News

  1. Marriott Hotel: Data Breach

    Posted Tue 17th Nov 2020

    Marriott International has been fined a total of £18.4 million (a reduction from the original £99 million) for its negligence in safeguarding the customer personal data for which it is responsible. This breach is interesting because it initially occurred in 2014 (before the GDPR came into effect) and under a different business group, 'Starwood Hotels Group', which was acquired by Marriott after the breach occurred.

  2. Now Departing: £20m from British Airways

    Posted Tue 27th Oct 2020

    British Airways has been fined the “biggest to date” sum of £20 million by the Information Commissioner’s Office (ICO) for failing to protect the personal data of data subjects, which resulted in a security breach.

  3. Court Decision on European Mass Surveillance and the Consequences for Brexit

    Posted Mon 19th Oct 2020

    As members of the European Union, member states are obliged to abide by some of the strictest privacy laws in the world. Today, UK, French and Belgian national governments all use some form of mass surveillance. In recent years, privacy groups have taken claims to EU courts arguing that this surveillance is illegal. The national governments disagree. The CJEU refuted the claims that mass surveillance is outside its jurisdiction and issued a ruling on the 6th October 2020.

  4. Data Protection Guidance for Test and Trace Schemes

    Posted Thu 8th Oct 2020

    Since the easing of lockdown, many organisations have implemented new measures so that they can re-open safely to the public. For most businesses, this included collecting customers’ and visitors’ personal information to support the UK Government’s approved contact tracing scheme. There have been criticisms of the Government’s advice due to the lack of a Data Protection Impact Assessment.

  5. India’s First Major Personal Data Protection Bill

    Posted Mon 14th Sep 2020

    India is drafting its first bill that aims to protect the personal data of its citizens. This article goes over the key differences between the GDPR and the new Indian Personal Data Protection Bill (PDPB) and discusses some controversies surrounding it.

  6. A Timeline of US Mass Surveillance, International Privacy Agreements, and a Disgruntled Austrian

    Posted Mon 27th Jul 2020

    On the 16th July 2020, the CJEU came to a decision on the Schrems II case. The decision invalidated a major EU-US privacy agreement that previously allowed personal data to flow freely between the EU and the US. This court case is the latest chapter in an ongoing saga of privacy activists, commercial selling of ‘big data’ and revelations made by whistleblower Edward Snowden. This article gives a brief timeline of the events leading up to this case.

  7. Is your use of website cookies currently lawful?

    Posted Mon 29th Jun 2020

    If you have not reviewed your cookie policy since October of 2019, it may not be. Many large corporations appear to be ignorant of a ruling (case C-673/17 - Planet49) that was made by the Court of Justice of the European Union (CJEU). The ruling clarifies how cookies should be managed and the subsequent impact on cookie statements. Indeed, many corporations appear to be breaking the law, even 7 months after the ruling.

  8. Covid-19 Contact Tracing Apps, a Centralised vs. Decentralised Approach

    Posted Mon 8th Jun 2020

    Contact tracing is currently successfully employed in the UK to prevent the spread of sexually transmitted diseases. It is hoped that the development of an NHS app can prevent the spread of Covid-19. Unfortunately, there have been significant concerns over user privacy. There has been debate and even controversy on the centralised vs. decentralised approach.

  9. GDPR individual rights – Is the cost to business just about to explode?

    Posted Tue 2nd Jun 2020

    The UK government’s job retention scheme has protected 7.5 million workers and almost 1 million businesses. From the start of August 2020, employers will be asked to pay a percentage towards the salaries of their furloughed staff. Will businesses be able to re-employ all their furloughed workers or will we see a significant number of them being made redundant?

  10. Privacy Notices: Upstream and Downstream Processes

    Posted Fri 29th May 2020

    GDPR demands that, before personal data is requested from a data subject, a Privacy Notice must be presented to the data subject or consent gained, depending on the situation. We recommend that each Business Process Owner should consider whether their process needs to present a Privacy Notice or not.

  11. Accountabilities & Responsibilities

    Posted Thu 21st May 2020

    All organisations have a duty, via their DPO or Privacy Manager, to ensure that all folk within their organisation are aware of their accountabilities and responsibilities.

  12. Have I been Pwnd? A Database of Data Breaches

    Posted Tue 5th May 2020

    The GDPR was introduced to provide EU citizens with greater protections and control over their personal data. It achieved this by introducing new rights for individuals and by imposing stricter data protection requirements on organisations. But what happens if your personal data was part of a data breach before the GDPR was introduced?

  13. Data Sharing Agreements: What is the Best Practice?

    Posted Wed 11th Mar 2020

    The ICO states that ‘…whenever a controller uses a processor, there must be a written contract (or other legal act) in place...’ The GDPR sets out what needs to be included in the contract. But what happens if you are a controller sharing data with another controller? You need a Data Sharing Agreement.

  14. Are Privacy Notices Just about GDPR?

    Posted Tue 18th Feb 2020

    Every company has been focused on ensuring their privacy notices are compliant with GDPR; however, there could be a blind spot. The GDPR may be the strongest privacy regulation in the world, but it isn’t the only one. For example, when your website uses cookies, your organisation must ensure that the Privacy and Electronic Communications Regulations (PECR) are also followed.

  15. External Assessments

    Posted Wed 12th Feb 2020

    Why do we need an external assessment if we do our own internal audits? It's a common question. It is understandable that audits are seen as expensive, time-consuming and invasive. GDPR is a legal requirement that must be fulfilled, and it does have indirect benefits. Clearly, though, time spent on GDPR is not time spent on other activities that add business value. So the focus on external assessment or audit is put to one side.