Data protection

Snapshot

ICO guidance on contracts and liabilities between controllers and processors

08 April 2019

What are the contractual liabilities and requirements of a data processor and a data controller under the GDPR?

Read more
Snapshot

ICO guidance on encryption and use of passwords in online services

08 April 2019

How can data controllers and processers improve their security measures?

Read more
Snapshot

ICO updates its guidance on data protection impact assessments

08 April 2019

When should a data controller conduct a Data Protection Impact Assessment (DPIA)?

Read more
Snapshot

Video recordings and the journalistic exemption

08 April 2019

Does making a video recording on a digital camera constitute the processing of personal data? Can individuals benefit from the “journalistic exemption”?

Read more
Snapshot

Does a Facebook Like button on your website make you a data controller?

08 April 2019

If the operator of a website embeds a third party plugin (such as the Facebook Like button), does this make it a joint data controller with Facebook?

Read more
Snapshot

European Data Protection Board launches consultation on the territorial scope of the GDPR

08 April 2019

When will processing by a data controller or data processor fall within the territorial remit of the GDPR?

Read more
Snapshot

Bupa fined for systemic data protection failures

20 December 2018

What if an employee goes rogue with your personal data? Will you be able to show effective oversight measures including monitoring of employee access to databases?

Read more
Snapshot

Equifax fined £500,000 for data breach of 15m UK customers

20 December 2018

Had Equifax taken adequate and effective measures to protect customer data?

Read more
Snapshot

Facebook ordered to reveal who requested deletion of deceased’s profile – Sabados v Facebook Ireland

20 December 2018

Where a social media company has completed a request from an unknown person to delete a deceased’s profile and refused to tell the deceased’s partner, can a Norwich Pharmacal order be used to disclose the identity?

Read more
Snapshot

"Google You Owe Us” class action blocked – Richard Lloyd v Google LLC

20 December 2018

Do you need to show relevant damage for a claim under the Data Protection Act 1998 (DPA)? Can a class action succeed if the members of the class cannot be readily ascertained or be said to share the same interest? Put another way, what are the restrictions on bringing an action for damages under the DPA?

Read more
Snapshot

ICO Calls for views on GDPR update to Direct Marketing Guide

20 December 2018

What should we expect from the ICO’s updated Direct Marketing Guide?

Read more
Snapshot

Ireland’s Data Protection Commission launches investigation into Facebook’s data breach

20 December 2018

On 28 September, Facebook disclosed that hackers had stolen keys that allowed them to access up to 50m user accounts with the potential for a further 40m which may have been compromised. The hack allowed the hackers to use the accounts as their own, reading and writing private messages and posts.

Read more
Snapshot

Various Claimants v WM Morrisons Supermarket PLC

20 December 2018

Can a business be held vicariously liable for the actions of an employee who deliberately breaches its data protection policies and data protection law?

Read more
Snapshot

Six month imprisonment in first ICO computer misuse act prosecution

20 December 2018

Is the Information Commissioner’s Office (ICO) extending the scope and severity of its enforcement powers?

Read more
Snapshot

What if there’s no Brexit deal?

20 December 2018

Where does a no deal scenario leave our obligations under EU data protection principles?

Read more
Snapshot

Media reporting restricted after Sir Cliff Richard decision

24 September 2018

In what instances can journalists name the suspect of a police investigation? Do such suspects have a "reasonable expectation of privacy"?

Read more
Snapshot

European Parliament calls for suspension of Privacy Shield

24 September 2018

Is the EU-US Privacy Shield in danger?

Read more
Snapshot

Yahoo! fined for failure to implement intra-group processing agreement

24 September 2018

With the arrival of the GDPR, the focus on third party data processing agreements and ensuring they have the relevant controls in place has never been more intense. But how much do businesses need to focus on their intra-group processing agreements?

Read more
Snapshot

UK's data retention powers incompatible with EU Law

09 August 2018

Are the UK security services' data retention powers compatible with the new privacy regime under EU Law?

Read more
Snapshot

Administrator of Facebook fan page held to be data controller

09 August 2018

Is the administrator of a fan page on Facebook a "controller" for the purposes of the Data Protection Directive (95/46/EC) (DPD)?

Read more
Snapshot

ICO draft guidance: legitimate interests as a lawful basis for processing

09 August 2018

The GDPR significantly alters the balance of obligations, responsibilities and liabilities for controllers and processors of data. It mandates that a processor must have a lawful basis for the processing of data. However There are some impactful changes, particularly when looking to rely on legitimate interests as the lawful basis upon which a processor intends to process data.

Read more
Snapshot

ICO draft guidance: Data Protection Impact Assessments

09 August 2018

When and how should a data controller conduct a Data Protection Impact Assessment (DPIA) under the GDPR?

Read more
Snapshot

Fine for theft of employer’s personal data

09 August 2018

Can departing employees be fined for stealing their employer's personal data? Even if the theft is relatively "minor"?

Read more
Snapshot

The new data protection fee

09 August 2018

From 25 May 2018, as part of the revamp by the General Data Protection Regulation (GDPR), the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force. Amongst other things, these regulations change the way the ICO fund their data protection work.

Read more
Snapshot

ICO guidance: “consent is not the silver bullet for GDPR compliance”

09 August 2018

The ICO reiterated that organisations do not necessarily need to obtain fresh consent from all of their customers in order to comply with GDPR.

Read more
Snapshot

WP29 revised guidelines: personal data breach notification

09 August 2018

When should a data controller or processor notify a personal data breach?

Read more
Snapshot

Article 29 Working Party publishes guidelines on data breach notifications under the GDPR

11 April 2018

What data notification procedures should data controllers and processors have in place by 25 May 2018?

Read more
Snapshot

Article 29 Working Party adopts guidelines on Data Protection Impact Assessments

11 April 2018

When should a data controller conduct a Data Protection Impact Assessment (DPIA)?

Read more
Snapshot

Article 29 Working Party publishes guidelines on consent under the GDPR

11 April 2018

What exactly are the higher standards of consent under the GDPR?

Read more
Snapshot

Article 29 Working Party publishes draft guidelines on transparency under the GDPR

11 April 2018

In accordance with the GDPR's new obligation of transparency, what do the WP29 draft guidelines suggest you put in your organisation's privacy policy and other privacy notices?

Read more
Snapshot

Court of Appeal declares the Data Retention and Investigatory Powers Act 2014 unlawful

11 April 2018

Is section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) inconsistent with EU law?

Read more
Snapshot

ICO fines Carphone Warehouse £400,000 following systemic data failures

11 April 2018

Need an example of how not to protect your customers' and employees' data? Then, read on!

Read more
Snapshot

ICO publishes draft guidance on children and the GDPR

11 April 2018

What extra requirements must be met when processing the personal data of a child under the GDPR?

Read more
Snapshot

Vicarious liability for deliberate data breaches

11 April 2018

Can a business be held vicariously liable for the actions of an employee who deliberately breaches its employer's data protection policies and data protection law?

Read more
Snapshot

Updates to the draft ePrivacy Regulation

18 December 2017

On 19 October 2017, the European Parliament approved a revised draft of the ePrivacy Regulation. Though still subject to negotiation, it introduces a number of important changes, and deserves careful study by every online communications business.

Read more
Snapshot

Are Model Contract Clauses (or “Standard Contract Clauses” – SSCs) valid under EU data protection law?

18 December 2017

Irish High Court asks CJEU to rule on validity of Model Contract Clauses (Schrems II)

Read more
Snapshot

ICO issues TalkTalk monetary penalty notice for £100,000

18 December 2017

On 7 August 2017, the Information Commissioner’s Office fined TalkTalk £100,000 after an investigation found that it had failed to take adequate security measures to protect customer data from unauthorised access via web-based portal.

Read more
Snapshot

ICO issues draft guidance on contracts between data controllers and data processors

18 December 2017

What must be included within a contract between a data controller and a data processor to ensure compliance with the General Data Protection Regulation (GDPR)?

Read more
Snapshot

How will GDPR affect the world of internet policy and systems of domain name registration?

18 December 2017

Data protection - ICANN/WHOIS and the GDPR

Read more
Snapshot

No ICO notifications but fees continue under GDPR

18 December 2017

The Information Commissioner’s Office (ICO) has provided guidance as to how its notificationand fee regime will change when the General Data Protection Regulation (GDPR) comes into force in May 2018.

Read more
Snapshot

ICO issues fines for emails asking customers to change marketing preferences

25 September 2017

The ICO has fined Moneysupermarket.com and Morrisons Supermarket a total of £90,500 for emails sent to customers who had previously opted out of marketing messages.

Read more
Snapshot

ICO fines Boomerang Video Ltd for failure to prevent cyber attack

25 September 2017

On 27 June 2017, the Information Commissioner's Office (ICO) fined Boomerang Video Ltd (Boomerang) £60,000 after an investigation found that the SME had failed to take basic steps to stop its website being attacked.

Read more
Snapshot

ICO publishes updated Subject Access Code of Practice

25 September 2017

How should data controllers respond to subject access requests (SARs)?

Read more
Snapshot

Data Protection Working Party adopts Opinion 2/2017 on data processing at work

25 September 2017

How do new technologies affect the balance between employers and employees in the debate over legitimate data monitoring interests vs the privacy expectations of individuals?

Read more
Snapshot

Government publishes the Data Protection Bill

25 September 2017

The UK government published the Data Protection Bill (Bill) on 14 September 2017. The Bill will replace the Data Protection Act 1998 (DPA) and transfer the General Data Protection Regulation (GDPR) into domestic law (with a few derogations, as discussed below). Post-Brexit, the Bill will continue to regulate data protection in the UK.

Read more
Snapshot

ICO revised code of practice for dealing with subject access requests

12 June 2017

The ICO has recently published a revised Code of Practice on subject access requests (SARs).

Read more
Snapshot

ICO guidance on consent under the GDPR – the latest

12 June 2017

The Information Commissioner’s Offce (ICO) ran a consultation on the draft guidance on consent under the General Data Protection Regulation (GDPR) this springtime.

Read more
Snapshot

The march of the SARs: Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74; and Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University [2017] EWCA Civ 121

12 June 2017

When can legal professional privilege (LPP) be used to block a subject access request (SAR)? And when can the “disproportionate effort” exemption be used to block a SAR?

Read more
Snapshot

ICO issues fines for emails seeking consent to marketing

Published on 12 June 2017. By Adam Forster, Senior Associate

The ICO has fined Flybe and Honda a total of £83,000 for emails sent to customers to obtain consent to future marketing messages.

Read more
Snapshot

RSA: ICO issues £150,000 fine

20 March 2017

The ICO has fined Royal & Sun Alliance (RSA) £150,000 for losing the personal information of nearly 60,000 customers.

Read more