01 July 2025

A game changer for data processors? The ICO issues a significant fine against a processor

The recent cyberattacks on major UK retailers have put cybersecurity back in the spotlight. But a more significant development for data protection practitioners has been flying under the radar: the Information Commissioner’s Office (ICO) has issued a substantial fine directly against a data processor for breaching its own UK GDPR security obligations under Article 32, rather than against the controllers on whose behalf it handled the data. That is an important shift in enforcement focus.

In March 2025, the ICO concluded its enforcement action against Advanced Computer Software Group Limited (Advanced), a data processor that provides software and IT services to healthcare providers, including the NHS. The action followed a ransomware attack in August 2022 in which the personal data of nearly 80,000 individuals was compromised. This included highly sensitive “home access information” (details of how to enter the homes of vulnerable people receiving care services).

The provisional fine of £6.09 million was reduced to £3.07 million in recognition of Advanced’s cooperation with the ICO and the National Cyber Security Centre and of its remedial action, but the regulator’s message is clear. Advanced has reported that its broader response and remediation costs exceeded £21 million, several times the penalty itself, underscoring the financial and reputational impact of a breach of this kind.

Why the fine?

The ICO found that Advanced had failed to implement basic cybersecurity hygiene. Most critically, it had not enforced multi-factor authentication (MFA) on a key public-facing system, so a single set of valid credentials was enough for the attackers to gain initial access. Additional failings included insufficient vulnerability scanning and inadequate patch management, which are the controls that would normally limit what an intruder can do once inside.

This enforcement is significant. The ICO has historically directed fines at data controllers; this case marks a noteworthy move to hold processors directly accountable. The security obligations in Article 32 UK GDPR apply to processors in their own right, so the ICO expects processors to maintain strong security regardless of whether a controller has instructed them to do so.

What this means for you

For processors, this case reinforces a crucial point: robust cybersecurity is not just a contractual obligation owed to your customers, it is a regulatory requirement owed to the ICO. You can be fined directly for failing to implement appropriate technical and organisational measures, whatever your contracts say.

For controllers, this enforcement action may offer some reassurance that processors can be held to account, but your due diligence obligations remain front and centre. Selecting processors that can demonstrate appropriate security, and monitoring them throughout the engagement, is still your legal responsibility.

Importantly, the ICO now expects MFA to be implemented wherever feasible. If you have not fully adopted it across your systems, particularly for remote access and any system reachable from the internet, now is the time to act. In practice that means identifying every externally reachable login, including those used by customers, suppliers and third parties rather than only your own staff, and enforcing MFA on each of them; the other failings identified in this case, vulnerability scanning and patch management, are the obvious next items on the list.

Further information 

If you have any questions regarding this blog, please contact Christopher Perrin in our Corporate, Commercial & Finance team.

About the author 

Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s general Commercial & Technology Contracts, Outsourcing & Data legal advisory services.
