1. Information Commissioner's Office (ICO). Guide to the UK General Data Protection Regulation (UK GDPR), Part 6: Enforcement, Penalties. The guide explicitly states: "The UK GDPR applies two tiers of administrative fines... The higher maximum is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher." It confirms that infringements of the basic principles for processing fall under this higher maximum. (Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/penalties/)
2. UK General Data Protection Regulation (UK GDPR). Article 83, Paragraph 5. This article lists the infringements subject to the highest level of administrative fines, including violations of "the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9". The failure to maintain security is a violation of the principle of 'integrity and confidentiality' outlined in Article 5(1)(f).
3. Data Protection Act 2018. Part 6, Section 157 (Maximum amount of penalty). This section of the UK's primary data protection legislation confirms that the maximum penalties are those set out in Article 83 of the UK GDPR. Post-Brexit regulations amended the Euro figures to the current Sterling amounts (£17.5m and £8.7m).
