ICO Fine Signals Urgency for GDPR in Clinical Trials
In March 2025, the UK Information Commissioner’s Office (ICO) announced a £3.07 million fine against Advanced Computer Software Group Ltd, a supplier to the NHS, following a ransomware attack in 2022 that compromised the personal data of over 79,000 individuals. This decision has made waves across the healthcare sector – not just because of the size of the fine, but because of who it targeted: a data processor.
This is the first time the ICO has fined a processor under the UK GDPR. For those of us working in clinical research, this signals a significant shift in regulatory enforcement. It sends a clear and unambiguous message: data processors are not just supporting characters in the data protection landscape. They are frontline actors, and they are now firmly in the regulator’s line of sight.
What Happened?
The breach occurred when attackers gained access to systems managed by Advanced’s health and care subsidiary through a customer account that lacked multi-factor authentication (MFA). The attack led to widespread disruption of NHS services, including NHS 111, and left healthcare staff unable to access patient records. Most shockingly, the stolen data included instructions on how to gain entry to the homes of nearly 900 people receiving care. These are not abstract risks; this was a real-world failure with potentially life-threatening consequences.
The ICO found that Advanced failed to put in place the basic technical and organisational measures required to protect personal data. Among the most concerning were the lack of comprehensive vulnerability scanning, poor patch management practices, and inadequate MFA deployment. While Advanced did engage proactively with authorities after the attack, including the NHS and the National Cyber Security Centre, and while that cooperation helped reduce the fine from an initial £6.09 million, the damage had already been done.
Why This Matters for Clinical Research
In the world of clinical trials, data processors play a central role. Think of CROs managing patient databases, EDC platforms collecting patient-reported outcomes, laboratories analyzing biospecimens, and data analytics companies crunching trial data. These entities handle highly sensitive health data every day. And more often than not, they are the ones storing, accessing, and securing the largest volumes of personal data in a given trial.
Traditionally, sponsors have carried the primary burden of GDPR compliance, often under the assumption that liability flows from their status as data controllers. But this fine flips that script. It tells us that processors are not only responsible in theory: they are accountable in practice. The ICO has shown that it will enforce GDPR obligations against processors directly, particularly when the personal data involved relates to health.
Would This Be Different with a Private Controller?
It is worth considering how this case might have played out if the data controller had been a private entity rather than a public body like the NHS. While both public and private controllers have the same legal obligations under the GDPR, enforcement dynamics can differ. Regulators may, in practice, be more cautious when imposing large fines on public bodies due to public interest concerns, budgetary implications, and the risk of undermining essential services.
In contrast, when the controller is a private company, the ICO may be more willing to share enforcement action between both controller and processor, depending on each party's responsibility for the failure. That said, the crux of this case was that the processor—Advanced—failed in its own obligations. The fact that the ICO chose to fine the processor, regardless of the controller’s public status, marks a pivotal moment in GDPR enforcement. It signals that regulators are prepared to hold processors accountable based on their own failings, even when the controller is a major public institution.
Had the controller been a private sponsor, it’s possible we might have seen both parties subject to enforcement, especially if due diligence, oversight, or contractual obligations were found to be lacking on the controller’s side. This distinction matters greatly for clinical trial sponsors operating in the private sector, where responsibility is closely scrutinized and shared liabilities are more often enforced.
Shared Responsibility and Accountability
This case has serious implications for the way clinical trials are run. To mitigate the risks, sponsors can no longer rely on standard contract templates and high-level vendor assurances. They must conduct meaningful due diligence before onboarding vendors, ask hard questions about security protocols, and ensure data protection obligations are not just listed in contracts but actually implemented. In turn, service providers must be ready to demonstrate compliance at every level—from access controls and encryption policies to breach response plans and audit trails.
What we’re seeing here is a clear move toward shared accountability. Data protection is no longer just the sponsor’s headache. It’s a joint responsibility, and it requires active collaboration.
Takeaways for Sponsors and Vendors
For sponsors, the takeaway is simple: your vendors’ compliance posture is part of your own risk profile. What this decision makes especially clear is that doing the work—and being able to demonstrate it—can actually shift regulatory responsibility away from the controller and toward the processor. Ignoring red flags or cutting corners in vendor oversight is no longer just a bad business decision—it could be the difference between liability and protection.
And for processors, the message is equally clear: you are no longer behind the curtain. You are visible, accountable, and subject to direct enforcement. GDPR is not just a theoretical framework to be acknowledged in a policy document. It is a set of binding obligations that apply to your systems, your practices, and your staff.
Conclusion
The ICO’s action against Advanced should not be seen in isolation. It’s part of a broader trend of regulators taking a more active stance in enforcing GDPR across complex, data-intensive sectors like healthcare. The stakes are high, and the cost of non-compliance is growing.
If there was ever a time for sponsors and vendors in clinical trials to treat GDPR compliance as a core operational priority, it’s now.
RD Privacy is here to help—reach out to ensure your compliance strategy is audit-ready and future-proof.
Warm regards,
Diana