EP NowStoreAcademySupportProduction LotProducts by Country
Legal & Compliance Home

ICO Warns Against Complacency as it Hands Out £4.4M GDPR Penalty

The Information Commissioner’s Office (ICO) imposes hefty penalty for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).
November 16, 2022
ICO Issues 4.4M Penalty

The Information Commissioner’s Office (ICO) has imposed a hefty penalty of £4.4M on UK-based construction company Interserve Group Ltd. for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).

Despite falling victim to a cyberattack, the ICO had little sympathy for Interserve, with Information Commissioner John Edwards stating

The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

Clearly, the ICO is continuing to crack down on companies which don’t take data security seriously. So, what can production teams learn from this decision?

What happened?

In March 2020 a phishing email was sent to Interserve’s accounts team mailbox requesting urgent review of a document. The email wasn’t picked up by Interserve’s email system. An employee monitoring the inbox forwarded it to a colleague who was responsible for paying invoices.

The second colleague opened the email and downloaded the attached zip file. The file installed malware on their computer, giving the hacker access to their system.

Interserve’s anti-virus tool detected the malware and removed it. However, the company failed to take any further steps to investigate the incident and the hacker retained access to the employee’s computer.

The hacker subsequently gained access to Interserve’s IT system. Among other things, the hacker compromized four HR databases containing data relating to 113,000 former and current employees. This data included personal data – such as contact details, national insurance numbers, bank details and salary information – as well as special category personal data, including data relating to ethnic origin, religion, sexual orientation and disabilities.

Two months after the original attack, during a routine maintenance check, Interserve discovered a message on its server stating that it had been hacked. It subsequently reported the attack to the National Cyber Security Centre and the National Crime Agency and submitted a personal data breach notification to the ICO.

The penalty

Following an investigation, the ICO concluded that Interserve had failed to put appropriate technical and organizational measures in place to prevent the cyberattack, in breach of Articles 5(I)(f) and 32 of the UK GDPR.

In particular, the ICO found that Interserve had:

  • Failed to follow up after being alerted to suspicious activity
  • Used outdated software systems and protocols
  • Failed to provide proper staff training (at the time of the incident, only one of the employees who received the phishing email had undertaken data protection training), and
  • Failed to undertake proper risk assessments

According to the ICO, these failures had rendered Interserve vulnerable to a cyberattack.

Takeaways for production

In its decision, the ICO acknowledges that while protecting a business from cyberattacks can feel intimidating, most organizations which get it wrong make preventable mistakes.

With phishing attempts constituting the most common form of cyberattack reported by UK businesses, there are some lessons which can be learned from this decision.

Training, training, training

Because phishers prey on individuals, it’s essential that production teams undergo data protection training so that they can recognize attempted attacks (things like unusual or mis-spelled domain names, poor spelling and grammar and urgent requests to perform a task (such as making a payment) can all be signs that an email isn't what it seems). As demonstrated in this case, accounts teams may be a particular target due to the nature of their role.

Phishers are becoming increasingly sophisticated, so training should be provided on a regular basis to keep data protection top of mind.


In addition to providing regular training, it’s essential that production companies have appropriate data protection policies in place and a means to update and promote these. It’s also important to have a clear audit trail of who’s read and agreed to your policies.

Robust systems

Interserve’s outdated software systems made it vulnerable to a cyberattack. Similarly, personal email systems and devices and unsecure IT networks can leave you exposed if you’re using them to host and share personal data, such as contract and payment information. To reduce your risk, make sure you’re using a secure, cloud-based solution to manage personal data, with added security measures like multi-factor authentication.

For more information on how to secure your production data, check out our guide to information security.

Topic: Security

Related Content

EP News_SQUARE_Breaking Down Barriers-How Leading UK Organisations are Driving Inclusion in Film and TV

Breaking Down Barriers: How Leading UK Organisations are Driving Inclusion in Film and TV

Notable UK training bodies and industry partners gather to reaffirm their mission to drive change and...
Woman looking at a laptop

20 IR35 Terms Every Production Worker Should Know

Find out how to apply the UK’s IR35 rules to your film and TV productions with this helpful overview.
Master Series Thumbnail–UK indie film tax credit

Boost Your Budget with the Independent Film Tax Credit

Learn how to maximize UK incentive dollars with the new IFTC!
Fully Focused-Thumbnail-480

Entertainment Partners and Fully Focused Partner to Support the Future of UK Production

New partnership aims to foster the next generation of UK production professionals and break down barriers...

Spotlight: Lloyd Gunton, UK Tax Credit Expert

Meet the creative sector tax expert helping EP clients from indies to major studios maximize incentives...
Cameraman filming outside in a field

HMRC Announces Changes to Claiming UK Creative Sector Tax Incentives

What productions should know about the increased disclosure requirements under the UK's Audio-Visual...
EP Blog-Bob Clarke-Mama Youth

Celebrating (Almost) 20 Years of MAMA Youth Project

UK charity’s founder, Bob Clarke, shares how this unique initiative is breaking down barriers to...
Producer and actor standing on a film set

How to Prepare for an Audit: Tips for UK Productions

Discover key strategies UK film and TV production companies can use to effectively prepare for an audit.
Topic: UK
Camera man and production crew on a film set

Curious About Co-productions? What Producers Need to Know.

Discover the advantages, requirements, and strategies for successful co-productions in the film industry.
National Film and Television School

Entertainment Partners To Provide Funding For Future Assistant Directors And Floor Managers

Two new scholarship opportunities are now available for those looking to train in the field of assistant...

What Does the UK’s New Independent Film Tax Credit (IFTC) Mean for Productions?

As the UK government strengthens its support for productions, find out what the latest changes to the...
Four panelists discuss co-production-square

Unlocking the Myths and Benefits of Co-Production

Learn the difference between an official co-production and PSA, and how to leverage these opportunities to...
EP Newsroom-Thumbnail-PGGB

Million Youth Media Wins The Duke of Edinburgh Film & TV Inclusion Award 2024 at PGGB Talent Showcase

The Duke of Edinburgh Film & TV Inclusion Award presented to Million Youth Media, an organisation offering...
Blue square with white letters and UK flag: Changes to UK Paternity Leave Regulations

Changes to UK Paternity Leave Regulations

Effective March 8th, modified paternity leave to provide more flexibility for UK fathers.
Topic: Alerts
Big Ben, London

5 Things to Consider Before Transitioning to the UK’s New AVEC Regime

A comprehensive overview to help determine if you should use the UK’s new incentive regime to fund your...
Blue tile stating UK announces minimum wage updates

UK Government Announces Minimum Wage Updates

National Living Wage and National Minimum Wage rates increase for 2024.
Master Series Thumbnail Square UK Productions

UK Production: Sites, Services and Studios

Learn about UK incentives, infrastructure and production innovation spanning from London to Wales,...

Entertainment Partners Makes Commitment to UK Production with Film & TV Partnership Programme

Find out how EP is partnering with the leading UK training organisations to close the skills gap, increase...
Entertainment Partners Logo Thumbnail-square

NFTS and Entertainment Partners (EP) Establish Partnership to Support the Future of Film and Television Production

By supporting the National Film and Television School through this new partnership, Entertainment Partners...

NFTS, Entertainment Partners establish partnership

EP the entertainment payroll and production technology company joins as a prominent new Patron of the...

NFTS and Entertainment Partners (EP) establish partnership

The National Film and Television School (NFTS) announces a new partnership with Entertainment Partners...
UK Right to Work Penalties to Triple in 2024

UK Right to Work Penalties to Triple in 2024

Find out how your production can prepare for the increased penalties for employing a worker who doesn't...
Topic: Legal
EP Blog_SQUARE_Spread of UK Production

Outside of London: How the UK Production Industry Spread Beyond the Capital

Film and TV production outside of London (OOL) is now an integral part of the UK, with world-class media...
Topic: UK
Expert Advice_Sam Collett

Spotlight: Sam Collett, UK Production Accounting and Incentives Expert

Meet the Senior Partner at FLB Accountants, an Entertainment Partners company specializing in UK media and...
Master Series_UK Incentives Panel_Square

What's Changing in UK Production Incentives

Learn about the recent changes to the UK Creative Sector Tax Credits and how they might impact your next...
EP Blog_SQUARE_UK cultural test

Understanding the UK Cultural Test

Find out whether your film or TV show will pass the UK’s Cultural Test, a key step in qualifying for the...

Payroll & Finances

PayrollResidualsSmartStartSmartTimeProduction PortalEP On LocationSmartAccountingEP LiveSmartPOCASHétPayPaymaster Rate GuideEP ResidencyMoneypenny

Manage Multiple Productions


Additional Services

Subscribe now

Be an industry insider with EP's
newsletters and alerts

LegalPrivacy NoticeSecurity
© 2024 Entertainment Partners. All rights reserved.