EP NowStoreAcademySupportCommunityProducts by Country
Legal & Compliance Home

ICO Warns Against Complacency as it Hands Out £4.4M GDPR Penalty

The Information Commissioner’s Office (ICO) imposes hefty penalty for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).
November 16, 2022
ICO Issues 4.4M Penalty

The Information Commissioner’s Office (ICO) has imposed a hefty penalty of £4.4M on UK-based construction company Interserve Group Ltd. for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).

Despite falling victim to a cyberattack, the ICO had little sympathy for Interserve, with Information Commissioner John Edwards stating

The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

Clearly, the ICO is continuing to crack down on companies which don’t take data security seriously. So, what can production teams learn from this decision?

What happened?

In March 2020 a phishing email was sent to Interserve’s accounts team mailbox requesting urgent review of a document. The email wasn’t picked up by Interserve’s email system. An employee monitoring the inbox forwarded it to a colleague who was responsible for paying invoices.

The second colleague opened the email and downloaded the attached zip file. The file installed malware on their computer, giving the hacker access to their system.

Interserve’s anti-virus tool detected the malware and removed it. However, the company failed to take any further steps to investigate the incident and the hacker retained access to the employee’s computer.

The hacker subsequently gained access to Interserve’s IT system. Among other things, the hacker compromized four HR databases containing data relating to 113,000 former and current employees. This data included personal data – such as contact details, national insurance numbers, bank details and salary information – as well as special category personal data, including data relating to ethnic origin, religion, sexual orientation and disabilities.

Two months after the original attack, during a routine maintenance check, Interserve discovered a message on its server stating that it had been hacked. It subsequently reported the attack to the National Cyber Security Centre and the National Crime Agency and submitted a personal data breach notification to the ICO.

The penalty

Following an investigation, the ICO concluded that Interserve had failed to put appropriate technical and organizational measures in place to prevent the cyberattack, in breach of Articles 5(I)(f) and 32 of the UK GDPR.

In particular, the ICO found that Interserve had:

  • Failed to follow up after being alerted to suspicious activity
  • Used outdated software systems and protocols
  • Failed to provide proper staff training (at the time of the incident, only one of the employees who received the phishing email had undertaken data protection training), and
  • Failed to undertake proper risk assessments

According to the ICO, these failures had rendered Interserve vulnerable to a cyberattack.

Takeaways for production

In its decision, the ICO acknowledges that while protecting a business from cyberattacks can feel intimidating, most organizations which get it wrong make preventable mistakes.

With phishing attempts constituting the most common form of cyberattack reported by UK businesses, there are some lessons which can be learned from this decision.

Training, training, training

Because phishers prey on individuals, it’s essential that production teams undergo data protection training so that they can recognize attempted attacks (things like unusual or mis-spelled domain names, poor spelling and grammar and urgent requests to perform a task (such as making a payment) can all be signs that an email isn't what it seems). As demonstrated in this case, accounts teams may be a particular target due to the nature of their role.

Phishers are becoming increasingly sophisticated, so training should be provided on a regular basis to keep data protection top of mind.


In addition to providing regular training, it’s essential that production companies have appropriate data protection policies in place and a means to update and promote these. It’s also important to have a clear audit trail of who’s read and agreed to your policies.

Robust systems

Interserve’s outdated software systems made it vulnerable to a cyberattack. Similarly, personal email systems and devices and unsecure IT networks can leave you exposed if you’re using them to host and share personal data, such as contract and payment information. To reduce your risk, make sure you’re using a secure, cloud-based solution to manage personal data, with added security measures like multi-factor authentication.

For more information on how to secure your production data, check out our guide to information security.

Topic: Security

Related Content

10 Notable UK Studios for Your Next Production 

Headed to the UK for your next film? Check out this list of notable filming locations ranging from...
Topic: Spotlight

3 Common Pitfalls to Avoid When Performing Right to Work Checks

Make sure you’re following the UK right to work rules when contracting and paying film and TV production...
Topic: Legal
PGGB and Entertainment Partners: Step up to Production Accountant

Entertainment Partners Supports PGGB’s Step Up to Production Accountant Programme

Supporting UK crew transitioning to production accountant roles, Entertainment Partners sponsors the...
Screen Alliance Wales

Entertainment Partners Announced as Official Sponsor of Screen Alliance Wales

EP sponsors Screen Alliance Wales, a leading not-for-profit which grows and promotes the talent, crew and...
Master Series_Square_Tax Considerations Abroad

Tax Considerations for US Productions Working Abroad

Paying US crew filming outside of the US is complex. Our experts will show you how to navigate the...
Katie Weekes, Managing Director of Global Casting at Entertainment Partners (EP)

Spotlight: Katie Weekes, Managing Director of Global Casting

Meet Entertainment Partners’ Managing Director of Global Casting

ScreenSkills Launches Movie Magic Training Programme for UK HETV Professionals

Entertainment Partners supports ScreenSkills’ training programme to upskill UK HETV professionals on Movie...

10 Myths About the UK Film and TV Tax Credit – And Why They're Not True

The UK film and TV tax credit is one of the most generous in the world. Learn the truth about common...

The Production Accountant’s Guide to Foreign Taxation

Answers to common questions about tax treaties, tax codes and how paying foreign taxes can impact US...
Master Series Thumbnail Square_UK Tax Relief

What Productions Need to Know about the UK Tax Relief

Learn about the recently announced reforms to the UK Tax Relief, including the credit increases and new...
EP Newsroom-Thumbnail-PGGB

The Production Guild of Great Britain Announces New Scotland Committee

Producer Brian Donovan ('His Dark Materials', 'The Rook') chairs the fifth of PGGB’s National & Regional...

The UK Government Announces Changes to Film and TV Tax Relief

A new audio-visual expenditure credit was introduced with a rate of 34% for film, high-end television...
INDUSTRY NEWS_Square_New VAT Penalty System

Avoiding Penalties Under HMRC’s New VAT System

Late penalties now apply if you submit your production’s value-added tax (VAT) returns after the deadline...
Topic: UK
Woman looking at working schedule on laptop

Types of Working Days in the UK HETV Industry – And What They Mean

Key types of working days to be aware of if you’re producing scripted TV in the UK.
Topic: UK

2023 Tax Year Changes Affecting Your UK Production Payroll

UK government has announced increases to various rates of statutory pay, which will take effect in April...
INDUSTRY NEWS_SQUARE_uk flag_big ben

Update on UK Film and TV Tax Relief Consultation

A look at how the UK government aims to modernise existing tax reliefs to better serve film industry...
Topic: UK

UK Employment Law Changes Production Companies Should Be Aware Of

The UK government is considering a suite of legal changes which – if passed into law – will affect your...
Topic: UK
EP Blog_SQUARE_London Background Actors

London Productions: Key Things to Consider When Working with Background Actors

Is your production filming in or around London? Don't overlook the special rules that may apply to your...
Topic: UK
Joe Francis-EP International-Lyndsay Duthie-PGGB-Alison Small-Netflix

UK Film and TV Industry Gathers at Inaugural PGGB Talent Showcase

More than 250 film and TV industry figureheads, newcomers, students, educators and skills bodies gathered...
EP Newsroom-Thumbnail-PGGB

Entertainment Partners and Netflix pledge £500K ($616K) to new PGGB Talent Development Fund

Entertainment Partners and Netflix have each pledged £250k ($308k) to form a new £500k ($616k) Production...

7 Things Production Finance Teams Need to Know for Budgeting in 2023

Mark Hammond, VP of International Finance & Ops, shares some of the key factors production finance teams...
EP Newsroom-Thumbnail-PGGB

6FT From The Spotlight Wins Inaugural Earl of Wessex Award at PGGB Talent Showcase

Film and TV industry charity 6ft From the Spotlight were awarded The Production Guild of Great Britain’s...

Entertainment Partners and Netflix Pledge £500K ($608K) to New PGGB Talent Development Fund

Production Guild of Great Britain (PGGB) Talent Development Fund will support the development and...

New Union Agreement for Engaging Crew on UK HETV Takes Effect

Pact/Bectu 2023 agreement makes a number of key changes to the terms and conditions for engaging crew.
Topic: UK
Master Series square Thumbnail Pact Bectu Agreement

Understanding the New Pact/Bectu TV Drama Agreement 2023

Your comprehensive overview of the new Pact/Bectu TV Drama Agreement and how key changes will impact...
Topic: UK
Virtual Production

The UK Invests in Virtual Production as Content Boom Continues

The UK is doubling down on Virtual Production infrastructure; learn how and why they’re leading the charge...
Topic: UK
Doctor Strange

9 Hollywood Blockbusters Actually Filmed in the UK

Major US studios are taking advantage of what the UK has to offer, and clever set design and special...
Topic: UK

UK Production Incentives All Producers Should Know About

Don't miss out on the UK's tax incentives, special programs, and national and regional funding...

Behind the Boom: Why the UK is a Hotspot for Production

Explore the generous industry incentives, talent, and infrastructure available to productions filming in...

Three Mistakes That Can Slow Down Your Production Payroll (And How to Avoid Them)

Stay compliant with UK rules and regulations, and get your crew and talent paid on time, with these...
UK Govt backtracks on growth plan

UK Government Backtracks on Growth Plan: What it Means for Production

Former UK Chancellor Kwasi Kwarteng was replaced by Jeremy Hunt after 38-day run, and policies reversed in...
Topic: UK

Payroll & Finances

PayrollResidualsSmartStartNew SmartTimeProduction PortalEP On LocationSmartAccountingEP LiveSmartPOCASHétPayPaymaster Rate GuideEP Residency

Manage Multiple Productions

Subscribe now

Be an industry insider with EP's
newsletters and alerts

LegalPrivacy NoticeSecurity
© 2023 Entertainment Partners. All rights reserved.