
When Legacy Bites Back: What the £14 Million ICO Fine Against Capita Really Means



Excellence by default. Compliance by design.

By Oliver Kölsch – Data Protection, IT Security & Compliance, TrendTec UG


A Fine That Sends a Message


In early 2023, the UK’s Information Commissioner’s Office (ICO) imposed a fine of approximately £14 million on IT service provider Capita.

This was not a routine sanction — it was a signal. 
A signal to every company still relying on outdated infrastructures and “legacy contracts”: Legacy is no longer a status. It’s a liability.


At the core of the incident were two familiar weaknesses: privilege escalation and ineffective alert response.

An attacker exploited outdated permission structures to gain privileged access. Alerts were generated but not acted upon in time. The result: millions of citizens’ personal data — including sensitive insurance and pension information — were compromised.


Beyond the Fine: Accountability in Depth


The ICO’s decision does more than penalize one provider.

It redefines how accountability is distributed across IT service chains.


“Legacy infrastructure and old contracts no longer protect you from responsibility.”


The message is clear:

  • Technical negligence is now legal negligence.
  • Due diligence extends beyond the SLA — into your code, architecture, and processes.
  • Response time and traceability are measurable compliance factors.



    For service providers, this means that compliance cannot be delegated. Security, architecture, and governance are now indivisible.


Data Protection Is System Architecture


Many organizations still treat data protection as a legal checkbox exercise.

But the Capita case proves that data protection today is fundamentally a matter of system architecture.


In practice, this translates into:

  • Privilege management is not optional — it is a mandatory control under GDPR Article 32.
  • Incident response must be measurable, repeatable, and auditable.
  • Legacy environments require formal risk assessments and documented modernization plans.


Failing to modernize creates not only technical debt but also regulatory debt — and both accrue interest.


Three Lessons for Every Organization

  1. Inventory Your Dependencies. 
    Identify systems, partners, and subprocessors. Which ones are still GDPR-compliant — and which aren’t?
  2. Test Your Response Capability. 
    Define alert runbooks, escalation thresholds, and time-to-respond KPIs.
  3. Embed Compliance in Design. 
    Policies do not ensure protection — architecture does.

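The second lesson above, time-to-respond KPIs with escalation thresholds, and the incident's failure mode of alerts that were generated but not acted upon, can be made measurable with a small script. The following is an added example written for this article; it is not TrendTec's code or any product module. The escalation thresholds per severity, the pipe-separated alert record format, and the alert records themselves are constructed assumptions for illustration.

```python
"""Time-to-respond KPI check over alert records (added example, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    severity: str                        # "high" / "medium" / "low"
    raised_at: datetime
    acknowledged_at: Optional[datetime]  # None = nobody has acted on it yet

# Escalation thresholds per severity: assumed values for the example,
# in practice these come from the organization's alert runbook.
ESCALATION_THRESHOLDS = {
    "high": timedelta(minutes=15),
    "medium": timedelta(hours=1),
    "low": timedelta(hours=8),
}

def parse_alert_line(line: str) -> Alert:
    """Parse one constructed record: id | severity | raised | acknowledged-or-'-'."""
    alert_id, severity, raised, acked = [f.strip() for f in line.split("|")]
    return Alert(
        alert_id,
        severity.lower(),
        datetime.fromisoformat(raised),
        None if acked == "-" else datetime.fromisoformat(acked),
    )

def time_to_respond(alert: Alert, now: datetime) -> timedelta:
    """Elapsed time until acknowledgement, or until `now` if the alert is still open."""
    end = alert.acknowledged_at if alert.acknowledged_at else now
    return end - alert.raised_at

def evaluate(lines, now):
    """Return per-alert KPI rows, the list of threshold breaches and the
    percentage of alerts handled within their escalation threshold."""
    rows = []
    for line in lines:
        a = parse_alert_line(line)
        ttr = time_to_respond(a, now)
        rows.append({
            "alert_id": a.alert_id,
            "severity": a.severity,
            "ttr_minutes": round(ttr.total_seconds() / 60, 1),
            "breached": ttr > ESCALATION_THRESHOLDS[a.severity],
            "unacknowledged": a.acknowledged_at is None,  # open alerts count against the KPI
        })
    breached = [r for r in rows if r["breached"]]
    within_pct = 100.0 * (len(rows) - len(breached)) / len(rows) if rows else 100.0
    return {"rows": rows, "breached": breached, "within_threshold_pct": round(within_pct, 1)}

# Constructed sample alerts; the second one was never acknowledged.
SAMPLE_ALERTS = [
    "A-1001 | high   | 2025-10-01T08:00:00 | 2025-10-01T08:05:00",
    "A-1002 | high   | 2025-10-01T08:10:00 | -",
    "A-1003 | medium | 2025-10-01T09:00:00 | 2025-10-01T09:30:00",
    "A-1004 | low    | 2025-09-30T22:00:00 | 2025-10-01T07:30:00",
]
NOW = datetime.fromisoformat("2025-10-01T10:00:00")

if __name__ == "__main__":
    report = evaluate(SAMPLE_ALERTS, NOW)
    for row in report["rows"]:
        print(row)
    print("within threshold:", report["within_threshold_pct"], "%")
```

The open alert A-1002 is measured against the current time rather than being skipped, so an unacknowledged high-severity alert becomes a breach the moment the threshold passes; that is the metric a regulator will ask about after the fact, and it only exists if the acknowledgement timestamps are recorded in the first place.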

How TrendTec Helps Organizations Stay Audit-Ready


At TrendTec, we combine data protection, IT security, and ERP process architecture into one auditable framework.


Our Odoo-based solutions include:

  • GoBD & GDPR audit modules for Odoo (v18/v19)
  • ISO-compliant document management (DMS) based on ISO 15489 & DIN EN 82045
  • Incident response workflows with built-in audit trails and time-based KPIs
  • Automated privilege and risk analytics dashboards


The result: 

Compliance by design — measurable, reviewable, and certifiable.


Conclusion


The Capita fine is not a British anomaly — it is a European case study. 

It demonstrates that in 2025 and beyond, technical design equals compliance.


Those who continue to rely on outdated systems and contracts are accumulating hidden liabilities — both technical and legal. 

Because in compliance, as in finance:


Interest always comes due.


About the Author


Oliver Kölsch is Data Protection Officer, Compliance Lead, and Managing Director of TrendTec UG (haftungsbeschränkt).

He advises organizations on integrating compliance and security frameworks into Odoo-based architectures, with a focus on GDPR, GoBD, ISO 15489/16175, and IT security governance.
