UK Act of Parliament 2018 United Kingdom

Data Protection Act 2018

What this means for your business

63 obligations
63 penalties
7 can result in imprisonment
41 guides
Enforced by: ICO, Forestry Commission
Applies to: United Kingdom
Read full text on legislation.gov.uk

What you must do

63 compliance obligations under this legislation — 7 can result in imprisonment.

Appointments (2)

Appoint and publish details of a data protection officer

Fine up to £17,500,000

If you process personal data, you must name a qualified data protection officer (DPO) – unless you are a court or other judicial body acting in that capacity. Choose someone with strong knowledge of data protection law and the ability to carry out the DPO tasks, then make their contact details publicly available and tell the ICO about them.

Role: Data Controller · Section: s.69 · Enforced by: ICO · Scope: unless the controller is a court or other judicial authority acting in …

Nominate and support a person to prepare the assessment report

Fine up to £17,500,000

If the ICO sends you an assessment notice that says a report must be prepared, you must name a suitable person to do it within the time limit set in the notice. You also have to give that person any reasonable help they need to complete the report. Failure to do so will allow the ICO to appoint someone on your behalf and may lead to a fine.

Role: Data Controller · Section: s.146A · Enforced by: ICO · Scope: When an ICO assessment notice requires you to arrange for an approved …

Risk assessment (1)

Carry out data protection impact assessments for high‑risk processing

Fine up to £17,500,000

If your business intends to process personal data in a way that could cause a high risk to people’s rights – for example large‑scale profiling, using new technologies or processing special categories of data – you must complete a Data Protection Impact Assessment (DPIA) first. The DPIA must set out what you plan to do, the risks involved and the steps you’ll take to protect the data, and it must be finished before you start the processing.

Role: Data Controller · Section: s.64 · Enforced by: ICO · Scope: When a type of processing is likely to result in a high …

Management duties (44)

Agree and document joint controller responsibilities

Fine up to £17,500,000

If your business shares control of personal data with another organisation, you must work together to decide who is responsible for each data protection duty, record those responsibilities transparently, and appoint one of you as the point of contact for individuals whose data you process.

Role: Data Controller · Section: s.104 · Enforced by: ICO · Scope: when your business is a joint controller with one or more other …

Agree responsibilities with other joint controllers and name a contact point

Fine up to £17,500,000

If your organisation shares control of personal data with another public authority, you must work out who does what to comply with the data protection rules. You need a clear, written agreement setting out each party’s duties and decide which controller will handle enquiries from the people whose data you process.

Role: Data Controller · Section: s.58 · Enforced by: ICO · Scope: When two or more competent authorities jointly determine the purposes and means …

Assess impact and put in place data protection safeguards before processing

Fine up to £17,500,000

Before you start any new way of using personal data, you must look at how it could affect the people concerned and decide what could go wrong. Then you need to put technical and organisational safeguards in place to meet the data‑protection principles and reduce any risks. This has to be done before any processing actually begins.

Role: Data Controller · Section: s.103 · Enforced by: ICO · Scope: when planning a new type of personal data processing

Assess UK restrictions and inform non‑UK recipients of law‑enforcement data transfers

Fine up to £17,500,000

If your business sends personal data for a law‑enforcement purpose to a recipient outside the UK, you must first check whether the same data would be subject to any UK legal restrictions if it were sent to a UK competent authority. If such restrictions would apply, you must tell the overseas recipient what they are and require the recipient to comply with them.

Role: Data Controller · Section: s.80 · Enforced by: ICO · Scope: When you transmit or otherwise make available personal data for a law‑enforcement …

Avoid fully automated decisions using sensitive personal data

Fine up to £17,500,000

If your business makes a significant decision that relies on sensitive personal data (e.g., health, race, religious beliefs), you cannot let a computer make that decision on its own. You must either have the data subject’s explicit consent for the processing or be authorised by law to do so. In practice this means putting a human in the loop or proving you have the needed consent/legal basis.

Role: Data Controller · Section: s.50B · Enforced by: ICO · Scope: When making a significant decision that is based wholly or partly on …

Consult ICO before high‑risk data processing

Fine up to £17,500,000

If you plan to set up a new filing system and a Data Protection Impact Assessment shows a high risk to people's rights, you must ask the ICO for advice before you start processing the data. You send the ICO the DPIA (and any other information they request) and wait for their written advice. The ICO must reply within six weeks, which can be extended by a month for very complex projects.

Role: Data Controller · Section: s.65 · Enforced by: ICO · Scope: When a DPIA under s.64 indicates high risk to individuals' rights and …

Correct or complete personal data on request

Fine up to £17,500,000

If a person asks you to fix their personal data that is wrong, you must do it promptly. If the data is missing information, you must add what’s needed, or you can provide a supplementary statement where appropriate. If you need to keep the incorrect data for evidence, you must instead restrict its processing.

Role: Data Controller · Section: s.46 · Enforced by: ICO · Scope: When a data subject requests correction or completion of their personal data

Demonstrate compliance with data protection principles

Fine up to £17,500,000

If your business decides how and why personal data is used, you must make sure that handling meets the six data‑protection principles – it must be lawful, purpose‑limited, adequate, accurate, kept only as long as needed and kept secure. You also need to be able to show the ICO that you are meeting those rules, so you must have the right policies, records and processes in place.

Role: Data Controller · Section: s.34 · Enforced by: ICO · Scope: when acting as a data controller for personal data

Ensure lawful archiving, research and statistical processing for law enforcement

Fine up to £17,500,000

If your business processes personal data for law‑enforcement purposes and keeps it for archiving, scientific/historical research or statistical analysis, you must make sure it is done in the public interest and does not target any individual or cause substantial harm or distress. You need to check each processing activity, document the purpose and keep records showing the safeguards are applied.

Role: Data Controller · Section: s.41 · Enforced by: ICO · Scope: When processing personal data for law‑enforcement purposes for archiving, scientific/historical research, or …

Ensure lawful transfer of personal data for law‑enforcement purposes

Fine up to £17,500,000

If your business (as a data controller) needs to send personal data to a third country or an international body for law‑enforcement reasons, you must only do so when three conditions are met – the transfer is necessary, it has regulatory approval or appropriate safeguards, and the recipient is an authorised law‑enforcement authority. You also need authorisation from the relevant EU/UK member‑state unless an urgent security exception applies, and you must inform that authority if you go ahead without authorisation.

Role: Data Controller · Section: s.73 · Enforced by: ICO · Scope: When transferring personal data to a third country or international organisation for …

Ensure overseas transfers of personal data comply with DPA limits

Fine up to £17,500,000

If you are a data controller you must not send personal data to another country or to an international organisation unless that move is strictly necessary and proportionate for your legal duties or for certain security‑intelligence purposes. Before any cross‑border transfer you need to check it fits one of these narrow exceptions and keep a record of why it does.

Role: Data Controller · Section: s.109 · Enforced by: ICO · Scope: When transferring personal data to a country or international organisation outside the …

Ensure personal data collected is limited to what is necessary

Fine up to £17,500,000

You must only collect, use and keep personal data that is truly needed for a defined purpose. Anything extra or irrelevant must not be gathered or must be removed. This requires you to regularly check what you hold and why, and delete data that is excessive or no longer required.

Role: Data Controller · Section: s.88 · Enforced by: ICO · Scope: When processing personal data

Erase or restrict personal data when required

Fine up to £17,500,000

If a data subject asks you to delete their information, or the law requires you to delete it, you must do so without delay. If you must keep the data for legal evidence, you should stop processing it instead. You also have to restrict processing when you cannot confirm the data’s accuracy after a challenge.

Role: Data Controller · Section: s.47 · Enforced by: ICO · Scope: When a data subject requests erasure, when you have a legal duty …

Facilitate and respond to data‑subject complaints

Fine up to £17,500,000

If a person thinks you have broken the UK GDPR, they can complain directly to you. You must make it easy for them to complain (for example, an online form), confirm you have received the complaint within 30 days, investigate promptly, keep them updated on progress and tell them the final outcome.

Role: Data Controller · Section: s.164A · Enforced by: ICO · Scope: When a data subject submits a complaint about a possible GDPR breach

Follow framework documents when processing personal data

Fine up to £17,500,000

If you handle personal data that is covered by a framework document issued under the Data Protection Act, you must take that document into account when you process the data. In practice this means checking the document’s rules and making sure your data‑handling activities comply with them.

Role: Data Controller · Section: s.194 · Enforced by: ICO · Scope: When processing personal data that is subject to a framework document issued …

Follow the ICO’s Direct Marketing Code when sending ads

Fine up to £17,500,000

If your business sends advertising or marketing messages – via email, SMS, post, or any other channel – you must do so in line with the Direct Marketing Code published by the Information Commissioner’s Office (ICO). The code sets out how to obtain consent, how to handle opt‑outs, and other best‑practice rules. By following it you keep your marketing lawful and avoid data‑protection penalties.

Role: Data Controller · Section: s.122 · Enforced by: ICO · Scope: When carrying out any form of direct marketing

Give your DPO responsibility to advise, monitor and liaise on data protection

Fine up to £17,500,000

If your business is a data controller and has appointed a Data Protection Officer (DPO), you must assign the DPO a set of key duties. The DPO must advise you, any processors and staff about their data‑protection obligations, help with impact assessments, act as the main contact for the ICO, and monitor compliance with your policies and the law. They also need to allocate responsibilities, raise awareness, train staff and run required audits.

Role: Data Controller · Section: s.71 · Enforced by: ICO · Scope: Only applies if your organisation is required to appoint a DPO

Handle manifestly unfounded or excessive data requests appropriately

Fine up to £17,500,000

If your business receives a request for personal data that is clearly unreasonable or repetitive, you can charge a reasonable fee or refuse the request. When you refuse, you must tell the requester why and let them know they can complain to the ICO, and you must do this without undue delay and within the statutory time limit.

Role: Data Controller · Section: s.53 · Enforced by: ICO · Scope: When a data‑subject request is manifestly unfounded or excessive

Implement and maintain data protection measures and policies

Fine up to £17,500,000

You must put in place appropriate technical and organisational safeguards – such as security controls, staff training and a written data protection policy – to ensure any personal data you handle complies with the Data Protection Act. You also need to be able to show how you meet the requirements and regularly review and update those measures.

Role: Data Controller · Section: s.56 · Enforced by: ICO

Implement appropriate security measures for personal data

Fine up to £17,500,000

If your business handles personal data, you must put suitable security steps in place – like encryption, strong passwords, access controls and staff training – to stop accidental or unauthorised loss, theft, alteration or disclosure. The aim is to keep the data safe throughout its whole life‑cycle.

Role: Data Controller · Section: s.91 · Enforced by: ICO

Implement appropriate security measures for personal data processing

Fine up to £17,500,000

You must put in place technical and organisational safeguards that match the risks of any personal data you handle. If you use automated systems, you also need to assess those risks and ensure you can prevent unauthorised access, keep accurate processing logs, maintain system availability and protect data from corruption.

Role: Employer · Section: s.66 · Enforced by: ICO

Implement appropriate security measures for personal data processing

Fine up to £17,500,000

If you handle personal data as a controller or processor you must put in place technical and organisational security steps that match the risks. This means stopping unauthorised access, keeping clear records of what processing takes place, making sure systems keep working (or can be restored quickly) and protecting data from corruption, especially when you use automated processing.

Role: Employer · Section: s.107 · Enforced by: ICO · Scope: when processing personal data

Implement data protection by design and default

Fine up to £17,500,000

If you decide how your business will handle personal data, you must build data‑protection safeguards into that design and keep them in place while you process the data. By default you should only collect, store, use and share the data that is strictly needed for each purpose, and you must limit how much is kept, how long it is stored and who can see it without the individual having to step in.

Role: Data Controller · Section: s.57 · Enforced by: ICO

Implement measures to ensure and demonstrate GDPR compliance

Fine up to £17,500,000

You must put in place the right technical and organisational steps so that the way you handle personal data meets the Data Protection Act, and you must be able to show the ICO that you are complying.

Role: Data Controller · Section: s.102 · Enforced by: ICO

Inform data subjects and keep records when they request rectification, erasure or restriction

Fine up to £17,500,000

If someone asks you to correct, delete or limit the use of their personal data, you must tell them in writing whether you have complied or why you have refused, and you must do this without undue delay and within the statutory time limit (normally one month). You also need to record the reasons for any restriction, notify the original source of any inaccurate data and any third‑party recipients, and let the person know when a restriction is lifted.

Role: Data Controller · Section: s.48 · Enforced by: ICO · Scope: When a data subject requests rectification, erasure or restriction of their personal …

Keep law‑enforcement personal data accurate and properly controlled

Fine up to £17,500,000

Whenever your business processes personal data for law‑enforcement purposes you must make sure the data is correct, up‑to‑date and clearly separated by its type (facts, assessments, or subject category). Before you share the data you must check its quality, include information about its accuracy, and tell the recipient immediately if you later discover any error.

Role: Data Controller · Section: s.38 · Enforced by: ICO · Scope: When processing personal data for law‑enforcement purposes

Keep personal data accurate and up‑to‑date

Fine up to £17,500,000

If your business processes personal information, you must make sure the data you hold is correct and, when needed, updated. This means checking for errors, correcting them promptly and having a system for people to tell you about changes to their details. Ongoing attention to data quality is required.

Role: Data Controller · Section: s.89 · Enforced by: ICO · Scope: Whenever you process personal data

Keep personal data only as long as needed

Fine up to £17,500,000

You must not hold personal data for longer than necessary for the reason you collected it. Set clear retention periods, review the data regularly and securely delete or anonymise it when it’s no longer required. This helps you stay compliant and avoid hefty ICO fines.

Role: Data Controller · Section: s.90 · Enforced by: ICO

Limit law‑enforcement data to what is needed

Fine up to £17,500,000

When your business processes personal data for police or other law‑enforcement purposes, you must only collect and use data that is strictly necessary for that specific purpose. The data must be adequate, relevant and not go beyond what is needed, so you should review any such processing and remove excess information.

Role: Data Controller · Section: s.37 · Enforced by: ICO · Scope: Processing personal data for law‑enforcement purposes

Limit personal data use to its original purpose

Fine up to £17,500,000

When you collect personal data, you must clearly state why you are doing so and use it only for that reason. You can only reuse the data for other purposes if the law allows it, it is necessary and proportionate, or it falls under compatible uses such as archiving, research or statistics with proper safeguards.

Role: Data Controller · Section: s.87 · Enforced by: ICO · Scope: Whenever you collect or process personal data

Process law‑enforcement data only for specified lawful purposes

Fine up to £17,500,000

If your business collects personal data for a law‑enforcement reason, you must clearly state the exact purpose at the time you collect it and ensure any later use is compatible with that purpose. You may only reuse the data for another law‑enforcement purpose if you have legal authorisation and it is necessary and proportionate. Using the data for anything else without a legal basis is not allowed.

Role: Data Controller · Section: s.36 · Enforced by: ICO · Scope: When you collect personal data for a law‑enforcement purpose

Process personal data lawfully and fairly

Fine up to £17,500,000

You must only handle personal data if you have a legal basis – such as the individual's consent or another permitted reason – and you must do so in a fair way. This means checking that each use of personal data meets GDPR rules, keeping records of the basis you rely on, and respecting people’s rights to see, correct or delete their data.

Role: Data Controller · Section: s.2 · Enforced by: ICO · Scope: whenever you process personal data

Process personal data only on controller instructions or legal duty

Fine up to £17,500,000

If your business processes personal data as a processor (or on behalf of a controller), you may only do so when you have clear instructions from the controller or when the law requires it. Any other use of the data is prohibited and could trigger a large ICO fine.

Role: Data Processor · Section: s.60 · Enforced by: ICO · Scope: when you have access to personal data as a processor or acting …

Process personal data only on controller instructions or legal duty

Fine up to £17,500,000

If your business acts as a data processor or works under a controller’s authority, you must not handle personal data unless you have clear instructions from the controller or you are doing it to meet a legal requirement. In practice this means you need documented directions before any processing and you must keep evidence of the legal basis you’re relying on.

Role: Data Processor · Section: s.106 · Enforced by: ICO · Scope: Whenever you have access to personal data as a processor or act …

Provide data subject information in clear, plain language and free of charge

Fine up to £17,500,000

When a person asks for their personal data or other information under data‑protection rights, you must give it to them in a short, easy‑to‑understand format that’s simple to access. You can use electronic means, and if the request was made in a particular form (e.g., email) you should respond in the same form where practical, without charging a fee.

Role: Data Controller · Section: s.52 · Enforced by: ICO · Scope: When a data subject makes a request under sections 45, 46, 47, …

Provide independent, resourced DPO and involve them in data protection matters

Fine up to £17,500,000

If your business is a data controller you must give your Data Protection Officer (DPO) the time, budget and access they need to advise on every data‑protection issue. The DPO must work independently – you cannot give them instructions, put them in conflicting roles or punish them for doing their job – and they must report straight to the most senior level of management. Data subjects also need to be able to contact the DPO about their data and rights.

Role: Data Controller · Section: s.70 · Enforced by: ICO · Scope: When you have appointed a Data Protection Officer (as required under the …

Provide individuals with access to their personal data

Fine up to £17,500,000

When someone asks for the personal data you hold about them, you must tell them whether you have any, and if you do, give them a clear copy of that data plus key details about how you use it. You must do this within one month (or up to two extra months for complex requests) after you receive the request and any required identity information, and you can only charge a reasonable fee where permitted.

Role: Data Controller · Section: s.94 · Enforced by: ICO · Scope: When an individual makes a subject access request (SAR) for their personal …

Provide safeguards for automated decisions affecting individuals

Fine up to £17,500,000

If your business makes a significant decision about a person that is based on personal data and is carried out entirely by automated processing, you must put safeguards in place. This means giving the person clear information about the decision, allowing them to object, providing a chance for a human to review the decision, and letting them challenge it – unless one of the limited exemptions applies.

Role: Data Controller · Section: s.50C · Enforced by: ICO · Scope: When a significant decision about a data subject is made using automated …

Provide written copies of personal data on request

Fine up to £17,500,000

When someone asks for the personal data you hold about them, you must give them a written copy (and explain any technical terms) unless that is impossible or they agree to another format. You don’t have to respond to a repeat of the same request made soon after the first one unless a reasonable amount of time has passed, taking into account the type of data, why you process it and how often it changes.

Role: Data Controller · Section: s.95 · Enforced by: ICO · Scope: when a data subject makes a subject access request

Put a GDPR‑compliant contract in place with any data processor

Fine up to £17,500,000

If your business uses another company to process personal data for you, you must only choose processors who can guarantee appropriate technical and organisational safeguards. You must get written permission before they use any sub‑processor and have a written contract that sets out the processing details, duties and how data will be returned or destroyed.

Role: Data Controller · Section: s.59 · Enforced by: ICO · Scope: when you engage a processor to handle personal data on your behalf

Secure personal data used for law‑enforcement purposes

Fine up to £17,500,000

If your business handles personal data for any law‑enforcement activity, you must protect that data with appropriate technical and organisational safeguards. This means preventing unauthorised access, loss, destruction or damage at all times.

Role: Data Controller · Section: s.40 · Enforced by: ICO · Scope: When you process personal data for law‑enforcement purposes

Select and monitor processors that meet data protection standards

Fine up to £17,500,000

If your business uses a third party to process personal data, you must only work with processors who have appropriate security measures in place and can give you the information you need to prove the processing complies with the Data Protection Act. Keep records of these assurances so you can show compliance if asked.

Role: Data Controller · Section: s.105 · Enforced by: ICO · Scope: Whenever you engage a processor to handle personal data on your behalf

Set and review retention periods for law‑enforcement data

Fine up to £17,500,000

If your business handles personal data for law‑enforcement purposes, you must not keep it longer than needed. You need to decide how long you will keep such data and check regularly whether you still need to hold it, deleting it when it’s no longer necessary.

Role: Data Controller · Section: s.39 · Enforced by: ICO · Scope: When processing personal data for any law‑enforcement purpose

Set conditions on any further overseas transfer of personal data

Fine up to £17,500,000

When your business sends personal data outside the UK, you must require that any later transfer of that same data to another third country or international body can only happen with your prior authorisation (or the UK authoriser’s). If a transfer occurs without authorisation you must tell the UK authoriser straight away, unless an emergency national‑security exception applies.

Role: Data Controller · Section: s.78 · Enforced by: ICO · Scope: Whenever you make a transfer of personal data to a third country …

Other requirements (2)

Co‑operate with the ICO on request

Fine up to £17,500,000

If the Information Commissioner asks you for information, documents or access to your data‑processing activities, you must provide it. This applies to any organisation that decides how personal data is used (controller) or processes data on behalf of another (processor). Failing to cooperate can lead to substantial ICO fines.

Role: Data Controller · Section: s.63 · Enforced by: ICO · Scope: When the ICO makes a formal request for assistance

Provide reasons behind decisions affecting individuals on request

Fine up to £17,500,000

If your business processes personal data and the outcomes are used to make decisions about a person, that person can ask you to explain how the decision was reached. You must give them a clear explanation of the reasoning behind the processing, and you must do it promptly.

Role: Data Controller · Section: s.98 · Enforced by: ICO · Scope: When a data subject requests information about the reasoning behind processing that …

Policies (2)

Include correction rights notice when giving data access for financial standing

Fine up to £17,500,000

If your business is a credit reference agency, any time you respond to a data subject access request you may only provide personal data about the person's financial standing unless they ask for other information. You also have to attach a brief statement telling them they can ask for any wrong information to be corrected under the Consumer Credit Act.

Role: Data Controller · Section: s.13 · Enforced by: ICO · Scope: When you are a credit reference agency responding to a data subject …

Maintain a policy for sensitive data processing

Fine up to £17,500,000

If your business processes sensitive personal data based on a person’s consent or a Schedule 8 condition, you must have a written policy that explains how you will meet the data protection principles and how long you will keep or erase that data. Keep this policy while you’re processing the data and for six months after you stop, review it regularly and show it to the ICO if they ask.

Role: Data Controller · Section: s.42 · Enforced by: ICO · Scope: Processing sensitive personal data based on consent or a Schedule 8 condition

Offences and prohibitions (10)

Alter data to block a data subject’s access request

2 years imprisonment

If a person asks for their personal data (or a copy of it) under the data‑subject access right and you, as the data controller, or anyone acting on your instructions, deliberately change, delete, hide or destroy that data to stop the request being fulfilled, you commit a criminal offence. A conviction can lead to an unlimited fine (up to the statutory maximum of £17.5 million or 4 % of worldwide turnover) and up to two years’ imprisonment.

Role: Data Controller · Section: s.173 · Enforced by: ICO

Be liable as director for a data protection offence

Unlimited fine

If your company breaches the Data Protection Act and it is proven that a director, manager, secretary or any senior officer gave consent, turned a blind eye, or was negligent, that person is also guilty of the offence. The individual can be prosecuted just like the company and faces the same penalties, including unlimited fines and possible imprisonment.

Role: Director/Officer · Section: s.198 · Enforced by: ICO

Commit certain data‑protection offences

Unlimited fine

If your organisation breaches any of the data‑protection offences listed in sections 119, 173, 132, 144, 148, 148C, 170, 171, 184 or paragraph 15 of Schedule 15, you can be prosecuted. On conviction you face an unlimited fine – whether the case is heard in a magistrates’ court (summary) or sent to the Crown Court (indictable). No imprisonment is specified for these offences.

Role: Any Person · Section: s.196 · Enforced by: ICO

Destroy or falsify information after an ICO notice

2 years imprisonment

If your business receives an information or assessment notice from the ICO and you deliberately destroy, hide, block or falsify any of the requested data, documents or equipment – or let someone else do it – you are committing a criminal offence. On conviction you could face an unlimited fine and up to two years in prison.

Role: Any Person · Section: s.148 · Enforced by: ICO

Make false statement in response to an information notice

Unlimited fine

If your business (or any individual acting for it) answers an information notice from the ICO and either knowingly or recklessly gives a statement that is false in a material way, you commit a criminal offence. Conviction can lead to an unlimited fine and possibly imprisonment.

Role: Any Person · Section: s.144 · Enforced by: ICO

Make false statement in response to interview notice

2 years imprisonment

If you – or anyone acting for your business – answer an interview notice from the ICO (or Forestry Commission) and give a statement that you know is false, or are reckless as to whether it is true, you commit a criminal offence. A conviction can result in an unlimited fine and, in serious cases, imprisonment.

Role: Any Person · Section: s.148C · Enforced by: ICO

Obstruct or fail to assist the ICO’s inspection powers

2 years imprisonment

If you deliberately block the ICO (or its equivalent regulator) from inspecting personal data that it needs to look at under the UK's international obligations, or you refuse to give reasonable help when asked, you commit a criminal offence. A conviction can lead to an unlimited fine and, in the Crown Court, up to two years’ imprisonment.

Role: Any Person · Section: s.119 · Enforced by: ICO

Re‑identify de‑identified personal data without consent

2 years imprisonment

If you (or anyone in your business) deliberately or recklessly take data that has been de‑identified and make it possible to identify the original person again, without the consent of the data controller who de‑identified it, you commit a criminal offence. The same applies if you then process that re‑identified data without the controller’s consent. Conviction can lead to an unlimited fine and up to two years’ imprisonment.

Role: Any Person · Section: s.171 · Enforced by: ICO

Require a relevant record from another person

2 years imprisonment

If you ask someone – for example a job applicant, employee, or supplier – to give you a relevant record (such as a criminal‑record check) as a condition of recruitment, continued employment, a service contract, or the provision of goods or services to the public, you are committing an offence unless the requirement is authorised by law or justified in the public interest. Conviction can lead to an unlimited fine and up to two years’ imprisonment.

Role: Any Person · Section: s.184 · Enforced by: ICO

Unlawfully obtain, retain, disclose or sell personal data

2 years imprisonment

If you obtain, keep, share or sell personal data without the controller’s consent – or encourage someone else to do so – you commit a criminal offence. The offence applies whether you act knowingly or recklessly and covers selling data that was originally obtained in breach of the same rules. A conviction can lead to an unlimited fine and up to two years’ imprisonment.

Role: Any Person · Section: s.170 · Enforced by: ICO

Record keeping (2)

Maintain logs of personal data processing activities

Fine up to £17,500,000

You must keep detailed logs of any personal data you collect, change, view, share, combine or delete in automated systems. The logs need to show why and when the data was accessed or disclosed, and who did it, as far as possible. You must keep the logs for permitted purposes and give them to the ICO if asked.

Data Controller s.62 ICO

Maintain records of data processing activities

Fine up to £17,500,000

If your business decides how personal data is used (or processes data on behalf of another company), you must keep a detailed record of what you do, why you do it, who you share it with and other key information. Processors also need a similar record for the work they carry out for a controller. You must be ready to show these records to the ICO if they ask.

Data Controller s.61 ICO

Penalties for non-compliance

63 penalties under this legislation. 7 can result in imprisonment. 10 carry an unlimited fine.

Significant fine

  • s.69 Appoint and publish details of a data protection officer: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.146A Nominate and support a person to prepare the assessment report: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.64 Carry out data protection impact assessments for high‑risk processing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.104 Agree and document joint controller responsibilities: fine up to £17,500,000 (Either way)
  • s.58 Agree responsibilities with other joint controllers and name a contact point: fine up to £17,500,000 (Summary only)
  • s.103 Assess impact and put in place data protection safeguards before processing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.80 Assess UK restrictions and inform non‑UK recipients of law‑enforcement data transfers: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.50B Avoid fully automated decisions using sensitive personal data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.65 Consult ICO before high‑risk data processing: fine up to £17,500,000 (Summary only)
  • s.46 Correct or complete personal data on request: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.34 Demonstrate compliance with data protection principles: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.41 Ensure lawful archiving, research and statistical processing for law enforcement: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.73 Ensure lawful transfer of personal data for law‑enforcement purposes: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.109 Ensure overseas transfers of personal data comply with DPA limits: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.88 Ensure personal data collected is limited to what is necessary: fine up to £17,500,000 (Summary only)
  • s.47 Erase or restrict personal data when required: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.164A Facilitate and respond to data‑subject complaints: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.194 Follow framework documents when processing personal data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.122 Follow the ICO’s Direct Marketing Code when sending ads: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.71 Give your DPO responsibility to advise, monitor and liaise on data protection: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.53 Handle manifestly unfounded or excessive data requests appropriately: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.56 Implement and maintain data protection measures and policies: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.91 Implement appropriate security measures for personal data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.66 Implement appropriate security measures for personal data processing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.107 Implement appropriate security measures for personal data processing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.57 Implement data protection by design and default: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.102 Implement measures to ensure and demonstrate GDPR compliance: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.48 Inform data subjects and keep records when they request rectification, erasure or restriction: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.38 Keep law‑enforcement personal data accurate and properly controlled: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.89 Keep personal data accurate and up‑to‑date: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.90 Keep personal data only as long as needed: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.37 Limit law‑enforcement data to what is needed: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.87 Limit personal data use to its original purpose: fine up to £17,500,000 (Either way)
  • s.36 Process law‑enforcement data only for specified lawful purposes: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.2 Process personal data lawfully and fairly: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.60 Process personal data only on controller instructions or legal duty: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.106 Process personal data only on controller instructions or legal duty: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.52 Provide data subject information in clear, plain language and free of charge: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.70 Provide independent, resourced DPO and involve them in data protection matters: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.94 Provide individuals with access to their personal data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.50C Provide safeguards for automated decisions affecting individuals: fine up to £17,500,000 (Summary only)
  • s.95 Provide written copies of personal data on request: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.59 Put a GDPR‑compliant contract in place with any data processor: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.40 Secure personal data used for law‑enforcement purposes: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.105 Select and monitor processors that meet data protection standards: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.39 Set and review retention periods for law‑enforcement data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.78 Set conditions on any further overseas transfer of personal data: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.63 Co‑operate with the ICO on request: fine up to £17,500,000 (Summary only)
  • s.98 Provide reasons behind decisions affecting individuals on request: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.13 Include correction rights notice when giving data access for financial standing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.42 Maintain a policy for sensitive data processing: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.62 Maintain logs of personal data processing activities: fine up to £17,500,000 (Administrative/Civil penalty)
  • s.61 Maintain records of data processing activities: fine up to £17,500,000 (Administrative/Civil penalty)

Prison risk

  • s.173 Alter data to block a data subject’s access request: unlimited fine and/or 2 years imprisonment (Either way)
  • s.148 Destroy or falsify information after an ICO notice: unlimited fine and/or 2 years imprisonment (Either way)
  • s.148C Make false statement in response to interview notice: unlimited fine and/or 2 years imprisonment (Either way)
  • s.119 Obstruct or fail to assist the ICO’s inspection powers: unlimited fine and/or 2 years imprisonment (Either way)
  • s.171 Re‑identify de‑identified personal data without consent: unlimited fine and/or 2 years imprisonment (Either way)
  • s.184 Require a relevant record from another person: unlimited fine and/or 2 years imprisonment (Either way)
  • s.170 Unlawfully obtain, retain, disclose or sell personal data: unlimited fine and/or 2 years imprisonment (Either way)

Unlimited fine

  • s.198 Be liable as director for a data protection offence: unlimited fine (Either way)
  • s.196 Commit certain data‑protection offences: unlimited fine (Either way)
  • s.144 Make false statement in response to an information notice: unlimited fine (Either way)

Practical guidance

Our guides explain how to comply with the requirements above.

Compliance & Legal 18

Write a privacy notice that meets UK GDPR requirements

How to write a privacy notice that complies with UK GDPR. Covers required content, plain language requirements, when …

Respond to a ransomware attack

Emergency response guide for ransomware attacks. Covers immediate containment, recovery options, reporting requirements, and ransom payment decisions. For …

Respond to data subject access requests (DSARs)

How to handle data subject access requests under UK GDPR. Covers the one-month response deadline, identity verification, exemptions …

International data transfers: UK GDPR requirements

How to legally transfer personal data outside the UK under UK GDPR. Covers adequacy decisions, Standard Contractual Clauses, …

Report a cyber incident

Emergency response guide for reporting cyber attacks and data breaches. Covers who to contact (Report Fraud, ICO, NCSC, …

Responding to data breaches: legal requirements

What to do when you discover a personal data breach. Covers the 72-hour ICO notification rule, when you …

Cookie consent: comply with PECR requirements

How to comply with cookie consent rules under the Privacy and Electronic Communications Regulations 2003 (PECR). Covers consent …

Register with the ICO and pay the data protection fee

How to register with the Information Commissioner's Office and pay the annual data protection fee. Covers who must …

Data protection for businesses

How to comply with UK GDPR and the Data Protection Act 2018. Covers ICO registration, lawful bases for …

Handle subject access requests (SARs)

How to recognise, process, and respond to subject access requests under UK GDPR. Covers the one-month response deadline, …

Data protection annual compliance checklist

Annual checklist for verifying your data protection compliance. Covers ICO fee renewal, privacy notices, records of processing, breach …

Write a GDPR-compliant privacy notice

How to write and maintain a privacy notice that meets UK GDPR requirements. Covers mandatory content under Articles …

Carry out a data protection impact assessment (DPIA)

How to carry out a data protection impact assessment under UK GDPR Article 35. Covers when a DPIA …

Data Use and Access Act 2025: what changed for businesses

What the Data (Use and Access) Act 2025 means for UK businesses. Explains the eight key reforms now …

Create a data retention policy

How to write and implement a data retention policy that satisfies the UK GDPR storage limitation principle. Covers …

Cyber insurance for businesses

Understanding what cyber insurance covers, when your business needs it, and how UK GDPR obligations create financial exposure …

Approvals and registrations you need before trading

Understanding the approvals, registrations, and licences your business needs before you can legally start trading. Covers universal registrations, …

Pre-trading compliance checklist

A concise yes/no checklist to verify you have completed all mandatory pre-trading requirements, including business registration, tax, insurance, …

Digital & Technology 13

Tech Sector Compliance Overview

Comprehensive guide to regulatory compliance for technology businesses - UK GDPR, data protection, online safety, cybersecurity, and sector-specific …

Tech Sector Licensing and Authorisations

Comprehensive guide to licences and regulatory authorisations required for technology businesses - telecommunications, financial services, intellectual property, export …

Cryptoasset Business Regulation

Regulatory requirements for cryptoasset businesses in the UK - how token classification determines whether you need full FCA …

Privacy and Electronic Communications Regulations

PECR sits alongside UK GDPR and gives specific privacy rights relating to electronic communications, including marketing calls, emails, …

Network and Information Systems (NIS) Regulations

The NIS Regulations 2018 (as amended in 2022) require operators of essential services and relevant digital service providers …

AI Regulation Framework

The UK takes a principles-based, sector-specific approach to AI regulation. There is no single AI law. Instead, existing …

NIS Regulations: compliance for operators of essential services

How to comply with the Network and Information Systems (NIS) Regulations 2018 as an operator of essential services. …

Cyber security requirements for UK businesses

How to protect your business from cyber threats and comply with UK cyber security requirements. Includes Cyber Essentials …

Cyber security basics for small businesses

Practical, low-cost steps to protect your small business from cyber attacks. Covers the five Cyber Essentials controls, free …

Age verification for online services

How to implement age verification to comply with the Online Safety Act and ICO Children's Code. Covers verification …

Conduct a children's access assessment

Step-by-step guide to assessing whether children are likely to access your online service under the Online Safety Act …

Children's safety duties under the Online Safety Act

Comprehensive guide to the children's safety duties under the Online Safety Act 2023. Covers what triggers the duties, …

Implement age assurance on your platform

Practical guide to implementing age assurance on your online platform. Covers choosing between age verification and estimation, evaluating …

Sections and provisions

260 classified provisions from this legislation.

Duties 74

  • s.2 Protection of personal data
  • s.13 Obligations of credit reference agencies
  • s.34 Overview and general duty of controller
  • s.36 The second data protection principle
  • s.37 The third data protection principle
  • s.38 The fourth data protection principle
  • s.39 The fifth data protection principle
  • s.40 The sixth data protection principle
  • s.41 Safeguards: archiving
  • s.42 Safeguards: sensitive processing
  • s.46 Right to rectification
  • s.47 Right to erasure or restriction of processing
  • s.48 Rights under section 46 or 47: supplementary (the controller)
  • s.50C Safeguards for automated decision-making (the controller)
  • s.50B Restrictions on automated decision-making based on sensitive processing
  • s.51 Exercise of rights through the Commissioner
  • s.52 Form of provision of information etc
  • s.53 Manifestly unfounded or excessive requests by the data subject (the controller)
  • s.56 General obligations of the controller (controller)
  • s.57 Data protection by design and default (controller)
  • ... and 54 more duties

Offences and penalties 13

  • s.119 Inspection of personal data in accordance with international obligations
  • s.132 Confidentiality of information
  • s.144 False statements made in response to information notices
  • s.148C False statements made in response to interview notices
  • s.148 Destroying or falsifying information and documents etc
  • s.155 Penalty notices
  • s.170 Unlawful obtaining etc of personal data
  • s.171 Re-identification of de-identified personal data
  • s.173 Alteration etc of personal data to prevent disclosure to data subject
  • s.184 Prohibition of requirement to produce relevant records
  • s.195 Reserve forces: data-sharing by HMRC
  • s.196 Penalties for offences
  • s.198 Liability of directors etc

Powers 41

  • Schedule 5 Accreditation of certification providers: reviews and appeals
  • s.9A Processing in reliance on relevant international law
  • s.10 Special categories of personal data and criminal convictions etc data
  • s.12 Limits on fees that may be charged by controllers
  • s.16 Power to make further exemptions etc by regulations
  • s.23 Power to make provision in consequence of regulations related to the GDPR
  • s.30 Meaning of “competent authority”
  • s.35 The first data protection principle
  • s.42A Further provision about sensitive processing
  • s.50D Further provision about automated decision-making
  • s.74AA Transfers approved by regulations
  • s.82B Duration of designation notice
  • s.82A Designation of processing by a qualifying competent authority
  • s.86 The first data protection principle
  • s.91A Further provision about sensitive processing
  • s.99 Right to object to processing
  • s.100 Rights to rectification and erasure
  • s.113 Power to make further exemptions
  • s.115 General functions under the UK GDPR and safeguards
  • s.129 Consensual audits
  • ... and 21 more powers

Definitions 33

  • s.3 Terms relating to the processing of personal data: Personal data; Identifiable living individual; Data subject
  • Schedule 7 Competent authorities
  • s.11 Special categories of personal data etc: supplementary
  • Schedule 14 Co-operation and mutual assistance: foreign designated authority
  • Schedule 17 Review of processing of personal data for the purposes of journalism: relevant period
  • Schedule 20 Transitional provision etc: the 1984 Act; the 1998 Act; the 2014 Regulations
  • s.24 Manual unstructured data held by FOI public authorities: the appropriate maximum
  • s.31 “The law enforcement purposes”
  • s.32 Meaning of “controller” and “processor”: controller; processor
  • s.33 Other definitions: Personal data breach; Profiling; Restriction of processing
  • s.50A Automated processing and significant decisions
  • s.54 Meaning of “applicable time period”: The applicable time period; The relevant time
  • s.71A Codes of conduct: public body
  • s.72 Overview and interpretation
  • s.74AB The data protection test
  • s.75 Transfers subject to appropriate safeguards
  • s.76 Transfers based on special circumstances
  • s.82 Processing to which this Part applies: intelligence service; qualifying competent authority
  • s.83 Meaning of “controller” and “processor”: processor
  • s.84 Other definitions: Personal data breach; Restriction of processing; Designation notice
  • ... and 13 more definitions

Exemptions 42

  • Schedule 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment
  • Schedule 9 Conditions for processing under Part 4
  • Schedule 15 Powers of entry and inspection
  • s.21 Definitions
  • s.25 Manual unstructured data used in longstanding historical research
  • s.26 National security and defence exemption
  • s.27 National security: certificate
  • s.28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR
  • s.29 Processing to which this Part applies
  • s.44 ... Controller's general duties
  • s.45A Exemption from sections 44 and 45: legal professional privilege
  • s.45 Right of access by the data subject
  • s.67 Notification of a personal data breach to the Commissioner
  • s.68 Communication of a personal data breach to the data subject
  • s.78A National security exemption
  • s.79 National security: certificate
  • s.81 Reporting of infringements
  • s.93 Right to information
  • s.97 Right to intervene in automated decision-making
  • s.108 Communication of a personal data breach
  • ... and 22 more exemptions