Following the Information Commissioner's Office's (ICO) stated intention to issue the first fine to a processor for breach of its obligations under data protection law, processors will look to shift how they document their own compliance, including due diligence when appointing sub-processors in their supply chain. It will also result in many processors likely adopting a more robust position in contracts with controllers when negotiating liability caps for data breaches. Although the final penalty or enforcement notice has not been issued yet, the provisional decision has undoubtedly created a renewed focus and raised potential concerns for processors, reminding them of the importance of things like multi factor authentication. In the event that further fines are levied against processors in the coming year, the rationale behind these regulatory decisions will be awaited with great interest. Any fines issued to private sector or public sector controllers will provide additional understanding on whether the ICO will look to take a harsher line on processors who deliver software and services to the public sector only, or whether the ICO is adopting a wider remit of targeting processors across all sectors.