In a legal analysis of the Information Commissioner's Office (ICO) provisional decision to issue a £6.09 million monetary penalty to Advanced Computer Software Group (Advanced), following an NHS ransomware attack in August 2022 that disrupted a number of critical services, Malcolm Dowden, a law expert at Pinsent Masons, said the case highlights how the UK General Data Protection Regulation (GDPR) applies directly to processors.
In particular, Dowden explains that the move potentially signals the ICO's increased willingness to take enforcement action against non-compliance by processors in cases involving public sector bodies. He writes: "While responsibility under UK GDPR falls primarily on data controllers, the GDPR introduced a number of obligations that directly apply to data processors. They include the obligation under Article 32 to 'implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk'." Dowden also noted that the context of the case, which involved NHS bodies and critical services, may have influenced the ICO's decision to fine Advanced.