The Top ICO Enforcement Trends SMEs Must Act On in 2025

And How to Get Ahead

The UK’s data-protection landscape is evolving fast, and SMEs are now directly exposed to enforcement action once largely associated with public bodies or large multinationals. As BDO’s analysis of ICO enforcement trends in 2025 highlights, the ICO is increasingly focused on fundamental compliance failures rather than technical edge cases, so SMEs face the same expectations as larger organisations.

To help UK SMEs stay ahead, this guide breaks down the four most prominent ICO enforcement themes in 2025 and explains how each relates directly to the core duties under UK GDPR.

ICO Enforcement Trend 1: DSAR Delays & Right-of-Access Failures

The ICO continues to treat DSAR delays as one of the most serious indicators of poor governance. This theme appears repeatedly in enforcement notices and aligns closely with the BDO analysis.

A recent example is the enforcement notice issued to South Wales Police, requiring the organisation to clear a backlog of more than 350 overdue SARs by mid-2026.

Although policing bodies sit in a unique context, the principle is identical for SMEs: a delayed, incomplete, or mismanaged DSAR is a governance failure, not an administrative error.

Why SMEs are vulnerable

  • DSAR processes are often informal or undocumented
  • Staff rely on untracked shared inboxes that hamper compliance
  • Manual redaction takes longer than expected and slows response times
  • Identity verification checks are inconsistent or incomplete
  • No clear owner is assigned to coordinate DSAR responses

Consequently, SMEs often fail “by accident”, simply because processes were never clearly built.

What SMEs should do

  • Implement a formal DSAR register
  • Use standardised verification templates
  • Assign responsibility for triage and drafting
  • Create a redaction decision record
  • Test your DSAR workflow every six months

See how Athlex Data Protection can help you with your UK GDPR compliance.

To strengthen your position, Athlex Data Protection includes DSAR review as part of its Free UK GDPR Compliance Audit.

ICO Enforcement Trend 2: Basic Security Failings & System Errors

While many SMEs assume breaches are caused by sophisticated threat actors, the ICO’s recent fines show that basic security failings, particularly around access control and system configuration, lie behind many of the incidents it has penalised. This is why BDO identifies weak security controls as a recurring enforcement theme.

A clear example of this is the £3.07 million fine issued to Advanced Computer Software Group (“Advanced”), a major processor used across the UK health and education sectors.

What happened

A ransomware attack succeeded because of several preventable weaknesses, including:

  • inadequate access controls,
  • outdated software components,
  • unpatched critical systems, and
  • insufficient segregation of sensitive data.

Because Advanced was acting as a data processor, the incident demonstrated that processors are not insulated from ICO enforcement. Importantly, the ICO highlighted that robust Article 32 security measures apply equally to processors and controllers — a point many SMEs overlook when relying on third-party suppliers.

Why this matters for SMEs

Many SMEs rely on external IT providers, SaaS dashboards, or outsourced infrastructure. Consequently, they often inherit a false sense of security. Yet, as the Advanced case shows:

  • unpatched systems,
  • misconfigured access rights, and
  • weak administrator controls can create breach pathways that affect both the processor and its clients.

Furthermore, the ICO’s commentary stresses that technical misconfiguration is increasingly treated as a governance failure, not an unavoidable risk. In other words, SMEs are expected to demonstrate continuous security management – not reactive fixes after an incident.

What SMEs should do now

To reduce exposure to similar enforcement action:

  • Conduct regular patch-management reviews and document them.
  • Enforce multi-factor authentication on every administrative and remote-access account.
  • Validate that third-party systems use secure configuration baselines.
  • Request evidence: recent pen-test summaries, MFA logs, and architecture diagrams showing data segregation.

ICO Enforcement Trend 3: Supply-Chain & Vendor Risk Is Now the Biggest Exposure

BDO notes that third-party suppliers are involved in a significant proportion of enforcement cases. This is evident across recent ICO actions.

A major example is the £14 million fine issued to Capita following a cyber incident that exposed the data of over 6 million people.

The ICO criticised:

  • slow isolation of the breach,
  • insufficient monitoring,
  • weak patching practices, and
  • inadequate oversight of third-party systems.

Similarly, the Upper Tribunal’s Clearview ruling confirmed that even overseas vendors fall under UK GDPR if they monitor UK residents.

Why SMEs must pay attention

SMEs are more dependent than ever on external providers – IT contractors, payroll services, marketing platforms, CRMs, SaaS tools, cloud storage, etc. Consequently, the regulator expects SMEs to:

  • verify supplier security
  • assess processors before onboarding
  • maintain a vendor register
  • require evidence of compliance
  • include audit rights and termination clauses

In other words, your compliance is only as strong as your weakest vendor.

What SMEs should do

  • Inventory all suppliers with data access
  • Request evidence: certifications, test summaries, logs
  • Ensure processor contracts meet Article 28 requirements
  • Assess vendors annually (high-risk: quarterly)

The Athlex Data Protection free audit highlights exactly where your vendor chain poses compliance risk.

ICO Enforcement Trend 4: Governance, Documentation & Accountability Are Under the Microscope

BDO’s report highlights that the ICO is increasingly examining how decisions are made, not just whether breaches occur. Good governance – leadership awareness, documented decisions, risk logs, and internal reporting structures — is now a major enforcement factor.

This aligns with the ICO’s call for views on new enforcement-procedural guidance, signalling more transparent and structured regulatory processes.

This means SMEs are expected to show:

  • clear data-protection ownership
  • leadership engagement
  • meaningful internal reporting
  • documented risk assessments and decisions
  • evidence of proactive compliance

How SMEs Can Stay Ahead – Starting Today

To prepare for these enforcement trends, SMEs should immediately focus on:
✔ DSAR workflows
✔ Data-accuracy controls
✔ Vendor oversight
✔ Incident readiness
✔ Governance documentation

And the simplest way to begin?

Use Athlex Data Protection’s Free UK GDPR Compliance Audit tool.

To read more about the biggest UK GDPR risks for SMEs, see our blog: Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs.

It covers DSARs, access controls, vendor risk, system accuracy, governance, and incident readiness – all mapped into a clear action plan.

Age verification and UK GDPR in 2025: a plain-English SME guide


If your product or community has age-limited features, you’ve probably looked at third-party age-verification (AV) tools. They can help with fast onboarding and higher assurance. They do not remove your responsibilities as a controller. A recent breach at a third-party provider handling age-check appeals is a reminder to tighten the basics.[i]

Below is a practical checklist you can apply this week.

1) Refresh your DPIA

Treat AV as a distinct processing activity. Update your Data Protection Impact Assessment (DPIA) with:

(a) the categories of data the vendor collects, such as ID images and metadata,
(b) special-category or child considerations,
(c) the risks if the vendor is compromised, and
(d) mitigations such as encryption, redaction, and retention controls.

If you still identify high risks you cannot reduce, you must consult the ICO before you go live.[ii]

2) Get serious about processor due diligence

At a minimum, send potential vendors a security questionnaire covering access controls, key management, encryption at rest and in transit, and relevant certifications. Request a full list of sub-processors and evidence of breach management. Your contracts should mandate prompt breach notification, co-operation with investigations, approval of any sub-processor, transparency about data locations and robust audit rights. Many age-verification providers use third-party image-processing pipelines, so insist on visibility and the right to object to high-risk practices.

3) Data minimisation and retention

Only collect what you need to achieve the purpose. Prefer a pass or fail token and a coarse age band over storing full ID images. Where images are necessary, for example during appeals, set short retention periods and automatic deletion. Avoid internal copies of vendor-held data. Ask for privacy-preserving artefacts such as non-reversible tokens or signed assertions to prove checks occurred.
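As an added illustration (not the page’s own material, and not any vendor’s API), the Python below shows what the privacy-preserving artefacts this section recommends can look like on the controller side: an opaque, non-reversible reference that stands in for your user id, a short-lived signed assertion carrying only pass/fail and a coarse age band, and a verifier that refuses tampered, expired, mis-bound or over-sharing assertions. The shared HMAC key, the vendor name and the claim names are assumptions; a real vendor would normally sign with its private key and you would verify with its public key, and every check below stays the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Claims a minimal assertion is allowed to carry (assumed claim names). Anything
# else (date of birth, name, document number, an ID image) is rejected outright:
# the controller should never receive it, let alone store it.
ALLOWED_CLAIMS = {"vendor", "ref", "result", "age_band", "iat", "exp"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def opaque_ref(user_id: str, pepper: bytes) -> str:
    """Non-reversible reference for a check.

    Keyed hash of your internal user id: you can match a returned assertion to
    an account, but the vendor cannot recover the id, and a leaked assertion
    identifies nobody without the pepper (held only by the controller).
    """
    digest = hmac.new(pepper, user_id.encode("utf-8"), hashlib.sha256).digest()
    return b64url(digest[:16])


def sign_payload(key: bytes, payload: dict) -> str:
    """Encode and HMAC-sign any payload as 'body.signature'.

    Stands in for the vendor's signing step (assumed shared key; a public-key
    signature is the stronger choice and changes nothing in the verifier).
    """
    body = b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    sig = b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def mint_assertion(key: bytes, ref: str, passed: bool, age_band: str,
                   ttl: int = 900, now: Optional[int] = None) -> str:
    """Pass/fail plus a coarse age band, short-lived, and nothing else."""
    now = int(time.time()) if now is None else now
    payload = {
        "vendor": "av-vendor-example",  # assumed vendor identifier
        "ref": ref,
        "result": "pass" if passed else "fail",
        "age_band": age_band,           # e.g. "18+" rather than a date of birth
        "iat": now,
        "exp": now + ttl,
    }
    return sign_payload(key, payload)


def verify_assertion(key: bytes, token: str, expected_ref: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason): signature, claim set, expiry, then binding."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected_sig = b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad-signature"      # tampered with or forged
    try:
        payload = json.loads(unb64url(body))
    except ValueError:
        return False, "malformed"
    if not isinstance(payload, dict) or set(payload) != ALLOWED_CLAIMS:
        return False, "unexpected-claims"  # vendor is oversharing: refuse, do not store
    if not isinstance(payload["exp"], int) or payload["exp"] <= now:
        return False, "expired"            # short retention starts with short validity
    if not hmac.compare_digest(str(payload["ref"]), expected_ref):
        return False, "ref-mismatch"       # an assertion for someone else's check
    if payload["result"] != "pass":
        return False, "failed-check"
    return True, "ok"
```

Refusing an assertion whose claim set is wider than agreed, rather than quietly dropping the extra fields, is the point: it turns the minimisation clause in the processor contract into something enforced at the integration boundary, and it surfaces a vendor-side change before their oversharing becomes your breach.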

4) Build a clean incident playbook

Your playbook should name decision-makers in legal, PR, engineering, and security. Include steps to cut off the vendor, rotate keys, revoke scopes, switch to a fallback path, and notify affected users where required. Prepare clear comms templates and support routes. Rehearse the cut-over at least once a year.

5) Children and higher-risk contexts

If your service is likely to be accessed by children, align with the ICO’s Children’s Code. That means high privacy by default, clear and age-appropriate information, and DPIAs that reflect child-specific risks. In AV flows, design for dignity and accessibility. Offer alternatives for people who do not have passports or driving licences. Start with the ICO’s code and standards.[iii]

6) Understand DUAA timing and what changes

The Data (Use and Access) Act 2025 is being switched on in stages. Expect the main data-protection changes about six months after Royal Assent. The new duty to provide a data-protection complaints route is expected about twelve months after Royal Assent. Keep a simple internal timeline, assign owners, and log milestones such as policy updates, training, and website notices. See the government’s commencement plan[iv] and the ICO’s explainer.[v]

7) Recognised Legitimate Interests (RLI): plan, do not assume

RLI is a new lawful basis that will apply to specific public-interest purposes once commenced. Most commercial AV uses will still rely on consent, contract, or legitimate interests with a proper balancing test. Track the ICO’s draft guidance and plan a gap-analysis workshop when the final text lands.[vi]

8) Communicate clearly

Update your privacy notice with a dedicated AV section covering purpose, data types, vendor names, locations, retention, and user choices. Provide a one-screen summary in the AV flow with a link to full details. Make it obvious how people can raise a data-protection complaint with you now and how you will meet the new statutory process once it is in force.[vii]

9) Test your fallback

If the vendor goes down or trust is lost, what then? Offer a temporary pathway, for example age-band self-declaration with heightened moderation, or a pause with email support, while you switch vendors. Document the lawful basis for your fallback and the short-term risk trade-offs you accept.

Quick win checklist

  • DPIA updated and signed off
  • Processor due diligence complete and sub-processors logged
  • Retention periods implemented and images set to auto-purge
  • Incident playbook rehearsed and vendor cut-off tested
  • Privacy notice section live and complaints route visible
  • DUAA milestones tracked and training booked

[i] The Guardian

[ii] ICO: when prior consultation is required; ICO: DPIA overview

[iii] ICO: Children’s Code hub

[iv] DSIT: DUAA commencement guidance

[v] ICO: what the DUAA means

[vi] ICO: consultation on recognised legitimate interests

[vii] ICO: consultation on complaints handling