Data protection guidance for Electoral Registration Officers and Returning Officers

Sanctions and penalties for data breaches

Under data protection legislation (the UK GDPR and the Data Protection Act 2018), fines of up to £17.5 million or 4% of annual worldwide turnover (whichever is higher) may be imposed for:

  • failure to process personal data on a lawful basis, infringing the rights of data subjects;
  • failure by a data controller in relation to the engagement of processors; or
  • failure of a processor to process data only in accordance with the controller’s instructions.

A maximum of £8.7 million (or 2% of annual worldwide turnover, whichever is higher) applies for other breaches, including:

  • failure to maintain the security of personal data;
  • failure to report breaches (to the ICO, and to the affected data subjects where required);
  • failure to maintain records of processing activities; or
  • failure to undertake a Data Protection Impact Assessment when required to do so.

In addition to imposing fines, the Information Commissioner’s Office (ICO) may audit offenders, issue reprimands and impose restrictions on the breaching party. Reputational damage could also be significant.

You should make sure you understand the consequences of failing to comply with your data protection obligations, and ensure you have procedures in place to detect, report and investigate any personal data breach. Note that a reportable breach must be notified to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so your procedures need to work to that timescale.

Last updated: 22 February 2023