ICO’s £3.1M Fine: What Controllers Must Learn Now

What the ICO’s Latest Fine Tells Us About Processor Risk

In April 2025, the Information Commissioner’s Office (ICO) fined Advanced Computer Software Group Ltd £3.1 million for failing to secure personal data during a ransomware attack. The company was acting as a processor for NHS trusts and local authorities.

This is the first time the ICO has publicly fined a processor under the UK GDPR. That matters, because it shows the regulator is changing how it applies accountability.

What Actually Happened

Advanced hosted sensitive health and social care data. Attackers exploited a vulnerability through a customer account that didn’t use multi-factor authentication. The breach affected nearly 80,000 people and disrupted critical services, including emergency helplines.

The ICO concluded that Advanced had failed to implement appropriate technical and organisational measures. There were gaps in patching, MFA, and internal controls — all of which breached Article 32 of the UK GDPR.

Read the ICO’s enforcement notice.

Why Controllers Should Take Note

This wasn’t just a processor mistake. It was a legal failure — and it highlights why controllers need to treat processor risk as a live issue. Under Article 28, you’re required to choose processors who offer “sufficient guarantees” of GDPR compliance. That means documented due diligence, enforceable instructions, and ongoing oversight — not just a signed DPA in a file.

This Isn’t a One-Off

The Advanced fine is the first of its kind in the UK, but it fits into a wider trend. Across Europe, processors are now being fined directly — not just the controllers they serve.

For example, an Italian processor was fined €50,000 in 2019. In Poland, a 2022 case saw both the controller and the processor fined. And in 2024, the ICO issued a provisional fine of £6.09 million to Advanced — later finalised at £3.07 million.

See analysis from Bristows.

What You Should Be Doing

Start by reviewing your active processors. Who has access to personal data, and under what terms? Have you seen proof of their security measures? When did you last assess their risk profile or conduct an audit?

Then look at your contracts. Do they allow for proper oversight, enforce your instructions, and include audit rights? And crucially, are you exercising that oversight, or just assuming it’s all fine?

This fine shows that regulators now see accountability as a shared responsibility. Controllers and processors are both expected to act like grown-ups. Hope is not compliance.

Need help reviewing your third-party risk? See how iCompli can help.
