
Information Commissioner's Office
UK data-protection regulator; fined Capita £14m and Advanced Computer Software £3.07m for absent PAM and AD tiering, establishing NCSC guidance as the GDPR baseline.
Last refreshed: 17 April 2026
What exactly does the ICO expect companies to have in place to avoid a GDPR fine after a cyber attack?
- What fines has the ICO issued for cybersecurity failures?
- The ICO fined Capita £14 million in October 2025 and Advanced Computer Software £3.07 million in March 2025 for cybersecurity failures that enabled data breaches, citing absent PAM controls and inadequate Active Directory tiering as GDPR Article 32 violations. Source: ICO monetary penalty notices
- Does the ICO use NCSC guidance to decide if a company was negligent?
- Yes. The ICO's Capita and Advanced Computer Software monetary penalty notices explicitly treat NCSC cyber hygiene guidance, including PAM and AD tiering recommendations, as the Article 32 GDPR technical standard for what constitutes adequate security measures. Source: ICO
Background
The Information Commissioner's Office (ICO) fined Capita £14 million in October 2025 for its 2023 data breach and Advanced Computer Software £3.07 million in March 2025 for its 2022 breach. Both monetary penalty notices cited absent Privileged Access Management (PAM) controls and inadequate Active Directory tiering as GDPR Article 32 violations, treating NCSC cyber hygiene guidance as the enforceable technical standard.
The ICO is the UK's independent data-protection regulator, responsible for enforcing the UK GDPR and the Data Protection Act 2018. Its monetary penalty notices carry legal weight as precedent; the Capita and Advanced decisions together define the ICO's enforcement template for cybersecurity failures that enable breaches. The ICO has signalled that it will continue to use NCSC guidance as the reference technical standard for Article 32 compliance.
For UK organisations in ICO scope, the Capita-Advanced precedents have immediate practical implications: any organisation that lacks PAM controls and an AD tiering model for administrative accounts faces documented enforcement risk if a breach occurs that a reasonable security programme would have prevented. The pending Cyber Security and Resilience Bill will expand the ICO's co-regulatory role alongside Ofcom and DSIT for data-centre operators.