Controllers no longer always ‘carry the can’: more than 6 years after the introduction of the General Data Protection Regulation (GDPR), the UK’s Data Protection Authority has issued its first notice of intention to fine a processor, rather than the controller organisation on whose behalf it was processing the data.
One of the many distinguishing features of the GDPR over the previous law, the Data Protection Act 1998, is that responsibility for data protection is shared between data controllers (those which determine the purposes and means of processing personal data) and data processors (organisations such as managed service providers which process personal data on behalf of a controller, usually their customer, and only on that controller’s documented instructions). Under the 1998 Act, it was the controller which was held responsible for any data breach, including civil liability for damages awarded to individuals and for any fines imposed, whilst processors were not in the frame to take any such hit. Under the GDPR, processors can be held directly liable alongside controllers, and in some cases more so, depending on each party’s respective share of responsibility for the loss or damage caused.
It has taken more than 6 years of the GDPR being in effect, but in August 2024 the Information Commissioner’s Office (ICO) issued its first provisional fine against a data processor, rather than the controller that provided the personal data and the instructions for the processing. In its initial announcement of the proposed fine (i.e., yet to be finalised), the UK privacy regulator has signalled that it intends to impose a penalty of £6.09 million on a software supplier, Advanced Computer Software Group Ltd (‘Advanced’). As readers of URM’s blogs on this subject will appreciate, £6m is in ICO terms quite a hefty fine; to learn more about the ICO’s approach to enforcement and monetary penalties, read our blog where URM Analyses ICO’s Enforcement Actions Since the GDPR was Introduced in 2018.
Background
Advanced processes personal data, including sensitive or ‘special category’ data, on behalf of a range of organisations across the UK including the NHS and other major care providers. The proposed penalty relates to Advanced’s failure to implement appropriate security measures to protect the data in its care, and dates back to a ransomware attack it suffered in 2022, in which the attacker gained access to its systems through a customer account that was not protected by multi-factor authentication (MFA). The attack resulted in the exfiltration of the personal data of 82,946 individuals, including phone numbers, medical records and details of how to gain access to the homes of 890 patients receiving at-home care. The breach also caused major disruption to Advanced’s controllers and their ability to deliver patient care, most notably disrupting the NHS 111 advice service. This, in the words of the Information Commissioner when publishing his provisional action, caused significant distress to “people who had no choice but to put their trust in health and care organisations”.
The absence of MFA, particularly in the context of high-volume processing of high-risk data, is notable: MFA is required or recommended by common security baselines such as the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme and NIST SP 800-63B, and the ICO regards it as a comparatively low-cost countermeasure, with many MFA solutions commercially available. Furthermore, in May of this year the ICO released a report on trends and developments in cyber attacks, including malware and ransomware, which underlined the need not only for MFA but also for controls against the ways threat actors try to circumvent it, for example by posing as a genuine user and requesting a password reset, so that the reset route itself must be protected as carefully as the login.
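The practical question a processor should be asking after this case is not “do we offer MFA?” but “which accounts can still get in without it?”. The following is an added example, not code from the original page, from the ICO or from Advanced: a small audit over an identity-provider export that flags accounts with no MFA enrolled, MFA enrolled but not enforced, only SMS/voice methods (which NIST SP 800-63B classes as restricted), and password-reset routes that never re-check a second factor, which is the bypass the ICO report warns about. The account records are constructed, and the field names (`mfa_methods`, `mfa_enforced`, `reset_path`, `reset_requires_mfa`, `external`, `privileged`) are assumptions rather than the schema of any real product; map them onto whatever your IdP exports.

```python
"""Audit an identity-provider export for MFA gaps.

Constructed example: the account records below are made up and the field
names (mfa_methods, mfa_enforced, reset_path, reset_requires_mfa, external,
privileged) are assumptions, not the schema of any real product.
"""
from dataclasses import dataclass

# NIST SP 800-63B treats out-of-band authentication over the PSTN (SMS and
# voice) as RESTRICTED: it still counts as a second factor, but should be
# phased out in favour of app, hardware or passkey authenticators.
RESTRICTED_METHODS = {"sms", "voice"}

# Password-reset routes that do not themselves re-prove possession of a
# second factor: an attacker who can talk a helpdesk into a reset, or who
# controls the mailbox, walks in without ever touching MFA.
BYPASSABLE_RESET_PATHS = {"helpdesk", "email_link"}


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str  # "high" or "medium"
    issue: str


def audit_account(acct: dict) -> list[Finding]:
    """Return the MFA-related findings for one account record."""
    findings = []
    name = acct["username"]
    methods = set(acct.get("mfa_methods", []))
    # External/customer and privileged accounts are the ones a compromise of
    # a multi-tenant processor hinges on, so their findings are escalated.
    exposed = acct.get("external", False) or acct.get("privileged", False)
    high = "high" if exposed else "medium"

    if not methods:
        findings.append(Finding(name, high, "no MFA method enrolled"))
    elif not acct.get("mfa_enforced", False):
        findings.append(Finding(name, high, "MFA enrolled but not enforced at sign-in"))
    elif methods <= RESTRICTED_METHODS:
        findings.append(Finding(name, "medium", "only restricted (SMS/voice) MFA methods enrolled"))

    reset_path = acct.get("reset_path")
    if reset_path in BYPASSABLE_RESET_PATHS and not acct.get("reset_requires_mfa", False):
        findings.append(Finding(name, high, f"password reset via {reset_path} does not require MFA"))
    return findings


def audit(accounts) -> list[Finding]:
    """Audit every account; high-severity findings first, then by account name."""
    out = []
    for acct in accounts:
        out.extend(audit_account(acct))
    return sorted(out, key=lambda f: (f.severity != "high", f.account))


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    {"username": "customer-svc-01", "external": True, "mfa_methods": [],
     "reset_path": "helpdesk"},
    {"username": "ops-admin", "privileged": True, "mfa_methods": ["totp"],
     "mfa_enforced": True, "reset_path": "self_service_mfa", "reset_requires_mfa": True},
    {"username": "j.smith", "mfa_methods": ["sms"], "mfa_enforced": True,
     "reset_path": "email_link"},
    {"username": "dev-contractor", "external": True, "mfa_methods": ["push"],
     "mfa_enforced": False, "reset_path": "helpdesk", "reset_requires_mfa": True},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"[{f.severity.upper():6}] {f.account}: {f.issue}")
```

Run against the sample data, the audit reports the unprotected customer account twice (no MFA, and a helpdesk reset that never asks for one), the contractor account once (MFA enrolled but switched off at sign-in), and the internal user for SMS-only MFA plus an e-mail reset link; the admin with an enforced authenticator app and an MFA-gated reset produces nothing. The ordering puts externally reachable and privileged accounts at the top, since those are the ones a multi-tenant processor’s controllers are exposed through.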
As the ICO’s first potential fine against a processor under the UK GDPR, it confirms that the security compromise of a major processor acting for multiple controllers can have far-reaching repercussions across the public and private sectors. This was seen again more recently in the June incident involving the pathology provider Synnovis, which disrupted NHS blood testing and related services. The proposed Cyber Security and Resilience Bill announced in the King’s Speech at the opening of Parliament in July aims to curb this kind of supply chain vulnerability in certain critical sectors.
GDPR Requirements and Repercussions for Data Processors
Organisations acting as processors are subject to security obligations under the UK GDPR, and the Advanced provisional fine serves as a timely reminder of the potential for direct regulatory enforcement if they fail to prioritise robust security measures. This is of particular importance where a threat actor’s unauthorised access and exfiltration could leave data subjects at serious risk, which continues to be a central driver for ICO enforcement action, particularly monetary penalties as in this case.
Under Article 82 of the UK GDPR, data subjects have a direct right of action against processors and controllers on a ‘joint and several liability’ basis. This means that a data controller can ultimately be held financially responsible for the whole of the damage flowing from its processor’s failures, even if the controller is only partly at fault. The fact that the ICO is proposing to take enforcement action only against Advanced as the data processor suggests that there was no real direct fault on the part of the NHS as data controller. Even so, the NHS might be seen by data subjects as a ‘softer target’ for any court actions for damages they might bring, particularly from a financial viability perspective (it almost certainly has deeper pockets than Advanced). Controllers such as the NHS might then look to recover any losses from the processor under the liability and indemnity provisions contained in their processing contract or ‘data processing agreement’ (DPA) with Advanced.
In this regard, many outsourced data service providers will usually include in their standard DPA terms and conditions a liability cap limited to the amount of fees paid by the customer/controller over a certain period of time (perhaps 12 months). The costs associated with a data breach (including response costs, regulatory action such as fines and resulting claims) can, however, significantly exceed these fee-based caps. This is why an increasing number of customers are seeking to negotiate an increased 'super cap', specifically for the type of substantial costs and damages that can result from data breaches.
Lessons Learned
Although data controllers have ultimate control over how and why personal data is processed, data processors also have legal data protection obligations. The Advanced case serves as a stark reminder for service providers (particularly in the healthcare sector) of those responsibilities. Equally, it acts as a warning to data controllers, such as healthcare providers, to carry out adequate due diligence on software providers acting as data processors on their behalf. It remains to be seen whether the DPA between the NHS and Advanced stipulated that MFA should be enabled on customer accounts and this was not applied for some reason, or whether this basic security provision was simply omitted from the contract. This is the kind of detail likely to come out in any court claims that follow.
On several occasions in the past, provisional fines issued by the ICO have been reduced (sometimes by a substantial amount, as in the British Airways and Doorstep Dispensaree cases, both from 2019) before confirmation, and recently a proposed enforcement action (in the Snap matter) was withdrawn completely. The Information Commissioner has stated that he “will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.”
In the meantime, the message has also been put out from the Commissioner that all organisations, especially those handling sensitive health data, are expected "to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches."
How URM can Help
GDPR Consultancy
Almost all organisations are required to comply with the GDPR, and failing to do so exposes them to both data breaches and subsequent enforcement action from the ICO, but understanding how to comply can be difficult when relying exclusively on the text of the legislation. Drawing upon nearly 2 decades of experience assisting organisations to comply with data protection legislation (such as the GDPR and the Data Protection Act), URM can provide effective and comprehensive GDPR consultancy to support you through your compliance journey.
Our team of experienced GDPR consultants can offer a range of services to help align your organisation’s data processing activities with the Regulation’s requirements. Our GDPR consultancy services include conducting a gap analysis to help you understand your current level of compliance and the areas where you are not currently meeting GDPR requirements, a virtual data protection officer (DPO) service which provides you with access to a team of data protection practitioners, and assisting with DPIAs, to name a few. If you need help completing data subject access requests (DSARs) in compliance with the Regulation, we also offer a GDPR DSAR redaction service.
Data Protection Training
As well as providing compliance support in the form of consultancy, URM can also offer a range of data protection-related training courses, all of which are led by a practising GDPR consultant. We regularly run half-day courses on Conducting Data Protection Impact Assessments (DPIAs), and on Conducting Data Transfer Impact Assessments (DTIAs) in full compliance with the Regulation. Meanwhile, if you would like to gain an industry-recognised data protection qualification, we regularly deliver the BCS Foundation Certificate in Data Protection (CDP) course. To enhance your understanding of how to fulfil a DSAR, establish the validity of a DSAR request, and verify the data subject’s identity, we also regularly run a ‘How to Manage DSARs’ course which will provide you with invaluable insights and guidance.
Penetration Testing and Information Security Support
As demonstrated by the Advanced case, in which a serious data breach was caused by a failure to implement appropriate information security measures (in that case, the absence of MFA on a customer account), taking steps to ensure you are adequately protecting your organisation’s sensitive information is vitally important in order to avoid a data breach and subsequent enforcement action from the regulator. With our extensive experience providing information security consultancy and penetration testing, URM can help evaluate and enhance the effectiveness of any measures you have implemented to maintain the security of your organisation’s information, including the personally identifiable information (PII) it processes. For example, we can help you to conform to or certify against a range of information security standards, such as ISO 27001. This will allow you both to enhance your organisation’s information security posture and to demonstrate that strengthened approach to prospective clients, providing you with a competitive edge in the market. Meanwhile, our penetration testing services will help you to assess the effectiveness of your cyber security measures and to proactively identify and remediate vulnerabilities before malicious actors can take advantage of them.