The Personal Data Protection Journal has published an article by Duc Tran and Kamilia Khairul Anuar on the proposed fine of £6.09m issued by the Information Commissioner's Office (the "ICO") against Advanced Computer Software Group Ltd for its failure to implement adequate security measures. That failure left the company vulnerable to a ransomware attack affecting 82,946 people in August 2022.
This decision represents the first-ever fine proposed to be levied under the UK GDPR against a processor, potentially marking a shift in data protection enforcement activity in the UK, which has previously focussed exclusively on controllers. The decision follows a number of recent fines issued by EU data protection authorities against processors for security-related breaches of the data protection legislation.
The article considers the direct regulatory obligations imposed on processors by the data protection legislation and the key takeaways arising out of the ICO's enforcement action against Advanced.
Kamilia Khairul Anuar
Trainee Solicitor, London