These are not theoretical risks. These are real enforcement outcomes.
£8.7 MILLION
Under Article 83(4) UK GDPR, failure to carry out a mandatory DPIA carries a maximum fine of £8.7m or 2% of global annual turnover.
The Advanced Computer Software Group was fined £3.07m in 2022 after a ransomware attack exposed home care clients' personal data — including home access codes.
NO UPPER LIMIT
From 19 June 2026, failure to have a data protection complaints procedure is a breach of Section 164A of the Data Protection Act 2018.
The ICO has confirmed no exemptions and has indicated it will enforce. There is no statutory maximum fine for this breach — it is subject to the full range of ICO enforcement powers.
£6,540
In September 2025, Jason Blake, director of Bridlington Lodge Care Home, became the first care home director convicted under Section 173 DPA 2018 for obstructing a Subject Access Request.
He was fined £1,100 with £5,440 costs. Directors are personally liable — not just the company.
REQUIRES IMPROVEMENT
CQC's Single Assessment Framework assesses data governance under the Well-Led quality statement.
Inspectors specifically look for: evidence of a DPIA, documented data protection procedures, staff training records, and incident response plans.
Missing a mandatory DUAA complaints procedure after 19 June 2026 is a direct Well-Led failure that inspectors will identify and record.
June 2025: DUAA became law
February 2026: Main data protection provisions in force
19 June 2026: DUAA complaints procedure mandatory
NO EXEMPTIONS
After 19 June 2026: the ICO can investigate any complaint, and having no complaints procedure is an immediate breach.
Next CQC inspection: a missing DUAA complaints procedure is recorded as a Well-Led failure.
We can have your DUAA complaints procedure ready in 5 working days. Don't wait until June.