Are data processors a new priority for the ICO?
Taylor Wessing’s Debbie Heywood and Mary Rendle look at the impact of the UK ICO’s provisional decision to issue its first processor fine.
The UK’s Information Commissioner’s Office (ICO) has a longstanding record as an active but pragmatic regulator. The ICO’s regulatory action policy(1) stresses that it will adopt a risk-based approach to enforcement. While it will not hesitate to issue financial penalties when it considers it appropriate, it will use the full range of its enforcement powers, including publicising reprimands. This means that fines tend to be reserved for the most egregious breaches and, to date, they have all been imposed on controllers.
This looks set to change following the ICO’s announcement on 7 August 2024 of its provisional decision(2) (not published in full) to fine Advanced Computer Software Group Ltd (Advanced) £6.09m for failure to protect the personal data (including some sensitive data) of nearly 83,000 people. The ICO will now consider representations from Advanced before making its final decision, which may include a change to the amount of any fine. Whether or not the fine is ultimately imposed, this announcement marked the first time the ICO has proposed fining a processor rather than a controller.