In this edition of our data protection bulletin we focus on some of the latest data protection developments in the UK as well as how to protect against and deal with personal data breaches.
Thank you to all those who attended our recent data protection webinar on data breaches. If you were unable to join the live webinar, you can watch the recording here.
In the webinar, partners David Varney and Tom Llewellyn cover:
- Identifying and investigating data breaches.
- Reporting and notification obligations.
- Rectifying and mitigating the effect of data breaches.
- Cyber insurance considerations.
Businesses handling significant or sensitive personal data are especially vulnerable to cyber security breaches. In this article we highlight recent cyber security trends, advise on the key steps businesses can take to enhance their cyber resilience and point out the legal considerations following a data breach.
In this article we discuss the recent request from the UK government to access end-to-end encrypted data from Apple. We look at what this means for users and the implications for the future of data security.
The ICO’s consultation on its updated guidance on storage and access technologies, which is set to replace its former guidance on cookies and similar technologies, closes on 14 March. While the fundamentals (PECR and UK GDPR compliance, valid consent) remain the same, we explore the key changes.
The Data (Use and Access) Bill has now completed its passage through the House of Lords, reflecting the government’s renewed focus on harnessing the economic power of data.
An ICO reprimand was issued to Bonne Terre Limited, trading as Sky Betting and Gaming, due to the unlawful processing of personal data through advertising cookies between January and March 2023. Throughout this time the company transferred personal data to third parties without first getting the informed consent of its web visitors. Whilst its website had a cookies banner with the ability to accept/reject cookies, the ICO found that cookies were deployed before the visitor had made their decision. Read the details here.
The Police Service of Northern Ireland was fined £750,000 by the ICO for a serious data breach under the UK GDPR, involving the accidental disclosure of personal data of 9,483 officers and staff on a public website. The August 2023 breach resulted from inadequate security measures in handling workforce data in response to a Freedom of Information request, exposing officers to potential threats. Read more here.
A reprimand was issued to the Labour Party relating to its failure to respond to subject access requests in a timely manner, linked to a backlog that arose after a 2021 cyber-attack. 78% of SARs had not received a response within the maximum compulsory time limit of three months, and over half (56%) were significantly delayed by over one year. The reprimand suggested increased staffing to comply with legal requirements. Read in full here.
Levales Solicitors were hacked, with their cloud-based server being accessed using legitimate credentials and the data held on it being published on the dark web. This affected 8,234 UK individuals, of whom 863 were deemed at high risk because of the nature of the data involved. The ICO investigated and found the firm were not implementing effective organisational measures. Read more here.
An ICO enforcement notice was issued to Dorset County Hospital NHS Trust over poor response times to Freedom of Information requests. In the last year, the Trust had a compliance rate of 15% for answering requests within 20 working days. It also had a significant backlog of older requests. The Enforcement Notice required the Trust to provide responses to all requests that were more than 20 working days old within seven weeks. Read the full story here.
We are expecting to see a continued increase in cyber-security attacks and threat actors seeking to exploit system vulnerabilities. This highlights the importance of ensuring robust cybersecurity measures are in place and that incident response plans are implemented ahead of time.
AI is going to keep moving up the agenda for a lot of organisations. The ICO is focussed on helping organisations adopt new technologies to support the UK government’s pro-innovation approach to AI, whilst ensuring that personal data is protected. It has committed to ensuring that its AI guidance is user friendly, reduces the burden of compliance for organisations and reflects upcoming changes in relation to AI regulation and data protection.