Since Plato, philosophers have invested countless hours and words on the investigation of ethics. What makes something right or wrong? What do we mean by acting morally or immorally – or indeed amorally. Are good and bad fixed and objective facts, or just opinions relative to your culture, your religion, your circumstances, your place in … Continue reading Deus ex machina
Only yesterday we saw the first proper fine of the post-GDPR era. A mere £183m. Today we hear that the ICO also intends to fine Marriott hotels just under £100m. More than a quarter of a billion pounds in 48 hours. For context, in the whole of last year the total fines for data protection … Continue reading Ten steps to avoid losing £283m
Anyone who cares about privacy has been waiting for the signal to start taking the new Data Protection Act seriously. Frankly, after the big rush to get "GDPR-ready" by May of last year, most organisations seem to have returned privacy to the too-hard pile. Very few have done anything to embed privacy as a living … Continue reading It’s time to get ethical
The ICO has fined a pensions advisor £40k for sending nearly 2m spam emails. So far, so nobody-cares-about-PECR[i]. In fact the fine is pretty low for an infringement of this size. Why? Because the Grove Pension Solutions checked their proposed marketing scheme with a “recognised specialist data protection consultancy” and an “independent data protection solicitor” … Continue reading Bought-in lists are dead
Bit of a technical one for the privacy nerds here. There's an interesting update from the ECJ: The Advocate General proposes to rule that under the Data-Protection-Directive the operator of a website who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user’s … Continue reading Who’s in control? (wonkish)
This is more of a reminder than anything else. I've already blogged about the risks of a hard Brexit from a data protection compliance perspective, and we've featured it in our October newsletter at Securys. But now the ICO has also said similar things, and the government is moving to "full hard-Brexit preparation". So it's … Continue reading Hard Brexit preparation
A number of major breaches have hit the news recently - including the 500-million-data-record Marriott Hotels breach, and the Sotheby's Home Magecart hack. I'll probably go on about over-retention of ID data in another post, but right now I was wondering... Is it attractive for hacked organisations to exaggerate how long a "just-discovered" breach has … Continue reading A quick thought on moral hazard
We were worried this was going to happen. So much so that we flagged it in our October newsletter. This is section 25 of the European Commission's current draft contingency plan for a no-deal Brexit: Personal data25 In the case of a no deal scenario, as of the withdrawal date, the transfer of personal data … Continue reading Well, there you go. We’re inadequate.
UKDPA 2018 says: 171 Re-identification of de-identified personal data (1) It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. (2) For the purposes of this section and section 172— (a) personal data is “de-identified” … Continue reading Advertising cookies and the law
That's how much companies in the UK have been fined over the past 12 months for data breaches and contraventions of data protection law. Sounds like a lot - or maybe it doesn't, given how frequently data breaches are in the news. There's a reason for that. Of the £21.5m, 76% is one fine. Not … Continue reading £21,474,000.00
A bigger picture 