In 2024 we reported that the ICO provisionally decided to issue a £6 million fine to Advanced, an IT software company providing services to the NHS, after it experienced a ransomware attack in August 2022. On 25 March 2025, the ICO confirmed that a subsidiary of Advanced Computer Software Group Ltd (“Advanced”) broke data protection law by failing to implement appropriate security measures such as full multi-factor authentication coverage. Advanced settled the matter for £3.09 million for security failings that put the personal data of 79,404 people at risk.
These sorts of headlines can be intimidating, but the reality is that cyber attacks are becoming more widespread and hackers’ techniques are becoming increasingly sophisticated. The purpose of this insight is to explain the background to the fine and how Tozers can help with your data protection compliance to avoid security breaches.
What is the ICO and what does it do?
The ICO is the UK’s largest independent body that has been set up to uphold information rights. It has various enforcement powers, for example:
- Issuing notices that require you to provide certain information.
- Issuing enforcement notices that require you to take, or refrain from taking particular steps or actions.
- Issuing monetary penalties of up to a maximum of £17 million if you contravene network and information systems requirements.
Why do businesses get punished if their systems get attacked?
Data processors must ensure that personal data “is processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing… using appropriate technical or organisational measures” (Article 5(1)(f) UK GDPR). This is known as the “security principle”. A data subject has a right to privacy and if they decide to share their data with your business, the onus is on you to keep it safe.
Organisations are expected to implement robust security measures to prevent unauthorised access, loss, or damage to personal data. If an organisation fails to take adequate measures and a security breach occurs it can lead to significant harm to individuals, including identity theft and financial loss.
Can you challenge a monetary penalty by the ICO?
Yes. If the ICO intends to issue a monetary penalty it will send a notice of intent which you can challenge by sending written representations within a strict timeframe. Time is of the essence when you receive a notice of intent so you must seek legal advice without delay.
In 2023 we acted on behalf of a client who was issued with a notice of intent for over £180,000 as a result of a data breach. We sent written representations that were successful, resulting in the investigation being dropped and the fine waived in its entirety.
What are the key takeaways from this fine?
- The ICO has the power to impose huge fines. The severity of the breach, the number of individuals affected, and the organisation’s level of cooperation are some of the key factors in determining the fine.
- An ICO investigation can take many years to reach a conclusion. Data breaches carry not only a financial risk: maintaining data protection compliance also avoids tying up precious management and other personnel time in dealing with a cyber attack and the subsequent ICO investigation.
- ICO investigations and fines are published online and often attract media attention which can have long-lasting effects on customer loyalty, brand value, and the ability to attract investment.
- Multi-factor authentication is key.
- You should be regularly checking for vulnerabilities in your systems and keeping systems up to date with the latest security patches.
How can I avoid a cyber attack?
Protecting personal data involves careful consideration of risk analysis, organisational policies, and physical and technical measures. Software, a form of technical measure, is just one ingredient in the mix.
Everyone in an organisation responsible for using personal data (which includes storing it) has to follow strict rules and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.
Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:
- Providing advice and guidance.
- Discussing data protection impact assessments.
- Providing advice about technical and organisational measures to mitigate or manage the risks you identify with new systems.
- Drafting bespoke data protection policies and compliance documents.
- Providing training to staff.
As a top firm for client satisfaction, we have built a reputation as good listeners who can break down complex legal jargon into words you can understand, and we are experts at advising on your organisation’s situation.
If you require advice, speak to one of our legal experts today in a no-obligation phone call.