Is Data Still ‘Personal’ if the Recipient Cannot Identify the Data Subject? 

Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018, when the old Data Protection Act 1998 (DPA 1998) was in force. As such, the judgment is persuasive rather than binding on UK courts deciding issues under the current law, namely the UK GDPR and the Data Protection Act 2018. 

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine-month period, attackers deployed malware to scrape transaction-level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected, though the majority of the data consisted only of 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders. 

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First-tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.  

The Upper Tribunal (UT), in setting aside the FTT’s decision, held that the data security principle under the DPA 1998 applies only to ‘personal data’, i.e. information about living, identifiable individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.  

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller, regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person. 

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading: there would be no obligation for the Data Controller to protect data where a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could re-identify individuals via ‘jigsaw’ techniques. 

The case will now return to the FTT to apply the Court of Appeal’s interpretation of the law to the facts of the DSG cyberattack. 

Listen to the Guardians of Data Podcast for the latest news and views on data protection, cyber security, AI and freedom of information.  

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update workshop.

Prince Andrew: The Data Protection Angle 

Over the weekend, the Mail on Sunday piled more pressure on Prince Andrew.  

It alleged that he asked his police protection officer to investigate his accuser, Virginia Giuffre, just before the newspaper published a photo of Ms Giuffre’s first meeting with the prince in February 2011. The Mail alleges that Prince Andrew gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he “sought to dig up dirt” on Ms Giuffre. 

Ms Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Prince Andrew has consistently denied all allegations against him. 

The Metropolitan Police said on Sunday, “We are aware of media reporting and are actively looking into the claims made.” Of course we don’t have detailed information about the circumstances around the latest allegations against Prince Andrew, but (if true) there is a possible breach of Section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly:  

(a) obtain or disclose personal data without the consent of the controller,  

(b) procure the disclosure of personal data to another person without the consent of the controller, or  

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

So if the latest allegations are true, Prince Andrew and/or his police protection officer at the time could have committed a criminal offence under the DPA 2018. Unlike the other allegations against him, this offence does not carry a prison term, just a fine. Successive Information Commissioners have argued that a custodial sentence under S.170 would be a better deterrent (but to no avail).  

Will the Information Commissioner’s Office be knocking on Prince Andrew’s door? In June 2023, the ICO disclosed that, since 1st June 2018, 92 cases involving S.170 offences had been investigated by its Criminal Investigations Team. There have been a number of more recent S.170 prosecutions. These often involve people accessing or disclosing confidential information for financial gain.  

Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990, which carries tougher sentences, including a maximum of 2 years’ imprisonment on indictment. In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners, and in August 2022 the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.  

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.

The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025. 

When Ignoring a GDPR Subject Access Request Becomes a Crime 

In March 2025, the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. This is the ICO’s usual practice when it comes to complaints about SARs. However, recently it went a step further and issued criminal proceedings against a company director. 

Section 173 of the Data Protection Act 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” Both the Data Controller and “a person who is employed by the controller, an officer of the controller or subject to the direction of the controller” can be prosecuted. 

On 3rd September 2025, the director of a care home in Bridlington was found guilty of an offence under S.173.  Jason Blake, 56, was found to have blocked, erased, or concealed records held by Bridlington Lodge Care Home between 12th April and 12th May 2023 to prevent information being disclosed.     

The background to the case is as follows: In April 2023, a woman requested personal data about her father from Bridlington Lodge Care Home.  She had the authority to do so due to a lasting power of attorney. The personal data requested included incident reports, copies of CCTV footage and notes relating to her father’s care.   

After Mr Blake refused to respond to the request, a complaint was made to the ICO. During the investigation, Mr Blake did not provide any explanation about why his organisation would not respond to the SAR. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

This prosecution, possibly the first of its kind, is a warning to employees and directors of Data Controllers to ensure that they have systems in place to respond to SARs in a timely manner. Failure to do so could lead to personal liability and a criminal record.  

There is potentially more subject access court drama to come. In March the campaign group Good Law Project (GLP) “filed a trailblazing new group action” against Nigel Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of subject access requests and is seeking damages on behalf of the data subjects. This is the first case in the UK under Article 80(1) of the UK GDPR, which allows data subjects to mandate a body or organisation to act on their behalf to lodge complaints, exercise data protection rights, and seek compensation for infringements of their data protection rights. 

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Retail Under Siege Through AI Enabled Cyber Attacks 

The UK retail sector has come under siege in 2025, with an unprecedented wave of cyber attacks. After the Ticketmaster breach in 2024, where millions of users were affected, one would assume retailers had taken note. However, from Marks & Spencer to Louis Vuitton, companies large and small are grappling with relentless, tech-enhanced intrusions that threaten customer trust and digital resilience. It’s almost a daily occurrence these days to receive an email from a company apologising for a data breach. No retailer seems to be safe, regardless of its size or stature. Sometimes it is a retailer that you may not have even shopped with for a number of years, at which point I’m sure you must be thinking, ‘What’s their data retention policy?’ 
 
Below we take a look at some of the major breaches and attacks of 2025 and what you can do to protect your information online. 

High-Profile Retail Cyberattacks of 2025 

Here’s a snapshot of the most disruptive recent cyber incidents: 

| Company | Date | Attack Type | Impact & Highlights |
| --- | --- | --- | --- |
| Louis Vuitton UK | July 2025 | Data breach | Customer contact details & purchase history stolen; phishing scams followed |
| Marks & Spencer | April 2025 | Ransomware | £3.8M/day in lost revenue; £700M market value wiped; credential theft via vendor |
| Harrods | May 2025 | Attempted breach | Real-time containment; no confirmed data loss but serious operational disruption |
| Co-op UK | May 2025 | Ransomware | Customer data compromised; back-office systems disabled |
| Peter Green Chilled | May 2025 | Ransomware | Disrupted cold-chain deliveries to Tesco, Aldi, Waitrose |
| Victoria’s Secret | Spring 2025 | Web attack | E-commerce platform outage during peak shopping period |

These incidents underscore one clear truth: cybercrime is evolving, and no retailer, no matter its size or prestige, is immune. What is worrying is that companies with seemingly infinite resources are still extremely vulnerable. 

The Role of AI  

In many of these data breaches, AI was used by hackers to accelerate and deepen the damage. Their tactics included: 

  • Hyper-Personalised Phishing: AI-generated messages mimicked trusted communications, referencing recent purchases to trick recipients. Louis Vuitton customers received convincing fake discount offers. 
  • Credential Cracking and MFA Bypass: AI automated brute-force login attacks, while adversary-in-the-middle techniques stole session tokens to sidestep multi-factor authentication. 
  • Network Reconnaissance: Malicious bots used AI to scan retail systems, identify vulnerabilities, and map out supply chains for deeper impact. 
  • Autonomous Ransomware: Sophisticated strains like DragonForce adapted in real time to avoid detection and self-propagate through connected systems. 
  • Voice Phishing (Vishing): AI-generated voices impersonated IT staff to deceive employees into disclosing access credentials; a tactic especially potent in luxury retail. 

AI has supercharged cybercrime, making attacks faster, more targeted, and far harder to detect. With the emergence of ransomware as a service (RaaS) and data leak sites (DLS), there is now a marketplace for our data that is much more accessible. 

How Consumers Can Protect Their Data 

While companies bear the financial burden of breaches, consumers often suffer the most, through stolen data, financial fraud, and disrupted services. Lessons for consumers include: 

  • Even luxury brands are vulnerable – don’t assume prestige equals protection. 
  • Cyberattacks are increasingly tailored based on what you buy, how often you shop, and where you live. 
  • Supply chains and vendor access are weak points; your data might be exposed even if the retailer itself isn’t directly breached. 

Whether you shop in-store or online, these simple steps can dramatically improve the security of your personal data: 

Digital Defence 

  • Use Strong, Unique Passwords: A password manager can help you avoid reuse and weak combinations. 
  • Enable Multi-Factor Authentication: Critical for accounts tied to payments or personal information. 
  • Monitor Your Financial Activity: Check bank statements and credit reports for irregularities. Set up alerts where possible. 
  • Be Phishing-Aware: Always verify communications by visiting the retailer’s official website. Don’t click suspicious links or download unexpected attachments. 
  • Don’t Save Your Payment Data: Wherever you can avoid saving your payment or address details with an online retailer, do so.  

Data Discipline 

  • Limit the Personal Data You Share: Don’t offer extra details to loyalty schemes or retailers unless absolutely necessary. 
  • Freeze Your Credit (If Breached): Prevent identity thieves from opening new accounts using your stolen details. 

Payment Hygiene 

  • Use Credit Cards Online: They offer better fraud protection and don’t expose your actual bank balance. In addition, you have certain buyer protections when buying on a credit card.
  • Avoid Public Wi-Fi for Shopping: Use a VPN or shop from secure, private networks. 

The digital age has made shopping easier, but also riskier. Cybersecurity now requires a partnership between retailers and consumers. Companies must implement zero-trust architectures, AI-powered threat detection and employee cyber-awareness training. Meanwhile, consumers should stay informed, cautious, and quick to respond when their personal data is at risk. 

According to Stanford University’s recent study, human error accounted for 88% of data breaches and a recent Accenture study found that there has been a 97% increase in cyber threats since the start of the Russia/Ukraine war.  
 
We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. 

The MoD Afghan Data Breach: Could the Information Commissioner have done more? 

On Tuesday, the High Court lifted a superinjunction that prevented scrutiny of one of the most serious personal data breaches involving a UK Government department. In February 2022, a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP).  

The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m. Interestingly, the High Court in May 2024 heard it could cost “several billions”. 

Shockingly, people whose details were leaked were only informed on Tuesday. A review of the incident carried out on behalf of the MoD found it was “highly unlikely” an individual would have been targeted solely because of the leaked data, which “may not have spread nearly as widely as initially feared”. On Wednesday though, the Defence Secretary said he was “unable to say for sure” whether anyone had been killed as a result of the data breach. The daughter of an Afghan translator whose details were leaked told the BBC that her whole family “panicked”.  

“No one knows where the data has been sent to – it could be sent to the Taliban, they could have their hands on it,” she said. Her grandmother, who is still in Afghanistan, is “completely vulnerable”, she added. 

This is not the first time the MoD has mishandled Afghan data. In December 2023, it was fined £350,000 for disclosing details of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. The MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.  

ICO’s Response 

Despite the scale and sensitivity of the latest MoD data breach, the Information Commissioner’s Office (ICO) has decided not to take any regulatory action; no, not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”. 

Compare this case to the data breach involving the Police Service of Northern Ireland (PSNI). Last year, the ICO fined the PSNI £750,000 after staff mistakenly divulged the surnames of more than 9,483 PSNI officers and staff, their initials and other data in response to a Freedom of Information (FoI) request. The request, via the WhatDoTheyKnow.com website, had asked the PSNI for a breakdown of all staff ranks and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety. 

In September last year it was announced that a mediation process involving the PSNI is to take place to attempt to agree the amount of damages to be paid to up to 7,000 staff impacted by the data breach. The final bill could be as much as £240m, according to previous reports. Compare that with the impact and cost of the latest MoD data breach. 

Other ICO enforcement actions in the past few years for security failures include: 

  • Cabinet Office (2020): Fined £500,000 for publishing New Year Honours list online. Cause? Spreadsheet error. 
  • HIV Scotland (2021): Fined £10,000 when it sent an email to 105 people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.   
  • Mermaids (2021): Fined £25,000 for failing to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.  

In the MoD case, the ICO claims it considered the “critical need to share data urgently” and the MoD’s “steps to protect those most affected”. But urgency wasn’t the issue; it was negligence. The breach occurred during routine verification, not a crisis. Even more concerning, the ICO’s own guidance states that breaches involving unauthorised disclosure of sensitive data, especially where lives are at risk, should trigger enforcement action. 

This lack of action by the ICO raises serious questions about the ICO’s independence and willingness to challenge government departments. Even if it felt a fine was not appropriate, a report to Parliament (under Section 139(3) of the Data Protection Act 2018) would have highlighted the seriousness of the issues raised and consequently allowed MPs to scrutinise the MoD’s actions.  

This breach is a national scandal; not just for its scale, but for the lack of transparency, accountability, and regulatory action. If the UK is serious about data protection, it must demand more from its regulator. Otherwise, the next breach may be even worse and just as quietly buried. 

Yesterday, the Commons Defence Committee confirmed it would launch its own inquiry, and Dame Chi Onwurah, chair of the Commons Committee for Science Innovation and Technology, said that it is writing to the Information Commissioner pushing for an investigation. Watch this space! 

STOP PRESS: This afternoon the BBC reports that the data breach was much worse than previously thought: it contained personal details of more than 100 British officials, including those whose identities are most closely guarded – special forces and spies. Is an ICO U-turn incoming?


£2.31 Million GDPR Fine for Genetic Testing Company. But will the fine be paid? 

The Information Commissioner’s Office (ICO) has fined a US genetic testing company £2.31 million under the UK GDPR following a 2023 cyber-attack. 

23andMe provides genetic testing for, amongst other things, health purposes and ancestry tracing. In 2023 a hacker carried out a credential stuffing attack on the company’s platform, exploiting reused login credentials that had been stolen in previous, unrelated data breaches. This resulted in unauthorised access to 155,592 UK residents’ personal data, potentially revealing sensitive data such as profile images, race, ethnicity, family trees and health reports. The type and amount of personal data accessed varied depending on the information included in a customer’s account. 

The investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company failed to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information. 

The ICO also found that 23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.  
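The ‘Credential Cracking and MFA Bypass’ tactic in the retail post above and the months of undetected credential stuffing described here come down to the same detection question: how does a login system tell a credential-stuffing run apart from ordinary traffic and from a brute-force attack on one account? The script below is an added example written for this page; it is not code from 23andMe, the ICO or the original posts. The log format, IP addresses, usernames and thresholds are constructed assumptions. It profiles each source address, classifies it by how attempts spread across accounts, and lists the accounts that logged in successfully during a stuffing run, which are the accounts whose reused passwords need a step-up (MFA) or reset.

```python
"""Distinguish credential stuffing from brute force in authentication logs.

Added example for illustration. The log lines, addresses, usernames and
thresholds are constructed; they are not taken from 23andMe or any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: 203.0.113.5 tries ten different accounts once each
# (stuffing, two of the reused passwords work), 198.51.100.7 hammers one
# account (brute force), and the last three lines are ordinary logins.
SAMPLE_LOG = """\
2023-05-02T10:00:01Z src=203.0.113.5 user=alice result=fail
2023-05-02T10:00:02Z src=203.0.113.5 user=bob result=fail
2023-05-02T10:00:02Z src=203.0.113.5 user=carol result=success
2023-05-02T10:00:03Z src=203.0.113.5 user=dave result=fail
2023-05-02T10:00:03Z src=203.0.113.5 user=erin result=fail
2023-05-02T10:00:04Z src=203.0.113.5 user=frank result=fail
2023-05-02T10:00:04Z src=203.0.113.5 user=grace result=success
2023-05-02T10:00:05Z src=203.0.113.5 user=heidi result=fail
2023-05-02T10:00:05Z src=203.0.113.5 user=ivan result=fail
2023-05-02T10:00:06Z src=203.0.113.5 user=judy result=fail
2023-05-02T10:01:00Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:01Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:02Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:03Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:04Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:05Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:06Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:07Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:08Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:01:09Z src=198.51.100.7 user=mallory result=fail
2023-05-02T10:02:00Z src=192.0.2.10 user=alice result=success
2023-05-02T10:02:30Z src=192.0.2.11 user=bob result=fail
2023-05-02T10:02:35Z src=192.0.2.11 user=bob result=success
"""

# Thresholds are assumptions; tune them against your own login volumes.
MIN_ATTEMPTS = 10   # sources with fewer attempts are not classified
SPRAY_RATIO = 0.8   # distinct accounts / attempts; near 1.0 means one try per account


@dataclass
class SourceProfile:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)


@dataclass
class Report:
    verdicts: dict            # source address -> verdict string
    accounts_to_step_up: list # accounts that succeeded inside a stuffing run


def parse_log(text):
    """Parse 'timestamp key=value ...' lines; lines missing a required field are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        event = {"ts": parts[0]}
        for token in parts[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                event[key] = value
        if all(k in event for k in ("src", "user", "result")):
            events.append(event)
    return events


def profile_sources(events):
    """Aggregate attempts, failures and the accounts touched, per source address."""
    profiles = defaultdict(SourceProfile)
    for e in events:
        p = profiles[e["src"]]
        p.attempts += 1
        p.users.add(e["user"])
        if e["result"] == "success":
            p.succeeded_users.add(e["user"])
        else:
            p.failures += 1
    return dict(profiles)


def classify(p):
    """Stuffing spreads one guess over many accounts; brute force piles many guesses on one."""
    if p.attempts < MIN_ATTEMPTS:
        return "normal"
    if len(p.users) / p.attempts >= SPRAY_RATIO:
        return "credential_stuffing"
    if len(p.users) == 1:
        return "brute_force"
    return "suspicious"


def detect(text):
    """Classify every source and collect accounts compromised by a stuffing run."""
    profiles = profile_sources(parse_log(text))
    verdicts = {src: classify(p) for src, p in profiles.items()}
    # A success inside a stuffing run means that account's password was reused
    # from another breach: mandatory MFA would have blocked it, a reset closes it.
    step_up = set()
    for src, p in profiles.items():
        if verdicts[src] == "credential_stuffing":
            step_up |= p.succeeded_users
    return Report(verdicts=verdicts, accounts_to_step_up=sorted(step_up))


if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    for src, verdict in report.verdicts.items():
        print(f"{src:<14} {verdict}")
    print("accounts needing MFA step-up or password reset:", report.accounts_to_step_up)
```

The classifier keys on the shape of the traffic rather than on failure counts alone, because a stuffing run produces only one or two failures per account and slips under per-account lockout rules. Real campaigns are spread across many source addresses, so the same per-source profile should also be computed per network range and globally (site-wide failure rate and distinct-account rate per minute); the per-source view here is the building block, not the whole control.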

What happens now? 

The ICO has made much of this penalty and the joint investigation conducted with the Office of the Privacy Commissioner of Canada. John Edwards, the Information Commissioner, said: 

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.” 

The fine comes after an ICO statement in March which said that a Notice of Intent had been issued for £4.59 million. That is an almost 50% reduction but, whatever the amount of the fine, the ICO is unlikely to see a penny.  

In April 23andMe filed for bankruptcy in the US courts. On Friday it said that it had agreed to the sale of its assets to a non-profit biotech organisation led by its co-founder and former chief executive. It said the purchase of the company would come with binding commitments to uphold existing policies and consumer protections, such as letting customers delete their accounts and genetic data and opt out of research. A bankruptcy court is scheduled to hear the case for its approval on Wednesday. 

This case is also a good example of the extra-territorial reach of the UK GDPR. Article 3(2)(a) UK GDPR applies because, although 23andMe is not established within the UK, it processes the personal data of the affected UK Data Subjects for the purposes of offering goods or services to those individuals. 

This is the third fine issued by the ICO in 2025. In April a £60,000 fine was issued to a law firm and in March an NHS IT supplier was fined £3 million. Both also followed cyber-attacks.   

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop. 

DPO Required at Buckingham Palace 

Imagine answering “Buckingham Palace” when someone asks you where you work! 

The Royal Household, the collective departments that support members of the British Royal Family, is looking for a Data Protection Manager. According to the job advert: 

“No two days will be the same and the unique nature and diversity of our information will challenge you. But you’ll have the opportunity to make an impact at the heart of this fascinating organisation.” 

Essential criteria include, amongst others, a relevant qualification in Data Protection, extensive practitioner experience within a complex organisation and broad knowledge of management processes and IT delivery. 

The salary is £50,000. If that does not persuade you, other benefits include 20% off the Royal Collection Trust Shops and complimentary admission tickets across all our locations! 

The deadline for applying is Sunday night (16/02/2025, 23:55). 

Are you a privacy professional wishing to advance your career in 2025? The Advanced Certificate in GDPR Practice is designed for experienced DPOs seeking to refine and expand their DPO skills and expertise.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

The Data (Use and Access) Bill: All change or much of the same? 

On 23rd October 2024, the Labour Government introduced into Parliament the Data Use and Access Bill. The Bill was highlighted in the King’s Speech in July (under its old name of the “Digital Information and Smart Data Bill”) where His Majesty announced that there would be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies.” However, this statement of intent does not match the reality: many of the Bill’s core provisions are a “cut and paste” of the Data Protection and Digital Information Bill (DP Bill), which failed to pass before last year’s snap General Election. 

Key Provisions 

Let’s examine the key provisions of the new Bill against those in the DP Bill. 

Smart Data: The new Bill retains the provisions from the DP Bill that will enable the creation of a legal framework for Smart Data. This involves companies securely sharing customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs will provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only current example of a regime that is comparable to a ‘Smart Data scheme’. The new Bill will give such schemes a statutory footing, from which they can grow and expand.  

Digital Identity Products: Just like its predecessor, the new Bill contains provisions aimed at establishing digital verification services, including digital identity products to help people quickly and securely identify themselves when they use online services, e.g. to help with moving house, pre-employment checks and buying age-restricted goods and services. It is important to note that this is not the same as compulsory digital ID cards, as some media outlets have reported. 

Research Provisions: The new Bill keeps the DP Bill’s provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards.  

Legitimate Interests: The new Bill retains the concept of ‘recognised legitimate interests’ under Article 6 of the UK GDPR: specific purposes for personal data processing, such as national security, emergency response and safeguarding, for which Data Controllers will be exempt from conducting a full Legitimate Interests Assessment when processing personal data.  

Automated Decision Making: Like the DP Bill, the new Bill seeks to limit the right, under Article 22 of the UK GDPR, for a data subject not to be subject to automated decision making or profiling to only those cases where Special Category Data is used. Under new Article 22A, a decision would qualify as being “based solely on automated processing” if there was “no meaningful human involvement in the taking of the decision”. This could give the green light to companies to use AI techniques on personal data scraped from the internet for the purposes of pre-employment background checks. 

International Transfers: The new Bill maintains most of the DP Bill’s international transfer provisions. There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and by Data Controllers when carrying out a Transfer Impact Assessment (TIA). The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. 

Health and Social Care Information: The new Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services. 

PECR Changes: One of the most significant changes, copied from the DP Bill, is the increase in fines for breaches of PECR from £500,000 to UK GDPR levels, meaning organisations could face fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for the most serious infringements. Other changes include allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates.  

What is not in the new Bill? 

Most of the controversial parts of the DP Bill have not made it into the new Bill. These include: 

  • Replacing the terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, with “vexatious” or “excessive” requests. Explanation and examples of such requests would also have been included.  
  • Exempting all controllers and processors from the duty to maintain a ROPA, under Article 30, unless they are carrying out high risk processing activities.  
  • The “strategic priorities” mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner. 
  • The requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations.  

The Data Use and Access Bill, in its current form, will not fundamentally change UK data protection laws. This is unlikely to change during its passage through Parliament as most of its provisions are copied from the DP Bill introduced by those who are now the official Opposition.  

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today!

Want more detail about the Bill and how it will affect your organisation? See our forthcoming DUA Bill workshop.

Are you a privacy professional wishing to advance your career in 2025? The Advanced Certificate in GDPR Practice is designed for experienced DPOs seeking to refine and expand their DPO skills and expertise. The course comprises a rigorous set of engaging masterclasses that teach you to dissect complex data protection scenarios and give practical compliance advice. This immersive experience will empower you with the skills and confidence needed to tackle the most challenging data protection projects within your organisation.

ICO Reprimands Law Firm for GDPR Breach 

Last week, the Information Commissioner’s Office (ICO) issued a reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. 

Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server. The attacker used legitimate credentials to infiltrate the system, eventually leaking personal data on the dark web, including:

  • Name, Address, Date of Birth
  • National Insurance Numbers 
  • Criminal data, including allegations, investigations, and prosecutions 
  • Details of complainants, victims (including children), and legally privileged information 
  • Prisoner Numbers, Health Status, and previous convictions 

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved. This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children.

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR: 

  • Article 32(1)(b): The need to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems. 
  • Article 32(1)(d): The requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. 

What Went Wrong? 

The ICO found that Levales Solicitors LLP failed to ensure the ongoing confidentiality of its systems, making it vulnerable to the cyberattack (Article 32(1)(b)). Several critical issues were identified by the ICO: 

No Multi-Factor Authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access. 

Weak Password Management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk. 

Unknown Point of Compromise: Levales Solicitors LLP was unable to determine how the attacker obtained the credentials, demonstrating a lack of sufficient oversight into how the breach occurred. 

The ICO also criticised Levales for failing to implement appropriate technical and organisational security measures (Article 32(1)(d)). Notably: 

Outsourced IT Management: Levales had outsourced its IT management but had not reviewed or updated security measures since 2012. The firm was unaware of basic security processes, such as detection, prevention, and monitoring systems in place with their third-party provider. 

Inadequate Contract Reviews: The ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up-to-date and appropriate. Levales had not reassessed their IT service contract since signing it, leaving potential vulnerabilities unchecked. 

The National Cyber Security Centre (NCSC) provides a 12-step guide on supply chain security, which advises that vulnerabilities within contracts can be easily exploited if the responsibilities and security measures between the provider and controller are not clearly defined or regularly reviewed. 

Despite these significant failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including: 

  • Introducing Multi-Factor Authentication (MFA) for all user accounts. 
  • Updating service contracts with third-party providers to ensure better security. 
  • Conducting a comprehensive review of existing systems and prioritising firewall upgrades. 

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under Article 58(2)(b) of the UK GDPR.  

Key Takeaways  

The decision reflects the seriousness of the firm’s failings in securing sensitive personal data and underscores the importance of robust data security practices for all organisations, particularly those handling highly sensitive information. All businesses are advised to take the following steps to comply with GDPR requirements: 

  • Implement Multi-Factor Authentication (MFA) for all accounts to reduce the risk of credential theft. 
  • Ensure that password policies are robust and regularly reviewed. 
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties. 
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats. 
  • Document and monitor the security measures in place, ensuring that they are tailored to the specific risks associated with the data being processed. 

This is not the first time that a law firm has been found to be in breach of GDPR. In 2022 the ICO fined Tuckers Solicitors LLP £98,000 for a breach of GDPR. The fine followed a ransomware attack on the firm’s IT systems in which the attacker encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included Special Category Data. Tuckers reported the breach to the ICO as well as to affected individuals through various means, including social media.

The ICO concluded that there were a number of areas in which Tuckers had failed to comply, and to demonstrate that it complied, with the Security Principle. Its technical and organisational measures were, over the relevant period, inadequate. Amongst other things, the lack of Multi-Factor Authentication was highlighted by the ICO.

Data security is a cornerstone of GDPR compliance, and the reprimand involving Levales Solicitors LLP highlights the potential consequences of not taking proper precautions. Organisations should treat this as a wake-up call to evaluate and strengthen their own data protection measures, particularly in areas where sensitive or high-risk data is involved.

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches workshop.


Sales Consultant Prosecuted  

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving S.170 offences (Data Protection Act 2018) were investigated by its Criminal Investigations Team. Section 170 makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller, 

(b) procure the disclosure of personal data to another person without the consent of the controller, or 

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

Rogue workers accessing and abusing personal data for their own gain is a real risk for organisations with vast customer databases that have commercial value. There have been a number of S.170 prosecutions by the ICO recently. The latest involves a sales consultant at a car leasing company. 

On 17th September 2024, Alexander Doré pleaded guilty to retaining and selling 3,600 pieces of customer records obtained from the car leasing company he worked for. The information had been taken shortly before Doré resigned. He approached multiple competitor companies with this information, whilst claiming that it belonged to him. Doré was ordered to pay a fine of £1,200 and £300 costs.

The Head of Investigations at the ICO, Andy Curry, said: 

“Customers put their trust in any number of organisations on a daily basis to use and store their data in a legal and appropriate way. Mr Doré took advantage of that trust, as well as the trust of his employers, by taking customer information that he then passed on to other companies, purely for his own financial gain. 

“It is with great thanks to Leaseline Vehicle Management Ltd that they brought Mr Doré’s wrongdoing to our attention, and we were able to investigate. 

“We hope this successful prosecution shows we will work with companies to bring those committing crimes to justice.” 

If a disgruntled or rogue employee commits an offence under section 170, might their employer also be liable for the consequences? The answer is in our recent blog, which can be read here.
