK national accreditation body, and you must keep that accreditation up to date. This means proving your independence and expertise, and having transparent procedures for issuing, reviewing and withdrawing certifications, as well as for handling complaints.
Obtain and maintain accreditation as a data‑protection certification body
If your company provides data‑protection certifications, you must be accredited by the ICO or the UK national accreditation body, prove you are independent and expert, set up clear procedures for issuing, reviewing and withdrawing certifications, handle complaints transparently and report any decisions to the ICO. The accreditation lasts for up to five years and must be renewed on time.
Obtain and maintain accreditation for data‑protection certification bodies
Fine up to £17,500,000. If your business issues data‑protection certifications, you must be accredited by the ICO (the Commissioner) or the UK national accreditation body. You need to prove you are independent and expert, follow the approved criteria, have clear procedures for granting, reviewing and withdrawing certifications, manage complaints transparently, avoid conflicts of interest, and renew your accreditation every five years.
Obtain and maintain data‑protection certification (if you choose to)
If you decide to get a UK GDPR certification, you must give the certifying body full details and access to your data‑processing activities, keep the certificate up to date for a maximum of three years and renew it if the required standards are still met. You also have to withdraw the certification if you no longer meet the criteria. The scheme is voluntary but, once taken, it is a binding commitment to uphold the recognised safeguards.
Obtain and maintain data‑protection certification (if you choose to)
If you decide to get a data‑protection certification to show your compliance, you must supply the certifying body with all information and access it needs about your processing activities, keep the certification up to date and renew it every three years. The certification is voluntary and does not reduce your overall GDPR responsibilities.
Obtain and maintain data‑protection certification (if you choose to)
If you want a GDPR certification to demonstrate compliance, you must give the certifying body all the information it needs about your data‑processing activities and grant it access to check them. You also need to keep the certification up‑to‑date and renew it every three years. The certification does not replace your normal GDPR responsibilities.
Obtain and maintain ICO accreditation to issue data protection certifications
If your business provides data‑protection certification, you must be accredited by the ICO or the UK national accreditation body, prove you are independent and suitably expert, and have clear, public procedures for issuing, reviewing, withdrawing certifications and handling complaints. You also need to avoid conflicts of interest and must give the ICO the reasons for any certification decision. Accreditation lasts up to five years and must be renewed.
Obtain and maintain ICO or UK accreditation as a data‑protection certification body
If your organisation wants to issue data‑protection certifications, you must be accredited by the ICO or the UK national accreditation body and keep that accreditation up to date. You must prove your independence and expertise, have clear procedures for issuing, reviewing and withdrawing certifications, handle complaints transparently, and report any decisions on certification to the ICO.
Obtain and manage consent in line with UK GDPR
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove that each person has agreed. The request for consent must be clear, separate from other terms and easy to understand, and people must be able to withdraw it just as easily as they gave it. You also cannot make consent a condition of a service unless it is truly needed for that service.
Obtain and manage valid consent for personal data
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove that each person has freely given clear, specific consent. The consent request must be shown separately from any other terms, written in plain language, and you must let individuals withdraw consent as easily as they gave it. Also, you cannot make consent a condition of a contract unless the data is necessary for that service.
Obtain and manage valid consent for personal data
Fine up to £17,500,000. You must be able to prove that anyone whose data you process has freely given clear consent, and that the consent request is presented separately from any other agreements in plain, easy‑to‑understand language. You also need to tell people they can withdraw consent at any time, and make withdrawing as simple as giving consent.
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove that each person has freely given it. The consent request must be clear, separate from other terms, and written in plain language. You also have to tell people they can withdraw consent at any time and make withdrawing as easy as giving it.
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove each person has freely given clear consent. The consent request must be shown separately from any other terms, written in plain language, and you must tell people they can withdraw at any time – and make withdrawing just as easy as giving consent. You also cannot make a contract depend on consent for data that isn’t needed for the service.
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000. When you rely on consent to process personal data, you must ask for it in a clear, separate, and easy‑to‑understand way. You need to keep proof of the consent, tell people how they can withdraw it, and make withdrawal as simple as giving consent. Consent must be freely given and not tied to a contract unless it’s truly necessary for that service.
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000. You must be able to prove that each individual has freely given clear consent before you process their data. Consent requests must be presented separately from other terms, in an easy‑to‑understand format, and people must be told they can withdraw consent at any time – withdrawal must be as easy as giving consent. Also, you must check that consent isn’t forced by making a contract dependent on processing that isn’t necessary for that contract.
Obtain and verify parental consent for children under 13
Fine up to £17,500,000. If your business provides an online service directly to a child, you may only process that child’s personal data if they are at least 13 years old. For children under 13 you must get consent from a parent or guardian and take reasonable steps, using appropriate technology, to confirm that consent is genuine before you process any data.
Obtain and verify parental consent for children under 13
Fine up to £17,500,000. If you provide an online service straight to a child, you may only process their data when they are at least 13 years old. For children younger than 13 you must get consent from a parent or guardian and take reasonable steps to verify that consent using suitable technology. Keep records of the age check and the parental consent verification.
Obtain and verify parental consent for children under 13
Fine up to £17,500,000. If you run a website or app that is offered directly to children, you may only process a child’s personal data when they are 13 or older. For children under 13 you must get consent from a parent or guardian and take reasonable steps to confirm that consent is genuine, using the technology you have available.
Obtain and verify parental consent for under‑13 users of online services
Fine up to £17,500,000. If your business provides an online service directly to children, you can only process a child’s personal data if they are at least 13 years old. For children under 13 you must get consent from a parent or guardian, and you need to make reasonable efforts to check that consent is genuine. This means putting age checks in place and keeping records of how you confirmed parental approval.
Obtain, document and allow withdrawal of valid consent
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove that each individual has freely given that consent. The consent request must be shown separately from any other terms, written in clear language, and you must let people withdraw it as easily as they gave it. You also need to keep records of both the original consent and any later withdrawal.
Obtain, record and allow easy withdrawal of consent
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to prove that the individual gave clear, separate consent. The request must be in plain language and easy to understand, and the person must be able to withdraw consent as easily as they gave it. You also cannot make a contract conditional on consent for processing that isn’t necessary for the service.
Obtain, record and allow easy withdrawal of valid consent
Fine up to £17,500,000. When you rely on a person's consent to process their personal data, you must be able to prove they gave it. The request for consent must be clearly separated from any other matters, written in plain language and easy to understand. You must tell people they can withdraw consent at any time and make withdrawing as simple as giving consent.
Obtain, record and manage valid consent for personal data
Fine up to £17,500,000. If you rely on consent to process personal data, you must be able to show that each person has freely given it. Consent requests must be clearly separate from other terms, written in plain language, and people must be told they can withdraw at any time – the withdrawal process must be as easy as giving consent. You also must not make consent a condition for a service unless the data is truly needed for that service.
Obtain, record and manage valid consent for personal data
Fine up to £17,500,000. If you process personal data on the basis of consent, you must make sure the person clearly agrees, keep proof of that agreement, and let them withdraw it just as easily as they gave it. The consent request must be shown separately from any other terms and must not be tied to a contract unless the data is needed for that contract.
Only process criminal conviction data with proper authority or legal authorisation
Fine up to £17,500,000. If your business handles any information about criminal convictions or related security measures, you may only do so when an official authority controls the processing or when UK or relevant international law specifically authorises it and provides safeguards. You must not keep a full register of convictions unless you are a public authority.
Only process personal data for RAS purposes with proper safeguards
Fine up to £17,500,000. If your business uses personal data for research, analytics or statistical (RAS) purposes, you may do so only when you actually collect the data, transform it so that individuals can no longer be identified, and when the purpose cannot be achieved without that processing. You must also put in place appropriate safeguards to protect the rights and freedoms of the data subjects.
Prepare and submit data‑protection codes of conduct for ICO approval
If you run an industry association or other body that represents data controllers or processors, you must draft a code of conduct that sets out how the GDPR should be applied in your sector and then send it to the ICO for a formal opinion and approval. Once approved, the code must be registered and published, and it must include a way for the ICO‑appointed monitoring body to check compliance.
Process personal data according to GDPR principles and show compliance
Fine up to £17,500,000. If your business collects or uses personal data, you must handle it lawfully, fairly and transparently, only for the reasons you originally stated, keep only what you need, keep it accurate, store it no longer than necessary and protect it against loss or unauthorised access. You also need to be able to prove that you are doing all of this – the ICO can check your records at any time.
Process personal data for RAS only if necessary and with safeguards
Fine up to £17,500,000. If your business uses personal data for research, statistical or analytical (RAS) purposes, you may only do so when you are actually collecting the data, turning it into a form that cannot identify individuals, or when the processing is essential for the RAS aim. You must also put appropriate technical and organisational safeguards in place to protect data subjects' rights.
Process personal data for RAS only with justification and safeguards
Fine up to £17,500,000. You can only use personal data for research, analytics or statistical (RAS) purposes if you are actually collecting the data, you are turning it into information that cannot identify individuals, or you cannot achieve the purpose any other way. In every case you must put appropriate safeguards in place to protect people’s rights and freedoms.
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000. If you use personal data for research or statistical (RAS) work, you may only do so when you actually need the data, you turn it into information that cannot identify anyone, and you have collected it appropriately. You must also put in place suitable safeguards – such as anonymisation, pseudonymisation and security measures – to protect the rights of the individuals whose data you are using.
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000. If your business uses personal data for research or statistical purposes, you may do so only when you are actually collecting the data, you need it to achieve the purpose, and you turn it into information that cannot identify individuals. You must also put appropriate safeguards in place to protect data subjects’ rights.
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000. If your business uses personal data for research or statistical work, you must first make sure the data is collected, turned into information that cannot identify individuals, or that the work cannot be done without the processing. You also need to put appropriate safeguards in place to protect the data subject’s rights and freedoms.
Process personal data for research only with safeguards
Fine up to £17,500,000. If you use personal data for research or statistical work, you may only do so when you are collecting the data, you turn it into a form that can’t identify people, and the purpose can’t be met otherwise. You must also put appropriate safeguards in place to protect individuals’ rights.
Process personal data for research/statistics only with safeguards
Fine up to £17,500,000. If you handle personal data for research or statistical purposes, you must only do so when you need the data, you’re converting it into a form that can’t identify individuals, and you have appropriate safeguards in place. You need to put technical and organisational measures (like anonymisation or pseudonymisation) in place to protect people’s rights before you start processing.
Process personal data in line with GDPR principles
Fine up to £17,500,000. If your business handles personal data, you must make sure that data is collected, used and kept lawfully, fairly and transparently, only for clear legitimate purposes, kept accurate and limited to what you need, retained no longer than necessary, and protected against unauthorised access. You also need to be able to show that you are meeting these rules.
Process personal data in line with GDPR principles
Fine up to £17,500,000. You must handle any personal data you collect or use in a way that is lawful, fair and transparent, only for the reasons you originally agreed to, and no more than is needed. Keep the data accurate, store it only as long as required, protect it with appropriate security, and be ready to show how you’ve met all these rules.
Process personal data in line with GDPR principles and demonstrate compliance
Fine up to £17,500,000. If your business handles personal data, you must do it lawfully, fairly and transparently, only for clear purposes, and keep only what you need. The data must stay accurate, be stored no longer than necessary, and be protected with appropriate security. You also need to be able to show that you are meeting all these rules.
Process personal data in line with GDPR principles and demonstrate compliance
Fine up to £17,500,000. You must handle personal data in a way that is lawful, fair, transparent, limited to a clear purpose, kept only as long as needed, accurate and secure. Your business also needs to keep records and be able to show the ICO that you are meeting these standards. This applies to any personal data you collect, store or use.
Process personal data lawfully and demonstrate compliance
Fine up to £17,500,000. You must make sure any personal data you handle is processed fairly, legally, for clear purposes, only the data you need, kept accurate and up‑to‑date, stored no longer than necessary and kept secure. You also need to be able to show how you meet these rules, for example by keeping policies, records and evidence of your data‑handling practices.
Process personal data lawfully and demonstrate compliance
Fine up to £17,500,000. You must handle any personal data you collect in a way that is legal, fair, limited to the purpose you need, accurate, kept only as long as required and protected against loss or unauthorised access. You also need to be able to show that you are meeting these rules, for example by having policies, records and regular checks.
Process personal data lawfully, fairly, transparently and securely
Fine up to £17,500,000. You must handle any personal data you collect or use in line with the GDPR’s seven core principles – only for clear, legitimate reasons, keeping it limited, accurate and up‑to‑date, storing it no longer than necessary and protecting it against loss or unauthorised access. You also need to be able to show that you are doing this, for example by keeping appropriate records and policies.
Process personal data only on controller instructions
Fine up to £17,500,000. If your business acts as a data processor (or if you work for a controller or processor), you must only handle personal data when the controller tells you to, unless the law forces you to do otherwise. You cannot decide to use the data on your own – you need clear instructions from the controller.
Process personal data only on controller's instructions
Fine up to £17,500,000. If your business handles personal data on behalf of another organisation (the controller), you may only do so when you have clear, documented instructions from that controller, unless the law specifically requires you to act otherwise. You cannot decide the purposes or means of processing yourself.
Process personal data only on controller's instructions
Fine up to £17,500,000. If your business acts as a data processor, or if you work for a controller and can see personal data, you may only use that data when the controller tells you to, unless UK law forces you to do something different. This means you need clear, documented instructions before you start any processing activity.
Process personal data only on controller’s instructions
Unlimited fineIf your business acts as a data processor, you may only handle personal data when the data‑controller tells you exactly what to do. You cannot decide your own purposes or methods unless UK law specifically requires you to process the data.
Process personal data only on controller’s instructions
Fine up to £17,500,000If your business processes personal data for someone else (the controller), you must only do so when you have clear, documented instructions from that controller. You cannot decide to use, share or change the data yourself unless the law specifically requires you to.
Process personal data only on controller’s instructions
Fine up to £17,500,000If your business processes personal data on behalf of another organisation (the controller), you must only do exactly what the controller tells you to do. You cannot decide to use the data in any other way unless a specific law forces you to.
Process personal data only on the controller's instructions
Fine up to £17,500,000If your business acts as a data processor or works for a controller, you may only handle personal data when you have clear, documented instructions from the controller. You cannot decide to process data on your own, unless UK law specifically requires you to do so. This means you need to keep a paper‑trail that shows every processing activity follows the controller’s direction.
Process personal data only on the controller’s instructions
Fine up to £17,500,000If your business processes personal data for someone else (the controller), you must only do so when the controller tells you how. You cannot decide to use the data in any other way unless a specific UK law forces you to. This means you need clear written instructions and a system to ensure staff follow them.
Process personal data only on the controller’s instructions
If your business processes personal data on behalf of another organisation (the controller), you must only do so when you have clear instructions from that controller. You may only depart from those instructions if UK law specifically requires you to process the data.
Process personal data only on the controller’s instructions
Fine up to £17,500,000If your business acts as a data processor (or anyone working on the controller’s behalf), you must only handle personal data when the controller tells you to, unless another UK law forces you to do so. In practice you need clear, written instructions and a way to prove you followed them.
Process personal data only on the controller’s instructions
Fine up to £17,500,000If your business acts as a data processor (or anyone handling personal data on behalf of a controller), you must only process that data exactly as the controller tells you to, unless the law forces you to act differently. In practice this means you need clear, written instructions from the controller and you must not use the data for any other purpose.
Process personal data only on the controller’s instructions
Fine up to £17,500,000If your business acts as a data processor (or anyone working for a processor or controller), you may only handle personal data when the controller tells you to, unless UK law forces you to act otherwise. In practice this means you need clear, documented instructions from the controller before you start any processing activity.
Process personal data only on the controller’s instructions
Fine up to £17,500,000If your business acts as a data processor – or anyone handling data for a controller – you must only use personal data when the controller tells you to, unless UK law forces you to do otherwise. This means you need clear, documented instructions and must not act on your own initiative.
Process personal data only under a compliant contract with the controller
Fine up to £17,500,000If your business acts as a data processor you must have a written contract with the data controller that sets out what data you can handle, how long, and why. The contract must require you to follow the controller’s instructions, keep data confidential, use appropriate security measures, get written permission before using any sub‑processor, help the controller meet data‑subject rights, delete or return data when the work ends, and allow audits.
Provide clear, free information and enable data‑subject rights
Fine up to £17,500,000
If your business processes personal data, you must give people concise, plain‑language information about how you handle their data and let them exercise their GDPR rights (access, correction, erasure, etc.). You must respond to any request without undue delay, usually within the statutory time limit, at no charge unless the request is clearly unfounded or excessive, and you may need to verify the requester’s identity.
Provide clear, free information and facilitate data‑subject rights
Fine up to £17,500,000
If your business decides how personal data is used (you are the data controller), you must give people a plain‑language privacy notice and any other required information in writing or electronically. When someone asks to exercise a GDPR right – for example to see, correct or delete their data – you must act on the request promptly, at no cost unless the request is clearly unreasonable, and explain any refusal.
Provide clear info and respond to data subject rights requests
Fine up to £17,500,000
You must give people easy‑to‑understand information about how you handle their personal data and be ready to act on any rights they exercise (access, correction, deletion, etc.). Replies have to be given quickly – usually within one month – and you must keep a record of each request and what you did.
Provide clear info and respond to data‑subject rights requests
Fine up to £17,500,000
When you handle personal data you must give people clear, plain‑language details about how you use their data and you must deal with any requests they make (e.g., to see, correct or delete their data) promptly. The information must be easy to access, free of charge unless the request is unreasonable, and you may need to verify the person's identity.
Provide clear information and handle data subject rights requests
Fine up to £17,500,000
When someone asks to exercise their GDPR rights – for example to see, correct or delete their personal data – you must give them clear, plain‑language information about how you process their data and respond to their request promptly. The response must be in writing or electronic form, free of charge unless the request is clearly unfounded or excessive, and you may need to verify the person's identity first.
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
When you collect personal data, you must give individuals a simple, easy‑to‑understand privacy notice (in writing or electronically). If anyone asks to exercise their GDPR rights, you must help them, respond within the statutory deadline and do it free of charge unless the request is clearly unreasonable. You also need to keep records of what you told them and how you dealt with any request.
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
When you process personal data you must give people the information the law requires (as set out in Articles 13‑14) in plain, easy‑to‑read language, and you must answer any requests to exercise their rights (access, correction, deletion, etc.) quickly and for free. If a request looks unreasonable you can charge a reasonable fee, but you must first prove it is manifestly unfounded or excessive.
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
When someone asks about how you use their personal data, you must give them concise, easy‑to‑understand information in writing or electronically. You also have to deal with any requests to view, correct, delete or restrict their data promptly and for free, unless the request is clearly unreasonable. If you cannot verify who is making the request, you must ask for extra proof before acting.
Provide clear information and promptly handle data subject rights requests
Fine up to £17,500,000
You must give people clear, plain‑language details about how you process their personal data, and you must respond to any request they make to access, correct, delete or otherwise control that data. Replies have to be given without undue delay (normally within one month) and free of charge unless the request is clearly unfounded or excessive. If you cannot be sure who is asking, you may ask for extra proof of identity before acting.
Provide clear information and respond to data subject rights requests
Fine up to £17,500,000
When an individual asks to exercise any of their data‑protection rights (e.g., access, erasure, correction), your business must give them the required information in plain, easy‑to‑understand language, help them exercise the right, and reply within the statutory time‑limit. Replies must be free of charge unless the request is clearly unfounded or excessive, and you may need to verify the requester’s identity before acting.
Provide clear information and respond to data subject rights requests
Fine up to £17,500,000
If your business is a data controller you must give people clear, plain‑language information about how you use their personal data and must answer any request they make to view, correct, delete or move their data. Replies must be given promptly, free of charge unless the request is clearly unreasonable, and you must keep a record of what was sent and when.
Provide clear privacy information and handle data‑subject rights requests promptly
Fine up to £17,500,000
If your business processes personal data, you must give people short, clear information about how you use their data and answer any requests they make – such as to see, correct or delete their data – in an easy‑to‑understand format. Replies must be given quickly (normally within one month), for free unless the request is clearly unreasonable, and you must keep a record of what you told them and how you dealt with the request.
Provide data‑subject access to personal data and information
Fine up to £17,500,000
When an individual asks you for their personal data, you must tell them whether you hold any such data and, if you do, give them a copy together with key details – why you’re processing it, what kind of data it is, who you share it with, how long you’ll keep it, their rights to correct or delete it, where the data came from and any automated decision‑making involved. You can charge a reasonable fee for extra copies and must supply the information in electronic form if the request is made that way.
Provide data subjects access to their personal data and related information
Fine up to £17,500,000
When someone asks you for the personal data you hold about them, you must tell them whether you process their data and, if you do, give them a copy together with details such as why you hold it, what categories of data you have, who you share it with, how long you’ll keep it, their rights, the source of the data and any automated decision‑making. You must do a reasonable search and can charge a modest fee for extra copies, providing the information electronically if requested.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If an individual asks, you must tell them whether you hold any personal data about them and give them a copy of that data together with key details such as why you use it, who you share it with, how long you keep it, their rights and any automated decision‑making. You should provide the information in a commonly used electronic form when requested and you may charge a reasonable fee for extra copies.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If an individual asks you for the personal data you hold about them, you must tell them whether you hold any data and, if you do, give them a copy together with key information such as why you process it, who you share it with and how long you keep it. You must carry out a reasonable search and can charge a modest fee for extra copies. The response should be in a commonly used electronic format unless the person asks for something else.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If anyone asks you for the personal data you hold about them, you must confirm whether you process it and, if you do, give them a copy together with information such as why you hold it, what categories of data you have, who you share it with, how long you’ll keep it and their rights to correct or delete it. You can charge a reasonable fee for extra copies and must supply the information in a common electronic format if the request is made electronically.
Provide data subjects with access to their personal data
Fine up to £17,500,000
When someone asks, you must tell them whether you hold any of their personal data and, if so, give them a copy together with key information about why you hold it, what categories it falls into, who you share it with, how long you’ll keep it and their rights. You can charge a reasonable fee for extra copies and must give the information in a common electronic format if requested.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If anyone asks you for their personal data, you must tell them whether you hold any about them and, if you do, give them a copy along with key details – why you’re using it, what types of data you have, who you share it with, how long you’ll keep it, their rights, the data’s source, any automated decisions and, for international transfers, the safeguards in place. You should do this after a reasonable search and can charge a modest fee for extra copies beyond the first.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If you hold personal data about someone, you must tell them whether you are processing it and, if so, give them a copy of the data together with key information – why you hold it, who you share it with, how long you’ll keep it, their rights, the source of the data and any automated decision‑making. You only need to provide what you can find after a reasonable, proportionate search, and you may charge a reasonable fee for extra copies.
Provide data subjects with access to their personal data
Fine up to £17,500,000
When anyone asks to see the personal data you hold about them, you must tell them whether you are processing it and, if you are, give them a copy of that data plus key information – why you hold it, what categories it falls into, who you share it with, how long you’ll keep it, their rights, the source of the data and any automated decision‑making involved. You may charge a reasonable fee for extra copies and must supply the information in a common electronic format unless the requester asks for something else.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If anyone asks you for a copy of their personal data, you must confirm whether you hold it and, if you do, give them the data plus key details – why you have it, what categories it falls into, who you share it with, how long you’ll keep it, their rights and any automated decision‑making. You should do this after a reasonable search, usually within a month, and in an electronic format if they prefer. You may charge a reasonable fee for extra copies beyond the first.
Provide data subjects with access to their personal data
Fine up to £17,500,000
When an individual asks for a copy of the personal data you hold about them, you must confirm whether you are processing their data and give them a copy together with key information such as why you hold it, who you share it with and how long you’ll keep it. You must carry out a reasonable search, give the first copy free of charge and may charge a modest fee for any extra copies, preferably sending the information electronically if the request is made that way.
Provide information and access for data‑protection certification
If you decide to apply for a UK‑GDPR data‑protection certification, you must give the certification body all the information it needs and let it inspect your processing activities. This helps the body check that you meet the approved certification criteria.
Provide information and access for data‑protection certification
Fine up to £17,500,000
If you choose to obtain a UK GDPR certification, you must cooperate with the approved certification body. That means giving them all the details and reasonable access they need to check your data‑processing activities. Without this, the certification cannot be granted or may be withdrawn, and non‑compliance could lead to ICO enforcement.
Provide information and maintain data‑protection certification
If you decide to obtain a GDPR data‑protection certification, you must give the certification body (or the Information Commissioner) all the information and access it needs to check your processing activities. You also need to keep the certification up to date, renew it before the three‑year expiry and surrender it if you no longer meet the criteria.
Provide information to certification body for data‑protection certification
If you decide to obtain a data‑protection certification, you must give the certification body all the details and access it needs to check your processing activities. This includes providing documents, system descriptions and allowing any site visits required for the assessment.
Provide information to data‑protection certification bodies
If you decide to apply for a data‑protection certification (or seal/mark), you must give the certification body all the details and access it needs to check your processing activities. This is the only requirement – the certification itself is voluntary.
Provide information to data subjects when you obtain their data from other sources
Fine up to £17,500,000
If you collect personal data about someone from a third party rather than directly from them, you must give that person a clear notice. The notice must include who you are, why you are using the data, what categories of data you hold, who you share it with, how long you keep it, their rights and where the data came from. You must do this within a month of getting the data, or at the latest before you first contact or disclose the data to anyone else.
Provide required data‑subject information when you collect data from other sources
Fine up to £17,500,000
If your business receives personal data about an individual from somewhere other than the individual themselves (for example a purchased list or a public register), you must give that person a clear notice with key details about who you are, why you hold the data, who you share it with, how long you keep it and their rights. The notice must be provided within a reasonable period – no later than one month – or at the first contact or the first time you disclose the data to anyone else.
Provide required information when data not obtained directly
Fine up to £17,500,000
If your business receives personal data from a source other than the individual (e.g., a third party or public record), you must tell the person who you are, why you’re using their data, what you’ll do with it and their rights. This information has to be given within a month of getting the data, or at the first contact or before you share it with anyone else.
Provide required information when you obtain data from other sources
Fine up to £17,500,000
If you receive personal data about someone from a source other than the person themselves, you must give them a clear notice that includes who you are, why you’re using the data, what you’ll do with it, who you’ll share it with, how long you’ll keep it and their rights. You need to give this information within a month of getting the data, or at the first contact or before you first share it with anyone else.
Provide required privacy information to data subjects
Fine up to £17,500,000
If you collect personal data about someone without getting it directly from them, you must tell that person what you are doing with their data. This includes who you are, why you need the data, how long you will keep it, who you will share it with, their rights, and any automated decision‑making. You must give this information within a month of getting the data, or at the first contact with the person.
Provide required transparency information to data subjects
Fine up to £17,500,000
If you collect personal data from a source other than the individual themselves, you must tell that person what data you hold, why you hold it, who you share it with, how long you’ll keep it, their rights and any automated decisions. This information has to be given within a month of obtaining the data, or at the first contact or disclosure.
Provide right‑to‑object notice and honour objections
Fine up to £17,500,000
You must tell individuals, at the latest when you first contact them, that they can object to you using their personal data – especially for direct marketing. If they do object, you must stop processing their data unless you can prove a compelling legitimate reason that overrides their rights.
Provide safeguards for automated decision‑making
Fine up to £17,500,000
If your business makes important decisions about a person using only automated processing, you must put safeguards in place. This means giving the person clear information about the decision, letting them comment, providing a way for a human to review the decision, and allowing them to challenge it.
Provide safeguards for automated decisions
Fine up to £17,500,000
If your business makes a significant decision about someone that is based wholly or partly on personal data and is carried out automatically, you must put protections in place. You need to tell the person about the decision, let them raise concerns, offer a chance for a human to review it, and give them a way to challenge the outcome.
Provide safeguards for automated decisions about individuals
Fine up to £17,500,000
If your business uses fully automated systems to make important decisions that affect a person – for example credit scoring, hiring or profiling – you must put safeguards in place. You need to tell the person about the decision, give them a way to comment, let them ask for a human to review it, and allow them to challenge the outcome.
Provide safeguards for automated decisions about individuals
Fine up to £17,500,000
If your business uses fully automated systems to make significant decisions that affect a person (e.g. credit scoring, hiring, or insurance pricing), you must put measures in place to protect their rights. You need to tell them about the decision, let them raise concerns, give them a chance to have a human review it, and allow them to challenge it.
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
If your business makes an important decision about a person using only automated processing (for example, credit scoring or automated hiring), you must put safeguards in place. You need to tell the person how the decision was made, let them comment or provide information, give them a chance to have a human review the decision, and let them challenge it if they think it’s wrong.
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
If your business makes a significant decision about a person that relies wholly or partly on personal data and is generated automatically, you must put protections in place. You need to tell the person about the decision, let them make comments, give them a chance to have a human review it, and provide a way for them to challenge it.
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
If your business makes important decisions about a person using only automated processing (for example, credit scoring or hiring algorithms), you must protect their rights. You need to tell them what the decision is, let them raise concerns, give them a chance to have a human review it, and allow them to challenge the outcome.
Provide safeguards for significant automated decisions
Fine up to £17,500,000
If your business uses automated processing that makes important decisions about individuals based on their personal data, you must put safeguards in place. You need to give the person clear information about the decision, let them respond or raise concerns, provide the option for a human to review the decision, and give them a way to challenge it.
Provide safeguards for significant automated decisions
Fine up to £17,500,000
If your business makes an important decision about someone – for example a credit score, hiring decision or insurance offer – and that decision is made entirely by a computer using personal data, you must put safeguards in place. You need to tell the person how the decision was reached, let them comment on it, give them a chance to have a human review it, and provide a way to challenge the decision.
Provide transparent information and handle data‑subject rights requests
Fine up to £17,500,000
When someone asks you to exercise any of their GDPR rights (e.g., to see, correct or delete their data), you must give them clear, plain‑language information about the personal data you hold and how you use it. You must deal with the request promptly, tell them what action you have taken (or why you are not acting), and do all of this free of charge unless the request is clearly unfounded or excessive. You may also need to verify the requester’s identity before you can act.
Put safeguards in place for automated decisions
Fine up to £17,500,000
If your business makes a significant decision about a person that is based on personal data and is carried out entirely by computer, you must have safeguards to protect the individual’s rights. This means you must tell them about the decision, let them make representations, give them the chance to have a human review it, and allow them to challenge it.
Put safeguards in place for fully automated decisions that affect individuals
Fine up to £17,500,000
If your business makes a significant decision about a person that is based wholly or partly on personal data and is carried out automatically, you must have clear safeguards. You need to tell the person about the decision, let them raise concerns, give them a chance to have a human review it, and let them challenge it.
Put safeguards in place for significant automated decisions
Fine up to £17,500,000
If your business makes an important decision about someone that is driven entirely by automated processing of personal data, you must have a set of safeguards. You need to tell the person about the decision, let them comment, offer a human to review it, and give them a way to challenge it.
Rectify inaccurate or incomplete personal data on request
Fine up to £17,500,000
If your business processes personal data, you must promptly correct any mistakes and fill in any gaps whenever an individual asks you to. The correction should be done without undue delay, taking into account why you are processing the data.
Rectify inaccurate or incomplete personal data promptly
Fine up to £17,500,000
If a customer tells you their personal details are wrong or missing, you must fix it quickly. You must update the data and, where information is incomplete, ask for any additional information needed to complete the record. This duty applies to any business that decides how personal data is used.
Respect data subjects' right to object and halt processing on objection
Fine up to £17,500,000
Anyone can tell you to stop using their personal data, especially for direct marketing, and you must comply unless you can show a stronger legal reason. You must inform people of this right the first time you contact them and give them a clear, easy way to object (including automated options). As soon as an objection is received you must stop the processing and keep a record of it.
Respect data subjects’ right to object and inform them
Fine up to £17,500,000
You must tell people, before you first contact them, that they can object to you using their data – especially for marketing or profiling. If they do object, you must stop processing their data unless you can prove a strong legitimate reason to keep it. You also need to let them object automatically online where you provide information‑society services.
Respect data subjects' right to object and stop processing
Fine up to £17,500,000
You must tell people, at the first contact with them, that they can object to you using their personal data. If they do object, you must cease processing that data straight away unless you can prove a compelling legal reason to continue. This applies to any personal data you handle for legitimate‑interest, direct‑marketing or similar purposes.
Respect data subjects’ right to object and stop processing
Fine up to £17,500,000
You must tell individuals, before you first contact them, that they can object to any use of their personal data and explain how to do so. If someone objects, you must stop processing their data (including for direct marketing) unless you can show a compelling legitimate reason. You also need to let people object automatically when they interact with you online.
Respect data subjects' right to object and stop processing on request
Fine up to £17,500,000
You must let people tell you they don’t want you to use their personal data, and you must stop using it (including for marketing) unless you can prove a strong legitimate reason that outweighs their rights. You also have to clearly tell them about this right at your first contact and give them an easy way to object, even automatically online.
Respect data subjects’ right to object to processing
Fine up to £17,500,000
You must give people a clear way to object to any of your processing activities (including direct marketing, profiling, or research). When someone objects you must stop using their data unless you can prove a compelling legitimate reason to continue. You also have to tell people about this right when you first contact them.
Restrict automated decisions on special category data
Fine up to £17,500,000
If your business makes a significant decision that uses special categories of personal data (e.g., health, ethnicity), you must not rely only on automated processing. You can do so only if you have the person's explicit consent, the decision is needed for a contract or legal reason and the specific legal basis applies, or the processing is justified under Article 6(1)(ea). Put a human check or the required consent/legal basis in place before using automation.
Set up transparent joint‑controller agreement
Fine up to £17,500,000
If your business shares control of personal data with another organisation, you must put a clear, written agreement in place that spells out who is responsible for each GDPR duty. The agreement should be transparent, may name a contact point for data subjects, and you must make the core terms available to the people whose data you process.
Stop processing when a data subject objects and tell them they can object
Fine up to £17,500,000
If anyone asks you to stop using their personal data for a particular purpose (including marketing or profiling), you must cease that processing unless you can clearly show a compelling legal reason to continue. You also have to make the right to object clear – at the first time you contact a person, you must show a separate, easy‑to‑understand notice of this right.
Support and ensure independence of your Data Protection Officer
Fine up to £17,500,000
If your business is a data controller or processor, you must involve your DPO in every data‑protection matter, give them the budget, staff and access they need, and protect them from any interference or dismissal. The DPO must report straight to senior management, so you need a clear reporting line and documented support.
Support and maintain independence of your data protection officer
Fine up to £17,500,000
If your business is a data controller or processor, you must involve your Data Protection Officer (DPO) in every data‑protection matter and give them the resources they need. The DPO must be free from your instructions, cannot be dismissed or penalised for doing their job, and must report directly to senior management. Data subjects should also be able to contact the DPO about their data rights.
Support and protect the data protection officer
Fine up to £17,500,000
If your business processes personal data, you must make sure the Data Protection Officer (DPO) is involved in every data‑protection decision at the right time, given the resources they need, and kept independent. The DPO must report directly to senior management, cannot be instructed or dismissed for doing their job, and must keep confidentiality. You also need to avoid any conflict of interest for the DPO.
Support and protect the Data Protection Officer
Fine up to £17,500,000
If your business processes personal data, you must make sure the appointed Data Protection Officer (DPO) is involved in every data‑protection decision, given the resources and authority they need, and kept independent. The DPO must be able to report directly to senior management, be free from dismissal or punishment for doing the job, and be reachable by data subjects.
Support and protect your Data Protection Officer
Fine up to £17,500,000
If your organisation is a data controller or processor and you have appointed a Data Protection Officer (DPO), you must involve the DPO in every data‑protection decision, give them the resources and access they need, and let them work independently. The DPO must report straight to senior management and cannot be dismissed or penalised for doing their job. You also need to let data subjects contact the DPO and avoid any conflict of interest for the role.
Support and protect your Data Protection Officer (DPO)
Fine up to £17,500,000
If your business is a data controller or processor and you have appointed a DPO, you must involve them in every data‑protection decision, give them the resources and access they need, and keep them independent – no one may give them instructions or dismiss them for doing their job. The DPO must report directly to senior management, and data subjects can contact the DPO about their rights.
Transfer personal data abroad only with appropriate safeguards
Fine up to £17,500,000You may only send personal data to another country or an international organisation if the transfer meets a specific condition: the destination is covered by UK adequacy regulations, you have put appropriate safeguards in place (such as the ICO's International Data Transfer Agreement or Addendum, or binding corporate rules), or a valid derogation applies, and the transfer does not breach any other UK GDPR restriction. Before any cross‑border data sharing, identify and document which condition applies, put the required safeguards in place, and remember that onward transfers by the recipient must be covered as well.
Verify parental consent for children under 13
Fine up to £17,500,000If your online service is offered directly to children, you can only process the data of a child under 13 if a parent or guardian has given consent. You must take reasonable steps to check that this consent is genuine, using technology that is appropriate for the situation.
Verify parental consent for children under 13
Fine up to £17,500,000If you provide an online service directly to children, you may only process the data of kids under 13 if a parent or guardian has given consent. You must take reasonable steps – using the technology you have – to check that this consent really exists. For children aged 13 or over you can rely on their own consent.
Verify parental consent for children under 13
Fine up to £17,500,000If you provide an online service directly to children, you can only handle the personal data of kids under 13 if a parent or guardian gives consent. Your business must take reasonable steps to check that this consent is genuine before you process any of that child's data.
Verify parental consent for children under 13 for online services
Fine up to £17,500,000If your website or app is offered directly to children and you rely on consent as your lawful basis, you can only rely on the child's own consent if they are at least 13 years old. For younger children you must obtain, and be able to show, consent from a parent or legal guardian, using reasonable checks based on the technology you have available.
Verify parental consent for children under 13 for online services
Fine up to £17,500,000If your business offers an online service directly to a child and relies on consent to process their personal data, the child's own consent is only valid when they are at least 13 years old. For children under 13 you must first obtain consent from a parent or legal guardian and take reasonable steps, using the technology available, to confirm that consent is genuine.
Verify parental consent for children under 13 using online services
Fine up to £17,500,000If your business provides online (information society) services directly to children, you must get consent from a parent or legal guardian for any child younger than 13. You also need to take reasonable steps – using the technology you have – to check that this consent is genuine before you process the child’s personal data.
Verify parental consent for children under 13 using online services
Fine up to £17,500,000If you offer an online service directly to a child and rely on consent as your lawful basis, you may only rely on the child's own consent if they are at least 13 years old. For children under 13 you must obtain consent from a parent or guardian and be able to show that you have checked this consent. You need to put reasonable, technology‑appropriate checks in place to verify that the consent really comes from the parent.
Verify parental consent for children under 13 using online services
Fine up to £17,500,000If you offer an online service directly to a child under 13, you may only process their personal data if a parent or guardian has given consent. You must also take reasonable steps, using the technology available, to check that the consent really comes from the responsible adult before you start processing any data.
Verify parental consent for children under 13 using online services
Fine up to £17,500,000If your business provides an online service (a website, app or similar) directly to a child and relies on consent to process their personal data, the child's own consent is only valid if they are at least 13 years old. For children under 13 you must obtain, and be able to prove, consent from a parent or guardian, and you must take reasonable steps to check that consent is genuine using the technology you have available.
Notifications 36
Inform data subjects of high‑risk personal data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the rights and freedoms of the people whose data you hold, you must tell those individuals without undue delay and in clear, plain language. You can skip the direct notice only if the data were unintelligible to anyone unauthorised (for example encrypted, which in practice only holds if the keys were not also exposed), you have taken remedial steps that mean the high risk is no longer likely to materialise, or notifying each person would involve disproportionate effort, in which case a public announcement or similar equally effective measure must be made instead. The ICO can also require you to notify individuals if it disagrees with your assessment.
Notify affected individuals of high‑risk data breaches
Fine up to £17,500,000If a data breach in your business is likely to cause a high risk to the rights or freedoms of anyone whose data you hold, you must tell that person as soon as possible. The notice must be written in clear, plain language and include the details required by the GDPR. You can skip the direct notice only if you have strong safeguards (e.g., encryption), have already removed the risk, or would face disproportionate effort – in which case a public announcement is required.
Notify all data recipients of corrections, deletions or restrictions
Fine up to £17,500,000When you correct, delete or restrict someone's personal data, you must let every organisation or person you previously shared that data with know about the change, unless it’s impossible or would take disproportionate effort. If the data subject asks, you also have to tell them which recipients you have notified.
Notify all recipients when you correct, delete or restrict personal data
Fine up to £17,500,000If you delete, change or limit the use of someone's personal data, you must tell every party you previously shared that data with, unless it’s impossible or would require disproportionate effort. If the individual asks, you also have to tell them who those recipients were.
Notify data recipients of any correction, deletion or restriction of personal data
Fine up to £17,500,000When you correct, delete or limit the use of someone's personal data, you must tell every organisation you previously shared that data with, unless it's impossible or would take disproportionate effort. If the person asks, you also have to tell them which organisations were notified.
Notify data recipients of any rectification, erasure or restriction
Fine up to £17,500,000If you correct, delete or limit the use of personal data, you must inform every organisation you previously shared that data with, unless it is impossible or would take disproportionate effort. If the individual asks, you also have to tell them which recipients were notified.
Notify data recipients of corrections, deletions or processing limits
Fine up to £17,500,000When you correct, delete or restrict a person's data, you must tell every organisation or person you previously shared that data with, unless it is impossible or would take disproportionate effort. If the individual asks, you also have to tell them which recipients received their data.
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000When you correct, delete, or limit the use of someone's personal data, you must tell anyone you previously shared that data with, unless it’s impossible or would take disproportionate effort. If the data subject asks, you also need to tell them who received the data.
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000If you are a data controller and you correct, delete, or limit the processing of personal data, you must tell every organisation or person you previously shared that data with, unless it is impossible or would take a disproportionate amount of effort. If the individual whose data was changed asks, you must also let them know who the recipients were.
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000When you correct, delete or restrict a person's personal data, you must tell every third party you have already shared that data with, unless it is impossible or would take disproportionate effort. If the person asks, you also have to let them know which organisations received their data.
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000When you correct, delete or restrict someone’s personal data, you must tell every organisation you previously shared that data with, unless it’s impossible or would take disproportionate effort. If the individual asks, you also have to let them know which parties you notified.
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000When you correct, delete or restrict someone's personal data, you must let every organisation or person you previously shared that data with know about the change, unless it is impossible or would take a disproportionate amount of effort. If the individual asks, you also have to tell them which recipients were informed.
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the rights and freedoms of the people involved, you must tell those people about it as soon as possible. The notice must be written in clear, plain language and include the key details required by the UK GDPR. You can skip the notice only if you have strong safeguards (e.g., encryption), have taken steps to remove the risk, or if notifying would be disproportionate – in which case you must use a public communication instead.
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000If you discover a personal data breach that could seriously harm the people whose data you hold, you must tell those individuals as soon as possible. The notice must be written in plain language and include the key details required by the law. You can skip the notice only if you have strong protection (e.g., encryption), have fixed the risk, or it would take disproportionate effort, in which case you must use a public announcement instead.
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the people affected, you must tell those people without undue delay. The notice must be written in clear, plain language and explain what happened, the likely consequences, what you are doing about it and who they can contact. You can skip the direct notice only if the data were encrypted or otherwise unintelligible to anyone unauthorised, you have removed the high risk, or notifying each person would require disproportionate effort, in which case you must inform people through a public communication instead.
Notify individuals of high‑risk data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the rights or freedoms of the people whose data you hold, you must tell those individuals as soon as possible in clear, plain language. You can skip the direct notice only if you had strong safeguards (e.g., encryption), have already remedied the risk, or would face disproportionate effort – in which case you must use an equally effective public notice.
Notify individuals of high‑risk data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the people whose data you hold, you must tell those individuals as soon as possible. The notice must be written in plain language and include at least the information set out in Article 33(3)(b) to (d): a contact point, the likely consequences, and the measures you have taken or propose to take. You can skip the individual notices only if you used strong encryption (or similar) on the data, have taken remedial steps that remove the high risk, or the effort would be disproportionate, in which case a public announcement is required.
Notify individuals of high‑risk data breaches
Fine up to £17,500,000If a breach of personal data is likely to cause a high risk to the rights or freedoms of the people affected, you must tell those individuals as soon as possible, using clear and plain language. You can skip direct notification only if the data were encrypted or otherwise protected, you have fixed the problem, or it would take disproportionate effort – in which case a public notice must be used instead.
Notify individuals of high‑risk data breaches
Fine up to £17,500,000If a breach of personal data could seriously harm the people whose data you hold, you must tell those people as soon as possible. The notice must be written in plain language and include what happened, the likely consequences and what you are doing to fix it. You can skip the direct notice only if the data were encrypted, you have removed the risk, or a direct notice would be disproportionate, in which case you must use a public announcement instead.
Notify personal data breaches to the ICO within 72 hours
Fine up to £17,500,000If your business experiences a personal data breach, you must tell the Information Commissioner’s Office without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. If you report late you must give reasons for the delay. You also need to keep a record of the breach and the steps you took to fix it, and provide the ICO with details of what happened, who was affected and how you are responding; if you are a processor, you must instead tell the controller without undue delay so that it can meet this deadline.
Notify personal data breach to the ICO within 72 hours
Fine up to £17,500,000If your business experiences a personal data breach that could harm individuals, you must tell the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after you become aware of it. You also need to keep a detailed record of the breach, its impacts and the steps you take to fix it.
Notify recipients of corrected, deleted or restricted personal data
Fine up to £17,500,000If your business corrects, deletes or limits the use of someone's personal data, you must inform every organisation or person you previously shared that data with, unless it’s impossible or would take disproportionate effort. If the individual asks, you also have to tell them which recipients received their data.
Notify recipients of data corrections, deletions or processing restrictions
Fine up to £17,500,000When you correct, delete, or restrict a person's personal data, you must tell every organisation you have previously shared that data with (unless it’s impossible or would take disproportionate effort). If the individual asks, you also need to let them know which parties you have notified.
Notify recipients of data corrections, deletions or restrictions
Fine up to £17,500,000If you fix, delete or limit the processing of someone's personal data, you must tell every party you previously shared that data with, unless it is impossible or would take a disproportionate amount of effort. If the individual asks, you also have to let them know which recipients were notified. This ensures that all parties are aware of the change and can act accordingly.
Notify the ICO of a personal data breach within 72 hours
Fine up to £17,500,000If your business suffers a breach of personal data that could harm individuals, you must tell the Information Commissioner’s Office (ICO) as soon as possible – no later than 72 hours after you become aware of it. The report must include what happened, how many people were affected, the likely impact and the steps you are taking to fix it. You also need to keep a record of the breach and any remedial actions taken.
Notify the ICO of personal data breaches
Fine up to £17,500,000If your business suffers a data breach that could affect people's rights or freedoms, you must tell the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after discovering it, giving reasons if you miss that deadline. The notification must include what happened, who was affected, the likely impact and what you are doing to fix it. You also need to keep a detailed record of the breach and any follow‑up actions.
Notify the ICO of personal data breaches and keep breach records
Fine up to £17,500,000If your business suffers a personal data breach, you must tell the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. You also need to keep a detailed record of every breach, including the low‑risk ones you decide not to report, covering its effects, your reasoning and the steps you took to fix it, so the ICO can check you complied.
Notify the ICO of personal data breaches and keep records
Fine up to £17,500,000If your business experiences a personal data breach that could harm individuals, you must tell the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after you become aware of it. You must include the details set out in the law, which you may provide in phases if they are not all available at once, and, if you miss the 72‑hour window, explain why. You also need to record the breach, its effects and any remedial action taken, so the ICO can check your compliance.
Notify the ICO of personal data breaches and keep records
Fine up to £17,500,000If a breach of personal data happens in your business and it could affect individuals' rights, you must tell the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after finding out, giving reasons for any delay. You also need to keep a detailed internal record of what happened, the impact, and what you did to fix it.
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000If your business experiences a personal data breach that could affect individuals' rights, you must tell the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after you become aware of it. The report must include what happened, who was affected, the likely impact and what you are doing about it. You also need to keep a written record of the breach and your response.
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000If your business experiences a data breach that could affect the rights or freedoms of individuals, you must report it to the ICO as soon as possible and no later than 72 hours after you become aware of it (unless the breach is unlikely to result in a risk to those rights and freedoms). You also have to keep a detailed record of what happened, the impact and the steps you took to fix it.
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000If you suffer a personal data breach that could affect the rights or freedoms of individuals, you must tell the ICO without undue delay and, where feasible, no later than 72 hours after discovering it, with reasons if you report later. The notification must include what happened, who was affected, likely consequences and what you are doing about it. You also need to keep a detailed record of the breach and any remedial actions.
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000If your business suffers a data breach that could harm people’s rights or freedoms, you must tell the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after discovering it. You also need to keep a written record of the breach, the steps you took, and any reasons for a delayed notification.
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000If your business experiences a personal data breach, you must tell the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after you become aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. You also need to keep a detailed record of the breach and what you did about it, whether or not you reported it.
Provide required information to data subjects when you did not collect their data directly
Fine up to £17,500,000If your business receives personal data from a third party or any source other than the individual, you must tell the person whose data it is about who you are, why you hold the data, how long you’ll keep it and what rights they have. This information must be given within a month of receiving the data, or at the first contact you have with the person, or before you share the data with anyone else.
Provide required privacy information to data subjects when data not obtained from them
Fine up to £17,500,000If you collect personal data about someone from a source other than the person themselves, you must tell that person certain details: who you are, where the data came from, why you’re processing it, what you’ll do with it and their rights. You must do this within a reasonable period and at the latest within one month, or sooner if you contact the person or disclose the data to someone else before then. This ensures transparency and lets individuals exercise their data‑subject rights.
Other requirements 17
Adhere to an approved code of conduct by making binding commitments
Fine up to £17,500,000If you run a company that processes personal data, you can choose to follow an approved code of conduct. If you do, you must put the safeguards from that code into enforceable contracts or other legally binding arrangements. This helps you prove you’re meeting GDPR requirements and can reduce your risk.
Adopt a UK GDPR code of conduct and commit to its safeguards
Fine up to £17,500,000If your business decides to follow an approved UK GDPR code of conduct, you must include the safeguards laid out in that code in your contracts or other legal documents. This means you have to legally bind your data‑processing arrangements to the same rules you would normally follow. It helps show regulators that you’re actively protecting personal data.
Apply for and keep a voluntary data‑protection certification
If you run a business that processes personal data, you can opt for an approved data‑protection certification to show you meet GDPR rules. Once you apply, you must give the certifying body the information and access it requires and keep the certification valid for up to three years, renewing it when required. The certification does not replace your other legal duties under the GDPR.
Cooperate with the ICO on request
Fine up to £17,500,000If the Information Commissioner asks you for information, access to records or assistance in an investigation, you must comply. This duty falls on any organisation that decides how personal data is processed (the controller) and any organisation that processes data on the controller’s behalf (the processor), as well as their representatives. Ignoring the request can lead to very large fines.
Cooperate with the ICO when asked
Fine up to £17,500,000If the Information Commissioner asks you for information, access to records or assistance in an investigation, you must provide it. This applies to any organisation that decides how personal data is processed (the controller) and any third‑party that processes data on the controller’s behalf (the processor). Failing to cooperate can lead to a large fine.
Cooperate with the ICO when asked
Fine up to £17,500,000If you are a data controller or processor, you must help the Information Commissioner’s Office (ICO) whenever they request assistance. This means supplying requested information, documents or access so the ICO can carry out its data‑protection duties. Failure to do so can attract the ICO’s maximum fine.
Cooperate with the ICO when asked
Fine up to £17,500,000If the Information Commissioner asks for information, access to premises or assistance, you – as the data controller or processor – must help. This means responding promptly and providing any documents or explanations the ICO needs to carry out its duties.
Cooperate with the ICO when it requests assistance
Fine up to £17,500,000If the Information Commissioner (the ICO) asks you for help – for example during an investigation or a data‑breach enquiry – you must provide the assistance they need. This includes supplying information, documents or access as requested. Failing to do so can lead to a substantial fine.
Cooperate with the ICO when requested
Fine up to £17,500,000If the Information Commissioner’s Office asks you for information, access to records, or assistance in an investigation, you must provide it. This duty applies to both data controllers and data processors (and any representatives acting on their behalf). Failing to cooperate can lead to a substantial fine.
Cooperate with the ICO when requested
Fine up to £17,500,000If you are a data controller or processor, you must respond to any request from the Information Commissioner’s Office (ICO) for assistance. This includes providing information, access to records or any help the ICO needs to carry out its data‑protection duties. Failure to cooperate can lead to heavy fines, and knowingly or recklessly making a false statement in response to an ICO information notice is a criminal offence under the Data Protection Act 2018.
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000If a person asks you to fix their personal data, you must promptly correct any mistakes and fill in any gaps, using any extra information they provide. The correction must be carried out without unnecessary delay, and you should keep a record of what was changed.
Enter into and comply with a data processing agreement
Fine up to £17,500,000If your business processes personal data for another organisation (the controller), you must have a written contract that sets out what data you can handle, how long you’ll keep it, the security measures you’ll use and your other duties. You must only follow the controller’s written instructions, get permission before using any sub‑processors, help the controller meet data‑subject requests, delete or return the data when the work ends, and allow the controller to audit your compliance.
Enter into and comply with a data‑processing agreement with the controller
If your business processes personal data for another organisation, you must have a written contract that sets out what data will be handled, for how long and for what purpose. You must only follow the controller’s documented instructions, get written permission before using any sub‑processor, help the controller meet data‑subject rights, delete or return the data when the service ends, and be ready for audits.
Give data subjects required information when you obtain their data from other sources
Fine up to £17,500,000If you collect personal data about someone but you didn’t get it directly from them, you must tell them who you are, why you’re using the data, who you’ll share it with, how long you’ll keep it, their rights and other key details. You have to provide this information within a month of getting the data, or at the first time you contact them or share the data with anyone else.
Give required information to people when you collect their data from other sources
Fine up to £17,500,000If your business obtains personal data about someone without them giving it to you directly, you must tell them who you are, why you’re using their data, what you’ll do with it and their rights. This must be done within a month of getting the data, or at the latest when you first contact them or first share the data with another party.
Provide information to certification body when seeking GDPR certification
If you decide to obtain a data‑protection certification or seal, you must give the certification body all the information and access it needs to check your data‑processing activities. Supplying this data is a condition of being awarded the certification.
Provide required info when you obtain data from third parties
Fine up to £17,500,000If your business receives personal data from somewhere other than the individual (e.g., a supplier, public records), you must tell the person several key details – who you are, why you’re using the data, who you’ll share it with, how long you’ll keep it, their rights, etc. This information has to be given within a month of getting the data, or at the latest when you first contact the person or disclose the data to anyone else.
Policies 2
Adopt a GDPR‑approved code of conduct for data handling
If you collect or process personal data in the UK, you can choose to follow a code of conduct that has been approved by the Information Commissioner for your sector. Such a code sets out good‑practice rules for the areas it covers, from how you collect and store data, to giving customers their rights and dealing with security breaches. Adhering to an approved code is voluntary, but once you sign up you are held to it, and it helps you demonstrate compliance and reduces the risk of fines.
Provide information to data subjects when you haven’t collected their data directly
Fine up to £17,500,000If you obtain personal data from a source other than the individual (e.g., a public register or a third‑party), you must tell the person who you are, why you’re using their data, what data you hold, who you share it with, how long you’ll keep it and what their rights are. This information must be given within a month of obtaining the data, or at the latest when you first contact the person or disclose the data to another party, and also before you use the data for any new purpose.
Offences and prohibitions 1
Infringe UK GDPR information obligations (Article 14)
Unlimited fineIf you, as a data controller, fail to give the information required by Article 14 when you obtain personal data from a source other than the data subject, you breach the UK GDPR. This breach attracts a penalty under Part 6 of the Data Protection Act 2018, which can include a large administrative fine. The maximum amount is set out elsewhere in the Act: up to £17.5 million or 4 % of annual worldwide turnover, whichever is higher.
Record keeping 2
Correct inaccurate personal data on request
Fine up to £17,500,000If a person asks you to fix incorrect personal data you hold about them, you must update it promptly. You also need to complete any missing information, for example by asking the person for extra details. This duty applies to any business that decides the purpose and means of processing personal data.
Obtain, document and manage valid consent for data processing
Fine up to £17,500,000If you use consent as the legal reason for processing personal data, you must be able to prove that each person agreed, and you must give them a simple way to withdraw that consent at any time. The consent request must be shown separately, in clear and plain language, and you must keep records of the consent and any withdrawals.
Registration and licensing 2
Maintain accreditation to issue data protection certifications
If your business provides data‑protection certifications, you must first be accredited by the Information Commissioner’s Office (ICO) or the UK national accreditation body. Accreditation shows you’re independent, have the right expertise, and run transparent processes for issuing, reviewing and withdrawing certifications. A certification body keeps its accreditation for up to five years and can renew it only if it continues to meet all the requirements.
Maintain accredited certification body status and processes
If your business is a certification body that issues or renews data‑protection certificates, you must be accredited by the ICO (or the UK national accreditation body). You need to show independence and expertise, follow strict rules for issuing, reviewing and withdrawing certificates, keep transparent complaint procedures, and provide the reason for every certification decision. This accreditation lasts 5 years and can be revoked if the conditions are no longer met.
Reporting and filing 12
Cooperate with the ICO when it requests assistance
Fine up to £17,500,000
If the Information Commissioner’s Office (ICO) asks you for information, access to records or other help, you must provide it. This duty applies to both data controllers and data processors, so you need to be ready to respond promptly whenever the ICO contacts you.
Inform data subjects of high‑risk personal data breaches
Unlimited fine
If a breach of personal data is likely to cause a high risk to the rights and freedoms of individuals, you must tell the affected people as soon as possible, using clear, plain language and providing the required details. You can skip the direct notice only if the data were encrypted, the risk has been mitigated, or informing each person would be disproportionate – in which case you must make a public announcement instead.
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
If a breach of personal data is likely to cause a high risk to the rights or freedoms of the people concerned, you must tell those individuals as soon as possible, using plain language and the required details. You can avoid direct notification only if the data were encrypted or otherwise protected, you have taken remedial steps that remove the risk, or notifying would be disproportionate – in which case a public notice is acceptable.
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
If you discover a breach that could seriously harm the people whose data you hold, you must tell those individuals promptly, using clear language and the required details. You can skip the direct notice only if the data were protected (e.g., encrypted) or you take other effective measures, otherwise you must use a public announcement.
Notify individuals of high‑risk data breaches promptly
Fine up to £17,500,000
If a breach is likely to cause a high risk to people’s rights, you must tell the affected individuals quickly, using clear language and the required details. You don’t have to if the data were encrypted, you’ve already fixed the risk, or notifying each person would be disproportionate effort – in that case you must make a public announcement that reaches them equally. The ICO can also require you to notify.
Notify the ICO of personal data breaches and keep a breach register
Fine up to £17,500,000
If your business suffers a personal data breach that could affect people’s rights, you must tell the ICO as soon as possible and no later than 72 hours after you become aware of it (or explain any delay). You also need to record what happened, the impact and the steps you took to fix it, so you can show the ICO you complied.
Provide data subject access to personal data on request
Fine up to £17,500,000
If you handle personal data, you must tell any individual who asks whether you hold their data and, if you do, give them a copy together with details such as why you hold it, what categories of data you have, who you share it with and how long you’ll keep it. You must carry out a reasonable search for the information, provide it in an electronic format if the request is made that way, and you may only charge a modest fee for extra copies.
Provide data subjects with access to their personal data
Fine up to £17,500,000
If anyone asks, you must tell them whether you hold any of their personal data and, if you do, give them a copy together with key information about why you hold it, who you share it with and how long you’ll keep it. You can charge a reasonable fee only for extra copies beyond the first, and you should normally send the information electronically unless the requester prefers another format. You must also make sure the disclosure does not infringe the rights of other people.
Provide information to certification bodies when seeking GDPR certification
If you decide to obtain a data‑protection certification, you must give the certifying body all the details and access it needs to check your data‑processing activities. The certification does not replace your GDPR obligations, so you must keep the certification up‑to‑date and renew it every three years.
Provide information to data protection certification bodies
Fine up to £17,500,000
If you decide to get a data protection certification for your processing activities, you must give the certification body or the Commissioner all the information and access needed to check your processes. Even though the certificate itself is voluntary, you have to cooperate with the certifier as part of the application.
Provide information to obtain a data protection certification
If you want a data protection seal that shows your company meets UK GDPR, you must give the certification body all the information it needs about how you process personal data. This extra step can reassure customers and partners that your privacy practices are good, but you only have to do it if you actively pursue certification.
Provide required information to data subjects when data not collected directly
Fine up to £17,500,000
If you obtain personal data from a source other than the individual (for example, a list or a third‑party provider), you must tell the person the data relate to who you are, why you’re using their data, how long you’ll keep it and what rights they have. This information must be given within a month of getting the data, or at the latest when you first contact them or disclose the data to anyone else.
Penalties for non-compliance
336 penalties under this legislation. 6 carry an unlimited fine.
Appoint a Data Protection Officer and ensure they fulfill core duties
Fine up to £17,500,000
Appoint a Data Protection Officer and publish their contact details
Fine up to £17,500,000
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
Appoint a Data Protection Officer (DPO)
Fine up to £17,500,000
Appoint a Data Protection Officer (DPO) when required
Fine up to £17,500,000
Appoint a data protection officer where required
Fine up to £17,500,000
Appoint a Data Protection Officer where required
Fine up to £17,500,000
Appoint a Data Protection Officer where required
Fine up to £17,500,000
Appoint a Data Protection Officer where required
Fine up to £17,500,000
Appoint a Data Protection Officer where required
Fine up to £17,500,000
Appoint and publish a Data Protection Officer (DPO)
Fine up to £17,500,000
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
Carry out a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
Carry out data protection impact assessments (DPIAs)
Fine up to £17,500,000
Carry out Data Protection Impact Assessments (DPIAs)
Fine up to £17,500,000
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
Carry out data protection impact assessments for high‑risk processing
Fine up to £17,500,000
Carry out Data Protection Impact Assessments for high‑risk processing
Fine up to £17,500,000
Carry out Data Protection Impact Assessments for high‑risk processing
Fine up to £17,500,000
Conduct a Data Protection Impact Assessment (DPIA) before high‑risk processing
Fine up to £17,500,000
Conduct data protection impact assessments (DPIAs)
Fine up to £17,500,000
Adopt and follow an approved data‑protection code of conduct
Fine up to £17,500,000
Agree a joint‑controller arrangement and disclose it to data subjects
Fine up to £17,500,000
Agree and disclose joint controller responsibilities
Fine up to £17,500,000
Agree and document joint controller responsibilities
Fine up to £17,500,000
Agree and document joint controller responsibilities
Fine up to £17,500,000
Agree and document responsibilities as joint controllers
Fine up to £17,500,000
Agree and document responsibilities with joint controllers
Fine up to £17,500,000
Agree and share responsibilities as joint data controllers
Fine up to £17,500,000
Agree and share responsibilities with joint controllers
Fine up to £17,500,000
Agree joint‑controller responsibilities and inform data subjects
Fine up to £17,500,000
Agree on and share GDPR responsibilities with joint controllers
Fine up to £17,500,000
Allow and respect data subjects’ right to object
Fine up to £17,500,000
Allow data subjects to object and stop processing on request
Fine up to £17,500,000
Apply data protection by design and by default
Fine up to £17,500,000
Avoid fully automated decisions using special‑category data
Fine up to £17,500,000
Avoid sole automated decisions using special‑category data
Fine up to £17,500,000
Comply with data processing contract and data protection duties
Fine up to £17,500,000
Comply with data‑processor responsibilities under UK GDPR
Fine up to £17,500,000
Comply with data‑protection principles and demonstrate accountability
Fine up to £17,500,000
Comply with GDPR data protection principles
Fine up to £17,500,000
Consult ICO before carrying out high‑risk data processing
Fine up to £17,500,000
Consult ICO before high‑risk data processing
Fine up to £17,500,000
Consult ICO before high‑risk processing
Fine up to £17,500,000
Consult ICO before high‑risk processing
Fine up to £17,500,000
Consult ICO before high‑risk processing
Fine up to £17,500,000
Consult ICO before high‑risk processing and supply required information
Fine up to £17,500,000
Consult the ICO before carrying out high‑risk processing
Fine up to £17,500,000
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
Consult the ICO before high‑risk data processing
Fine up to £17,500,000
Contract with controller and control sub‑processors
Fine up to £17,500,000
Cooperate with the ICO on request
Fine up to £17,500,000
Cooperate with the ICO when requested
Fine up to £17,500,000
Cooperate with the ICO when requested
Fine up to £17,500,000
Cooperate with the ICO when requested
Fine up to £17,500,000
Cooperate with the ICO when requested
Fine up to £17,500,000
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
Correct inaccurate personal data on request
Fine up to £17,500,000
Correct inaccurate personal data on request
Fine up to £17,500,000
Correct personal data when requested
Fine up to £17,500,000
Do not rely only on automated decisions using special‑category data
Fine up to £17,500,000
Do not rely solely on automated decisions for special category data
Fine up to £17,500,000
Do not rely solely on automated decisions for special‑category data
Fine up to £17,500,000
Do not rely solely on automated decisions using special‑category data
Fine up to £17,500,000
Ensure Data Protection Officer carries out data‑protection duties
Fine up to £17,500,000
Ensure data protection officer carries out required tasks
Fine up to £17,500,000
Ensure DPO carries out advisory, monitoring and ICO liaison duties
Fine up to £17,500,000
Ensure GDPR‑compliant processing of personal data
Fine up to £17,500,000
Ensure GDPR‑compliant processing of personal data
Fine up to £17,500,000
Ensure independent, adequately resourced DPO reporting to senior management
Fine up to £17,500,000
Ensure international data transfers comply with UK GDPR
Fine up to £17,500,000
Ensure international data transfers comply with UK GDPR
Fine up to £17,500,000
Ensure lawful international transfers of personal data
Fine up to £17,500,000
Ensure lawful international transfers of personal data
Fine up to £17,500,000
Ensure lawful international transfers of personal data
Fine up to £17,500,000
Ensure lawful international transfers of personal data
Fine up to £17,500,000
Ensure lawful international transfers of personal data
Fine up to £17,500,000
Ensure lawful transfer of personal data abroad
Fine up to £17,500,000
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
Ensure lawful transfers of personal data abroad
Fine up to £17,500,000
Ensure lawful transfers of personal data overseas
Fine up to £17,500,000
Ensure lawful use of automated decisions with special personal data
Fine up to £17,500,000
Ensure the Data Protection Officer is independent and properly supported
Fine up to £17,500,000
Ensure your Data Protection Officer carries out core GDPR duties
Fine up to £17,500,000
Ensure your data protection officer carries out GDPR duties
Fine up to £17,500,000
Ensure your Data Protection Officer carries out GDPR duties
Fine up to £17,500,000
Ensure your Data Protection Officer carries out key data protection duties
Fine up to £17,500,000
Ensure your Data Protection Officer carries out key DPO duties
Fine up to £17,500,000
Ensure your Data Protection Officer carries out required duties
Fine up to £17,500,000
Ensure your Data Protection Officer carries out statutory duties
Fine up to £17,500,000
Ensure your Data Protection Officer performs prescribed GDPR tasks
Fine up to £17,500,000
Enter into a compliant data‑processing contract and meet processor duties
Fine up to £17,500,000
Enter into and comply with a data processing agreement with the controller
Fine up to £17,500,000
Enter into and comply with a data processing contract with the controller
Fine up to £17,500,000
Enter into and comply with a data‑processing contract with the controller
Fine up to £17,500,000
Give individuals a right to object and stop processing on objection
Fine up to £17,500,000
Give the Data Protection Officer independence, resources and senior reporting
Fine up to £17,500,000
Give the DPO independence, resources and top‑level reporting
Fine up to £17,500,000
Implement and demonstrate appropriate data protection measures
Fine up to £17,500,000
Implement and demonstrate data protection compliance measures
Fine up to £17,500,000
Implement and demonstrate data protection measures
Fine up to £17,500,000
Implement and demonstrate GDPR compliance measures
Fine up to £17,500,000
Implement and demonstrate GDPR‑compliant data protection measures
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data protection measures and policies
Fine up to £17,500,000
Implement and maintain data‑protection policies and safeguards
Fine up to £17,500,000
Implement and maintain GDPR compliance measures
Fine up to £17,500,000
Implement appropriate data security measures
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data
Fine up to £17,500,000
Implement appropriate security measures for personal data processing
Fine up to £17,500,000
Implement appropriate security measures for personal data processing
Fine up to £17,500,000
Implement appropriate security measures for personal data processing
Fine up to £17,500,000
Implement appropriate technical and organisational security measures
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data protection by design and by default
Fine up to £17,500,000
Implement data‑protection by design and by default
Fine up to £17,500,000
Implement safeguards for automated decision‑making
Fine up to £17,500,000
Inform data subjects of right to object and stop processing on objection
Fine up to £17,500,000
Maintain an independent and well‑resourced Data Protection Officer
Fine up to £17,500,000
Maintain independence and support for your Data Protection Officer
Fine up to £17,500,000
Maintain independent, well‑resourced Data Protection Officer
Fine up to £17,500,000
Obtain and maintain accreditation for data‑protection certification bodies
Fine up to £17,500,000
Obtain and manage consent in line with UK GDPR
Fine up to £17,500,000
Obtain and manage valid consent for personal data
Fine up to £17,500,000
Obtain and manage valid consent for personal data
Fine up to £17,500,000
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000
Obtain and manage valid consent for personal data processing
Fine up to £17,500,000
Obtain and verify parental consent for children under 13
Fine up to £17,500,000
Obtain and verify parental consent for children under 13
Fine up to £17,500,000
Obtain and verify parental consent for children under 13
Fine up to £17,500,000
Obtain and verify parental consent for under‑13 users of online services
Fine up to £17,500,000
Obtain, document and allow withdrawal of valid consent
Fine up to £17,500,000
Obtain, record and allow easy withdrawal of consent
Fine up to £17,500,000
Obtain, record and allow easy withdrawal of valid consent
Fine up to £17,500,000
Obtain, record and manage valid consent for personal data
Fine up to £17,500,000
Obtain, record and manage valid consent for personal data
Fine up to £17,500,000
Only process criminal conviction data with proper authority or legal authorisation
Fine up to £17,500,000
Only process personal data for RAS purposes with proper safeguards
Fine up to £17,500,000
Process personal data according to GDPR principles and show compliance
Fine up to £17,500,000
Process personal data for RAS only if necessary and with safeguards
Fine up to £17,500,000
Process personal data for RAS only with justification and safeguards
Fine up to £17,500,000
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000
Process personal data for RAS purposes only with safeguards
Fine up to £17,500,000
Process personal data for research only with safeguards
Fine up to £17,500,000
Process personal data for research/statistics only with safeguards
Fine up to £17,500,000
Process personal data in line with GDPR principles
Fine up to £17,500,000
Process personal data in line with GDPR principles
Fine up to £17,500,000
Process personal data in line with GDPR principles and demonstrate compliance
Fine up to £17,500,000
Process personal data in line with GDPR principles and demonstrate compliance
Fine up to £17,500,000
Process personal data lawfully and demonstrate compliance
Fine up to £17,500,000
Process personal data lawfully and demonstrate compliance
Fine up to £17,500,000
Process personal data lawfully, fairly, transparently and securely
Fine up to £17,500,000
Process personal data only on controller instructions
Fine up to £17,500,000
Process personal data only on controller's instructions
Fine up to £17,500,000
Process personal data only on controller's instructions
Fine up to £17,500,000
Process personal data only on controller’s instructions
Fine up to £17,500,000
Process personal data only on controller’s instructions
Fine up to £17,500,000
Process personal data only on the controller's instructions
Fine up to £17,500,000
Process personal data only on the controller’s instructions
Fine up to £17,500,000
Process personal data only on the controller’s instructions
Fine up to £17,500,000
Process personal data only on the controller’s instructions
Fine up to £17,500,000
Process personal data only on the controller’s instructions
Fine up to £17,500,000
Process personal data only on the controller’s instructions
Fine up to £17,500,000
Process personal data only under a compliant contract with the controller
Fine up to £17,500,000
Provide clear, free information and enable data‑subject rights
Fine up to £17,500,000
Provide clear, free information and facilitate data‑subject rights
Fine up to £17,500,000
Provide clear info and respond to data subject rights requests
Fine up to £17,500,000
Provide clear info and respond to data‑subject rights requests
Fine up to £17,500,000
Provide clear information and handle data subject rights requests
Fine up to £17,500,000
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
Provide clear information and handle data‑subject rights requests
Fine up to £17,500,000
Provide clear information and promptly handle data subject rights requests
Fine up to £17,500,000
Provide clear information and respond to data subject rights requests
Fine up to £17,500,000
Provide clear information and respond to data subject rights requests
Fine up to £17,500,000
Provide clear privacy information and handle data‑subject rights requests promptly
Fine up to £17,500,000
Provide data‑subject access to personal data and information
Fine up to £17,500,000
Provide data subjects access to their personal data and related information
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide information and access for data‑protection certification
Fine up to £17,500,000
Provide information to data subjects when you obtain their data from other sources
Fine up to £17,500,000
Provide required data‑subject information when you collect data from other sources
Fine up to £17,500,000
Provide required information when data not obtained directly
Fine up to £17,500,000
Provide required information when you obtain data from other sources
Fine up to £17,500,000
Provide required privacy information to data subjects
Fine up to £17,500,000
Provide required transparency information to data subjects
Fine up to £17,500,000
Provide right‑to‑object notice and honour objections
Fine up to £17,500,000
Provide safeguards for automated decision‑making
Fine up to £17,500,000
Provide safeguards for automated decisions
Fine up to £17,500,000
Provide safeguards for automated decisions about individuals
Fine up to £17,500,000
Provide safeguards for automated decisions about individuals
Fine up to £17,500,000
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
Provide safeguards for automated decisions affecting individuals
Fine up to £17,500,000
Provide safeguards for significant automated decisions
Fine up to £17,500,000
Provide safeguards for significant automated decisions
Fine up to £17,500,000
Provide transparent information and handle data‑subject rights requests
Fine up to £17,500,000
Put safeguards in place for automated decisions
Fine up to £17,500,000
Put safeguards in place for fully automated decisions that affect individuals
Fine up to £17,500,000
Put safeguards in place for significant automated decisions
Fine up to £17,500,000
Rectify inaccurate or incomplete personal data on request
Fine up to £17,500,000
Rectify inaccurate or incomplete personal data promptly
Fine up to £17,500,000
Respect data subjects' right to object and halt processing on objection
Fine up to £17,500,000
Respect data subjects’ right to object and inform them
Fine up to £17,500,000
Respect data subjects' right to object and stop processing
Fine up to £17,500,000
Respect data subjects’ right to object and stop processing
Fine up to £17,500,000
Respect data subjects' right to object and stop processing on request
Fine up to £17,500,000
Respect data subjects’ right to object to processing
Fine up to £17,500,000
Restrict automated decisions on special category data
Fine up to £17,500,000
Set up transparent joint‑controller agreement
Fine up to £17,500,000
Stop processing when a data subject objects and tell them they can object
Fine up to £17,500,000
Support and ensure independence of your Data Protection Officer
Fine up to £17,500,000
Support and maintain independence of your data protection officer
Fine up to £17,500,000
Support and protect the data protection officer
Fine up to £17,500,000
Support and protect the Data Protection Officer
Fine up to £17,500,000
Support and protect your Data Protection Officer
Fine up to £17,500,000
Support and protect your Data Protection Officer (DPO)
Fine up to £17,500,000
Transfer personal data abroad only with appropriate safeguards
Fine up to £17,500,000
Verify parental consent for children under 13
Fine up to £17,500,000
Verify parental consent for children under 13
Fine up to £17,500,000
Verify parental consent for children under 13
Fine up to £17,500,000
Verify parental consent for children under 13 for online services
Fine up to £17,500,000
Verify parental consent for children under 13 for online services
Fine up to £17,500,000
Verify parental consent for children under 13 using online services
Fine up to £17,500,000
Verify parental consent for children under 13 using online services
Fine up to £17,500,000
Verify parental consent for children under 13 using online services
Fine up to £17,500,000
Verify parental consent for children under 13 using online services
Fine up to £17,500,000
Inform data subjects of high‑risk personal data breaches
Fine up to £17,500,000
Notify affected individuals of high‑risk data breaches
Fine up to £17,500,000
Notify all data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify all recipients when you correct, delete or restrict personal data
Fine up to £17,500,000
Notify data recipients of any correction, deletion or restriction of personal data
Fine up to £17,500,000
Notify data recipients of any rectification, erasure or restriction
Fine up to £17,500,000
Notify data recipients of corrections, deletions or processing limits
Fine up to £17,500,000
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify data recipients of corrections, deletions or restrictions
Fine up to £17,500,000
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
Notify individuals of high‑risk data breaches
Fine up to £17,500,000
Notify individuals of high‑risk data breaches
Fine up to £17,500,000
Notify individuals of high‑risk data breaches
Fine up to £17,500,000
Notify individuals of high‑risk data breaches
Fine up to £17,500,000
Notify personal data breaches to the ICO within 72 hours
Fine up to £17,500,000
Notify personal data breach to the ICO within 72 hours
Fine up to £17,500,000
Notify recipients of corrected, deleted or restricted personal data
Fine up to £17,500,000
Notify recipients of data corrections, deletions or processing restrictions
Fine up to £17,500,000
Notify recipients of data corrections, deletions or restrictions
Fine up to £17,500,000
Notify the ICO of a personal data breach within 72 hours
Fine up to £17,500,000
Notify the ICO of personal data breaches
Fine up to £17,500,000
Notify the ICO of personal data breaches and keep breach records
Fine up to £17,500,000
Notify the ICO of personal data breaches and keep records
Fine up to £17,500,000
Notify the ICO of personal data breaches and keep records
Fine up to £17,500,000
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000
Notify the ICO of personal data breaches within 72 hours
Fine up to £17,500,000
Provide required information to data subjects when you did not collect their data directly
Fine up to £17,500,000
Provide required privacy information to data subjects when data not obtained from them
Fine up to £17,500,000
Adhere to an approved code of conduct by making binding commitments
Fine up to £17,500,000
Adopt a UK GDPR code of conduct and commit to its safeguards
Fine up to £17,500,000
Cooperate with the ICO on request
Fine up to £17,500,000
Cooperate with the ICO when asked
Fine up to £17,500,000
Cooperate with the ICO when it requests assistance
Fine up to £17,500,000
Cooperate with the ICO when requested
Fine up to £17,500,000
Correct inaccurate or incomplete personal data on request
Fine up to £17,500,000
Enter into and comply with a data processing agreement
Fine up to £17,500,000
Give data subjects required information when you obtain their data from other sources
Fine up to £17,500,000
Give required information to people when you collect their data from other sources
Fine up to £17,500,000
Provide required info when you obtain data from third parties
Fine up to £17,500,000
Provide information to data subjects when you haven’t collected their data directly
Fine up to £17,500,000
Correct inaccurate personal data on request
Fine up to £17,500,000
Obtain, document and manage valid consent for data processing
Fine up to £17,500,000
Notify data subjects of high‑risk personal data breaches
Fine up to £17,500,000
Notify individuals of high‑risk data breaches promptly
Fine up to £17,500,000
Notify the ICO of personal data breaches and keep a breach register
Fine up to £17,500,000
Provide data subject access to personal data on request
Fine up to £17,500,000
Provide data subjects with access to their personal data
Fine up to £17,500,000
Provide information to data protection certification bodies
Fine up to £17,500,000
Provide required information to data subjects when data not collected directly
Fine up to £17,500,000
Appoint and publish a Data Protection Officer (DPO)
Unlimited fine
Comply with UK GDPR processor obligations
Unlimited fine
Implement appropriate security measures for personal data
Unlimited fine
Process personal data only on controller’s instructions
Unlimited fine
Infringe UK GDPR information obligations (Article 14)
Unlimited fine
Inform data subjects of high‑risk personal data breaches
Unlimited fine
Practical guidance
Our guides explain how to comply with the requirements above.
Compliance & Legal 21
Register with the ICO and pay the data protection fee
How to register with the Information Commissioner's Office and pay the annual data protection fee. Covers who must …
Write a privacy notice that meets UK GDPR requirements
How to write a privacy notice that complies with UK GDPR. Covers required content, plain language requirements, when …
Handle subject access requests (SARs)
How to recognise, process, and respond to subject access requests under UK GDPR. Covers the one-month response deadline, …
Respond to a ransomware attack
Emergency response guide for ransomware attacks. Covers immediate containment, recovery options, reporting requirements, and ransom payment decisions. For …
Respond to data subject access requests (DSARs)
How to handle data subject access requests under UK GDPR. Covers the one-month response deadline, identity verification, exemptions …
International data transfers: UK GDPR requirements
How to legally transfer personal data outside the UK under UK GDPR. Covers adequacy decisions, Standard Contractual Clauses, …
Report a cyber incident
Emergency response guide for reporting cyber attacks and data breaches. Covers who to contact (Report Fraud, ICO, NCSC, …
Data protection annual compliance checklist
Annual checklist for verifying your data protection compliance. Covers ICO fee renewal, privacy notices, records of processing, breach …
Write a GDPR-compliant privacy notice
How to write and maintain a privacy notice that meets UK GDPR requirements. Covers mandatory content under Articles …
Carry out a data protection impact assessment (DPIA)
How to carry out a data protection impact assessment under UK GDPR Article 35. Covers when a DPIA …
Responding to data breaches: legal requirements
What to do when you discover a personal data breach. Covers the 72-hour ICO notification rule, when you …
Data Use and Access Act 2025: what changed for businesses
What the Data (Use and Access) Act 2025 means for UK businesses. Explains the eight key reforms now …
Cookie consent: comply with PECR requirements
How to comply with cookie consent rules under the Privacy and Electronic Communications Regulations 2003 (PECR). Covers consent …
Data protection for businesses
How to comply with UK GDPR and the Data Protection Act 2018. Covers ICO registration, lawful bases for …
Using AI in recruitment and HR
Compliance requirements when using AI for recruitment, screening, and HR decisions. Covers equality law risks, data protection obligations, …
Assess your AI compliance obligations
Step-by-step guide to assessing what AI compliance obligations apply to your business. Covers inventorying AI systems, identifying personal …
Set up an AI governance framework
How to establish accountability structures, risk processes, and oversight for AI systems in your business. Covers accountability and …
AI transparency and explainability obligations
What transparency and explainability mean for AI systems and how to meet the obligations. Covers UK GDPR requirements …
AI compliance checklist
Quick verification checklist covering all major AI compliance obligations. Use this checklist to confirm your business meets its …
Create a data retention policy
How to write and implement a data retention policy that satisfies the UK GDPR storage limitation principle. Covers …
Approvals and registrations you need before trading
Understanding the approvals, registrations, and licences your business needs before you can legally start trading. Covers universal registrations, …
Sector-Specific 6
Annual retail compliance checklist
Quick annual compliance verification for established retailers. Covers consumer rights, pricing, age verification, data protection, Sunday trading, fire …
NHS Data Security and Protection Toolkit compliance
How to complete the NHS Data Security and Protection Toolkit (DSPT) annual self-assessment if you handle NHS patient …
Data protection and CCTV for hospitality businesses
How to comply with UK GDPR and PECR in hospitality, covering CCTV use, guest booking data, wifi login …
Data protection for retail businesses
UK GDPR compliance for retail businesses. Covers customer data handling, CCTV obligations, marketing consent, loyalty programme data, breach …
Data protection for healthcare providers
How healthcare providers must handle patient data under UK GDPR, including special category health data requirements, Caldicott Principles, …
Data protection for security CCTV and body-worn cameras
Data protection obligations for private security companies operating CCTV systems and body-worn cameras. Covers the two legal frameworks …
Growth & Strategy 2
Email marketing: PECR and UK GDPR requirements
How to send compliant marketing emails under PECR and UK GDPR. Covers consent requirements, the soft opt-in exception …
Electronic marketing rules (PECR)
How to comply with the Privacy and Electronic Communications Regulations 2003 when sending marketing emails, texts, and making …
Digital & Technology 2
Cyber security requirements for UK businesses
How to protect your business from cyber threats and comply with UK cyber security requirements. Includes Cyber Essentials …
Implement age assurance on your platform
Practical guide to implementing age assurance on your online platform. Covers choosing between age verification and estimation, evaluating …
Sections and provisions
119 classified provisions from this legislation.
Duties 34
- s.5 Principles relating to processing of personal data
- s.7 Conditions for consent
- s.8 Conditions applicable to child's consent in relation to information society services
- s.12 Transparent information, communication and modalities for the exercise of the rights of the data subject
- s.14 Information to be provided where personal data have not been obtained from the data subject
- s.15 Right of access by the data subject
- s.16 Right to rectification
- s.19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
- s.21 Right to object
- s.24 Responsibility of the controller
- s.25 Data protection by design and by default
- s.26 Joint controllers
- s.28 Processor
- s.29 Processing under the authority of the controller or processor
- s.31 Cooperation with the Commissioner
- s.32 Security of processing
- s.33 Notification of a personal data breach to the Commissioner
- s.34 Communication of a personal data breach to the data subject
- s.35 Data protection impact assessment
- s.36 Prior consultation
- ... and 14 more duties
Offences and penalties 2
Powers 14
- s.23 Restrictions
- s.58 Powers
- s.77 Right to lodge a complaint with the Commissioner
- s.78 Right to an effective judicial remedy against the Commissioner
- s.79 Right to an effective judicial remedy against a controller or processor
- s.80 Representation of data subjects
- s.85 Processing and freedom of expression and information
- Appropriate safeguards: further provision
- Further provision about automated decision-making
- Further provision about processing of special categories of personal data
- Purpose limitation: further processing
- Restriction in the public interest
- Transfers approved by regulations
- Transfers subject to appropriate safeguards: further provision
Definitions 5
- s.4 Definitions
- Automated processing and significant decisions
- Meaning of “applicable time period”
- Periods of time
- The data protection test
Exemptions 17
- s.2 Material scope
- s.6 Lawfulness of processing
- s.9 Processing of special categories of personal data
- s.11 Processing which does not require identification
- s.13 Information to be provided where personal data are collected from the data subject
- s.17 Right to erasure (‘right to be forgotten’)
- s.18 Right to restriction of processing
- s.20 Right to data portability
- s.27 Representatives of controllers or processors not established in the United Kingdom
- s.30 Records of processing activities
- s.41 Monitoring of approved codes of conduct
- s.47 Transfers subject to appropriate safeguards: Binding corporate rules
- s.49 Derogations for specific situations
- s.82 Right to compensation and liability
- s.86 Processing and public access to official documents
- s.95 Relationship with domestic law made before IP completion day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
- Regulations made by Secretary of State