Under data protection legislation, fines of up to around £17.5 million or 4% of turnover (whichever is greater) may be imposed for:
failure to process personal data on a lawful basis, infringing the rights of data subjects;
failure by a data controller in relation to the engagement of processors; or
failure of a processor to process data only in accordance with the controller’s instructions.
A maximum of £8.7 million (or 2% of annual turnover) applies for other breaches, including:
failure to maintain the security of personal data;
failure to report breaches (including to the data subject where required);
failure to maintain records of processing activities; or
failure to undertake a Data Protection Impact Assessment when required to do so.
In addition to imposing fines, the ICO may audit offenders, issue reprimands and impose restrictions on the breaching party. Reputational damage could also be significant.
You should make sure you understand the consequences of failing to comply with your data protection obligations, and ensure you have procedures in place to detect, report and investigate any personal data breach.