Tag: Incident response
The UK’s data-protection landscape is evolving fast, and SMEs are now directly exposed to enforcement action once largely associated with public bodies or large multinationals. As BDO’s analysis of ICO enforcement trends in 2025 highlights, the ICO is increasingly focused on fundamental compliance failures rather than technical edge cases, meaning SMEs face the same expectations as larger organisations.
To help UK SMEs stay ahead, this guide breaks down the three most prominent ICO enforcement themes in 2025 and explains how each relates directly to the core duties under UK GDPR.
ICO Enforcement Trend 1: DSAR Delays & Right-of-Access Failures
The ICO continues to treat DSAR delays as one of the most serious indicators of poor governance. This theme appears repeatedly in enforcement notices and aligns closely with the BDO analysis.
A recent example is the enforcement notice issued to South Wales Police, requiring the organisation to clear a backlog of more than 350 overdue SARs by mid-2026.
Although policing bodies sit in a unique context, the principle is identical for SMEs: a delayed, incomplete, or mismanaged DSAR is a governance failure, not an administrative error.
Why SMEs are vulnerable
- DSAR processes are often informal or undocumented
- Staff rely on untracked shared inboxes that hamper compliance
- Manual redaction takes longer than expected and slows response times
- Identity verification checks are inconsistent or incomplete
- No clear owner is assigned to coordinate DSAR responses
Consequently, SMEs often fail “by accident”, simply because processes were never clearly built.
What SMEs should do
- Implement a formal DSAR register
- Use standardised verification templates
- Assign responsibility for triage and drafting
- Create a redaction decision record
- Test your DSAR workflow every six months
See how Athlex Data Protection can help you with your UK GDPR compliance.
To strengthen your position, Athlex Data Protection includes DSAR review as part of its Free UK GDPR Compliance Audit.
ICO Enforcement Trend 2: System Errors & Data-Accuracy Failures
While many SMEs assume breaches are caused by sophisticated threat actors, the ICO’s recent fines show that basic security failings, particularly around access control and system configuration, remain the driving force behind most incidents. This is why BDO identifies weak security controls as a recurring enforcement theme.
A clear example of this is the £3.07 million fine issued to Advanced Computer Software Group (“Advanced”), a major processor used across the UK health and education sectors.
What happened
A ransomware attack exploited several preventable vulnerabilities, including:
- inadequate access controls,
- outdated software components,
- unpatched critical systems, and
- insufficient segregation of sensitive data.
Because Advanced was acting as a data processor, the incident demonstrated that processors are not insulated from ICO enforcement. Importantly, the ICO highlighted that robust Article 32 security measures apply equally to processors and controllers — a point many SMEs overlook when relying on third-party suppliers.
Why this matters for SMEs
Many SMEs rely on external IT providers, SaaS dashboards, or outsourced infrastructure. Consequently, they often inherit a false sense of security. Yet, as the Advanced case shows:
- unpatched systems,
- misconfigured access rights, and
- weak administrator controls can create breach pathways that affect both the processor and its clients.
Furthermore, the ICO’s commentary stresses that technical misconfiguration is increasingly treated as a governance failure, not an unavoidable risk. In other words, SMEs are expected to demonstrate continuous security management – not reactive fixes after an incident.
What SMEs should do now
To reduce exposure to similar enforcement action:
- Conduct regular patch-management reviews and document them.
- Enforce multi-factor authentication on every administrative and remote-access account.
- Validate that third-party systems use secure configuration baselines.
- Request evidence: recent pen-test summaries, MFA logs, and architecture diagrams showing data segregation.
ICO Enforcement Trend 3: Supply-Chain & Vendor Risk Is Now the Biggest Exposure
BDO notes that third-party suppliers are involved in a significant proportion of enforcement cases. This is evident across recent ICO actions.
A major example is the £14 million fine issued to Capita following a cyber incident that exposed the data of over 6 million people.
The ICO criticised:
- slow isolation of the breach,
- insufficient monitoring,
- weak patching practices, and
- inadequate oversight of third-party systems.
Similarly, the Upper Tribunal’s Clearview ruling confirmed that even overseas vendors fall under UK GDPR if they monitor UK residents.
Why SMEs must pay attention
SMEs are more dependent than ever on external providers – IT contractors, payroll services, marketing platforms, CRMs, SaaS tools, cloud storage, etc. Consequently, the regulator expects SMEs to:
- verify supplier security
- assess processors before onboarding
- maintain a vendor register
- require evidence of compliance
- include audit rights and termination clauses
In other words, your compliance is only as strong as your weakest vendor.
What SMEs should do
- Inventory all suppliers with data access
- Request evidence: certifications, test summaries, logs
- Ensure processor contracts meet Article 28 requirements
- Assess vendors annually (high-risk: quarterly)
The Athlex Data Protection free audit highlights exactly where your vendor chain poses compliance risk.
ICO Enforcement Trend 4: Governance, Documentation & Accountability Are Under the Microscope
BDO’s report highlights that the ICO is increasingly examining how decisions are made, not just whether breaches occur. Good governance – leadership awareness, documented decisions, risk logs, and internal reporting structures — is now a major enforcement factor.
This aligns with the ICO’s call for views on new enforcement-procedural guidance, signalling more transparent and structured regulatory processes.
This means SMEs are expected to show:
- clear data-protection ownership
- leadership engagement
- meaningful internal reporting
- documented risk assessments and decisions
- evidence of proactive compliance
How SMEs Can Stay Ahead – Starting Today
To prepare for these enforcement trends, SMEs should immediately focus on:
✔ DSAR workflows
✔ Data-accuracy controls
✔ Vendor oversight
✔ Incident readiness
✔ Governance documentation
And the simplest way to begin?
Use Athlex Data Protection’s Free UK GDPR Compliance Audit tool.
To read more about the biggest UK GDPR risks for SMEs, see our blog: Inside Out: Why Insider Risk Is the Biggest UK GDPR Blind Spot for SMEs.
It covers DSARs, access controls, vendor risk, system accuracy, governance, and incident readiness – all mapped into a clear action plan.
The 72 Hour Rule for UK GDPR Breach Reporting
The 72 Hour Rule for UK GDPR Breach Reporting: A Plain English Guide for SMEs

When a personal‑data breach occurs, there are two key questions:
- When must we notify the regulator?
- How should we handle things internally to reduce risk, cost and reputational damage?
Lately, it feels like data breaches are never out of the headlines. From Marks & Spencer’s loyalty leak to Jaguar Land Rover’s ransomware hit, UK businesses are being tested on how fast and how well they respond.
For SMEs, understanding the 72‑hour rule under the UK GDPR isn’t just about avoiding fines: it’s your fire drill, your buffer, your business continuity plan.
What is a “personal data breach”?
A personal data breach under the UK GDPR is any security incident that results in:
- Accidental or unlawful destruction or loss of personal data
- Loss of availability, for example through ransomware or system failures
- Alteration or corruption of data that makes records inaccurate
- Unauthorised disclosure of, or unauthorised access to, personal data
It doesn’t take a hacker: mis-sent emails, misplaced USB drives, or wrongly configured cloud folders all qualify.
The “72-hour rule” – what it really means
The law doesn’t give you three full days to get your act together. It says:
“Without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.”
That means:
- If you can report sooner, you should.
- If you miss the deadline, you must justify why.
- And no – “we were still checking with IT” won’t cut it.
Step-by-step: what SMEs should do
✅ Recognise the incident
Use monitoring, logging, and staff escalation to detect breaches fast.
✅ Assess the risk
Ask: what is the risk to the individual? Is there a risk of identity fraud, financial or physical harm, or distress? We provide more guidance on this below.
✅ Decide whether to report to the ICO
Ask: what is the harm to the individual(s)? Then decide whether you need to report the breach. If you are not reporting, you must keep a log with clear reasoning.
✅ Notify the regulator if likely to result in a risk of harm to individuals
Use the ICO breach reporting form and include:
- What happened
- What data and the number of people affected
- Consequences
- What you have done to reduce the risks
- DPO or contact point
✅ Notify individuals (if high risk)
If the breach presents a high risk to the people affected (e.g. financial, reputational or emotional harm), you must tell them directly – without undue delay. This could be where there is an immediate risk of financial or physical harm to an individual.
✅ Remediate and document
Do a root-cause review to be clear about why it happened and how you will prevent it happening again. Update controls. Train staff. Write it all down.
Is the breach reportable? How to decide
Not every breach needs to be reported to the ICO – but many are. And the line between “notify” and “log it internally” isn’t always obvious.
Under the UK GDPR, a breach must be reported to the regulator if it is:
“likely to result in a risk to the rights and freedoms of individuals.”
This includes risks like:
- Identity theft or fraud
- Financial loss
- Loss of confidentiality
- Discrimination or reputational harm
- Distress, particularly where vulnerable people are affected
But what does “likely” mean in practice?
That’s where judgment, experience, and knowledge of ICO enforcement come in. You’ll need to assess:
- What kind of data was involved? (Basic contact details or sensitive health, financial, or identity data?)
- How exposed was it? (Sent to one person or published online?)
- How long was it accessible?
- Is there evidence it was accessed or misused?
- Could individuals suffer harm or distress as a result?
This isn’t a binary “yes/no” — it’s a context-led risk decision. And it’s one the ICO expects you to document thoroughly.
💡 If you decide not to report, you still need to record:
- The nature of the breach
- The decision-making process
- Why you believe notification wasn’t required
- Any steps taken to contain or prevent recurrence
📚 Many SMEs benefit from looking at recent ICO cases, guidance, and fines. These real-world examples show how risk is interpreted — and where organisations got it wrong by waiting too long, misjudging impact, or failing to document decisions.
🗂️ Bottom line: if you’re unsure, log your reasoning and seek advice. Whether you notify or not, the ICO cares most about whether you acted promptly, documented clearly, and protected individuals’ rights.
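The triage steps above (recognise, assess, decide, notify within 72 hours, record the reasoning either way) can be turned into a small, repeatable tool. The following is an added example, not Athlex’s own tooling: it computes the 72-hour deadline from the moment of awareness, scores the five assessment questions from the post, and produces the record the post says you must keep whether or not you notify. The scoring weights and thresholds are an illustrative assumption, not ICO guidance; replace them with your own documented policy. The two sample breaches are constructed.

```python
"""Breach triage record for the UK GDPR 72-hour rule (added example, not Athlex code).

Risk factors mirror the post's five assessment questions. The point weights and
thresholds below are an illustrative assumption, not ICO guidance.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFICATION_WINDOW = timedelta(hours=72)  # "not later than 72 hours after becoming aware"
SENSITIVE_CATEGORIES = {"health", "financial", "identity", "biometric", "criminal"}
EXPOSURE_POINTS = {"single_recipient": 0, "multiple_recipients": 1, "public": 2}


class Risk(Enum):
    NONE = "no likely risk"   # log internally with reasoning
    RISK = "likely risk"      # notify the ICO
    HIGH = "high risk"        # notify the ICO and the affected individuals


@dataclass
class Breach:
    reference: str
    became_aware: datetime        # timezone-aware; the 72-hour clock starts here
    data_categories: set          # e.g. {"contact"} or {"health", "identity"}
    exposure: str                 # key of EXPOSURE_POINTS
    accessible_for: timedelta     # how long the data was exposed
    evidence_of_access: bool      # any sign it was actually opened or misused
    vulnerable_individuals: bool  # children, patients, at-risk adults, etc.
    people_affected: int


def assess_risk(b: Breach) -> tuple:
    """Score the five assessment questions; return (Risk, reasoning lines)."""
    score, reasons = 0, []
    if b.data_categories & SENSITIVE_CATEGORIES:
        score += 2
        reasons.append(f"sensitive data involved: {sorted(b.data_categories & SENSITIVE_CATEGORIES)}")
    exposure_points = EXPOSURE_POINTS[b.exposure]  # KeyError flags an unknown exposure value
    score += exposure_points
    reasons.append(f"exposure: {b.exposure} (+{exposure_points})")
    if b.accessible_for > timedelta(hours=24):
        score += 1
        reasons.append(f"accessible for {b.accessible_for} (> 24h)")
    if b.evidence_of_access:
        score += 2
        reasons.append("evidence the data was accessed or misused")
    if b.vulnerable_individuals:
        score += 1
        reasons.append("vulnerable individuals affected")
    # Illustrative thresholds (assumption): 4+ high risk, 2-3 likely risk, else none.
    risk = Risk.HIGH if score >= 4 else Risk.RISK if score >= 2 else Risk.NONE
    reasons.append(f"score {score} -> {risk.value}")
    return risk, reasons


def reporting_deadline(became_aware: datetime) -> datetime:
    return became_aware + NOTIFICATION_WINDOW


def build_record(b: Breach, now: datetime) -> dict:
    """The log entry to keep whether or not you notify: nature, decision, reasoning, timing."""
    risk, reasons = assess_risk(b)
    remaining = reporting_deadline(b.became_aware) - now
    return {
        "reference": b.reference,
        "became_aware": b.became_aware.isoformat(),
        "ico_deadline": reporting_deadline(b.became_aware).isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "deadline_missed": remaining < timedelta(0),  # if True, you must justify the delay
        "risk": risk.value,
        "notify_ico": risk is not Risk.NONE,
        "notify_individuals": risk is Risk.HIGH,
        "people_affected": b.people_affected,
        "reasoning": reasons,
    }


def record_at_hours_after_awareness(b: Breach, hours: float) -> dict:
    """Convenience wrapper: build the record as of N hours after becoming aware."""
    return build_record(b, b.became_aware + timedelta(hours=hours))


def sample_breaches() -> list:
    """Constructed sample inputs: a mis-sent email and a ransomware exfiltration."""
    aware = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    return [
        Breach("BR-0001", aware, {"contact"}, "single_recipient", timedelta(hours=2),
               evidence_of_access=False, vulnerable_individuals=False, people_affected=1),
        Breach("BR-0002", aware, {"health", "identity"}, "public", timedelta(days=5),
               evidence_of_access=True, vulnerable_individuals=True, people_affected=4200),
    ]


if __name__ == "__main__":
    for breach in sample_breaches():
        print(json.dumps(record_at_hours_after_awareness(breach, 6), indent=2))
```

The first sample (a single mis-sent email with contact details, no sign of access) scores zero and is logged with its reasoning but not notified; the second (sensitive data published, evidence of access, vulnerable people) is high risk, so both the ICO and the individuals must be told, and running the record 80 hours after awareness flags the missed deadline that would need justifying.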
Common SME mistakes
- No breach detection tools in place
- Waiting too long to decide what to do
- Not documenting decisions
- Assuming “we’re too small to be a target”
- Launching new systems without updating privacy notices or contracts
Why SMEs should care
📣 From M&S to Jaguar Land Rover, breaches are everywhere.
But the risk isn’t just for corporates:
- SMEs are common stepping stones in larger supply chains
- Many attacks fly under the radar but cause huge disruption
- The ICO doesn’t care how small you are if you’re unprepared
💥 Capita was fined £14m for poor breach handling.
🧾 Don’t wait for yours to become a headline.
SME breach-response checklist
- Do you have a documented, tested response plan?
- Are your logs and alerts functioning?
- Have staff been trained on what to do?
- Do your contracts cover breach reporting?
- Do you review and record every incident, even the “minor” ones?
Related on Athlex: Prevent insider risk
Most breaches start from inside your business.
📘 Read: Insider Risk — 7 GDPR Controls for SMEs
Final word
The 72-hour rule is not just a regulatory tick-box: it’s your first defence.
Plan it. Test it. Use it.
And when a breach happens, act fast and document everything.
Contact us if you need help: hello@athlex.co.uk
Our Free UK GDPR Compliance Checklist is coming soon.
