Blog

Making the headlines for data mishandling this week is Bounty UK, a pregnancy club who has been given a £400,000 fine for illegally sharing the personal information of more than 14 million people. Being called an “unprecedented” case by the Information Commissioner’s Office (ICO) who issued the fine, they discovered that Bounty had compiled personal data without telling users that it was being shared with 39 other organisations. How did Bounty UK break the 1998 Data Protection Act? The Bounty pregnancy and parenting club offers free samples to its users, as well as vouchers and guides to prospective and new …

Amazon’s Alexa is passing back gigabytes of users’ data to big businesses and, for the first time in a long time, users are more aware of it. The rise of privacy invasion Privacy invasions have made very popular news stories as of late, with huge companies such as Amazon, Google and Facebook harvesting profits with their users’ data. Whether it’s hidden microphones in devices (Google’s Nest Guard), unauthorised access to private messages (Facebook Messenger) or security apps that are siphoning off data (Onavo), news of these intrusions quickly make headlines and infuriate users. Big data is big business and that …

Don’t assume cookie walls always comply with GDPR. You’ve seen the cookie walls a lot recently, right? They are those pop ups that demand you agree to having your internet browsing tracked whilst on a website. The site needs your approval so that it can track your use and then potentially deliver targeted adverts to you whilst you browse the internet later that day or week. However, according to the Dutch Data Protection Agency (DPA), many of these cookie walls are not compliant with European Data Protection Law. The DPA has received dozens of complaints from internet users who have …

Understandably, thousands of UK businesses who use US companies to process personal data have been worried about the recent report on the EU-US Privacy Shield.   Well, it’s good news for these UK businesses, because the report found that data protection standards of companies across the pond are in fact up to scratch. Better yet, the steps recently taken by U.S. authorities have improved the functioning of the framework.   What is the EU-US Privacy Shield?  For those that don’t know, the EU-US Privacy Shield is a legal framework which ensures that the protection of data (processed by US companies for EU businesses) is provided with adequate …

Leave.EU and the Arron Banks insurance firm have been fined £120,000 for data breaches that happened during the EU referendum.   The information commissioner has officially launched an audit into Leave.EU which is owned by the campaign’s key financial backer, Arron Banks. His two organisations, Leave.EU and his insurance company, were fined for data protection violations during the EU referendum campaign.   What happened in the breach?   Leave.EU was fined £15,000 for using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages, and then a further £45,000 for its part in sending an Eldon marketing campaign to political subscribers.  1 …

Earlier this month, France’s Supervisory Authority (CNIL) fined Google €50 million (around £44 million) for a breach of the EU’s data protection rules.  The case arose from complaints filed by the CNIL very soon after the 25th of May 2018 by two consumer associations against Google for “not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes“.  The CNIL claimed that Google breached the GDPR when new Android users set up a new phone and during Android’s onboarding process as they made it difficult for consumers to access the data collection policies and failed …

There is currently no easy tick-box solution for measuring GDPR compliance, but there are ways that you can demonstrate your compliance, should the ICO come knocking.  You need to put the work in now, this is an on-going commitment. We were told originally that a certification scheme (which would have given people a vehicle for demonstrating compliance) would be in place before the GDPR came into effect in May 2018.  This did not transpire, however, and it seems that the ICO currently have no plans to accredit certification bodies or carry out certification at this time. So the onus is …

As the year end approaches and we reflect back on a very hectic time prior to the introduction of the GDPR in May, we are still waiting for the final draft of the new ePrivacy Regulation which like the existing ePrivacy Directive covers: Marketing telephone calls, emails, texts and faxes Cookies Keeping communications secure Customer privacy (for example location data, itemised billing etc). The ePrivacy Regulation sits alongside the GDPR and in the UK, the Data Protection Act, but it is not yet fully clear how this will be amended in line with the GDPR (we expect to know how …

The 2018 Data Protection Act (DPA) has not given the ICO the power to imprison people who breach it.  The strongest penalties they can issue according to the DPA are fines, albeit very heavy ones. However, last month the ICO used their powers in conjunction with the Computer Misuse Act (CMA), which resulted in a 6 month jail term for the offender. The prosecuted person accessed and used (for personal gain) thousands of personal records without permission. Usually this would have been prosecuted under the Data Protection Act, but in the first case of its kind, it seems that the …

If you are in a regulated industry, even if you don’t ever breach the GDPR/DPA2018, there are additional regulations that could result in a breach and a fine. Tesco has just received a fine from the Financial Conduct Authority (FCA) for a data breach that happened in 2016. What happened to Tesco? In November 2016, Tesco Bank was the subject of a Cyber Attack where attackers used an algorithm to generate authentic Tesco Bank debit card numbers. Using these “virtual cards”, the attackers engaged in thousands of unauthorised debit card transactions, collecting over £2.26 million from real account holders. It …