Another Day; Another Police Data Breach  

The largest police force in the UK, the London Metropolitan Police (also known as the London Met), has fallen victim to a substantial data breach. Approximately 47,000 members of the police staff have been informed about the potential compromise of their personal data. This includes details such as photos, names, and ranks. The breach occurred when criminals targeted the IT systems of a contractor responsible for producing staff identification cards.

Beyond the confirmed categories, details such as identification numbers and clearance levels might also have been exposed. However, it has been confirmed that the breached data did not include the home addresses of the affected Met police personnel. There are fears that organised crime groups or even terrorist entities could be responsible for this breach of security and personal data.

Furthermore, the breach has amplified security apprehensions for London Met police officers from Black, Asian, and Minority Ethnic backgrounds. Former London Met Police Chief Superintendent Dal Babu explained that individuals with less common names might face a heightened risk. Criminal networks could potentially locate and target them more easily online, compared to those with common names. This concern is particularly relevant for officers in specialised roles like counter-terrorism or undercover operations.

Reacting to this situation, former Met commander John O’Connor expressed outrage, highlighting concerns about the adequacy of the cyber security measures put in place by the contracted IT security company, given the highly sensitive nature of the information at stake.

This incident presents a significant challenge to the UK Home Office, and it is likely that the government will be compelled to swiftly review and bolster security protocols. This step is necessary to ensure that the personal data of security service personnel is safeguarded with the utmost levels of privacy and data security. Both the Information Commissioner’s Office (ICO) and The National Crime Agency have initiated investigations.

This follows the data breach of the Police Service of Northern Ireland (PSNI) where, in response to a Freedom of Information request, the PSNI mistakenly divulged information on every police officer and member of police staff. Over in England, Norfolk and Suffolk Police also recently announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FOI request. Last week, South Yorkshire Police referred itself to the information commissioner after “a significant and unexplained reduction” in data such as bodycam footage stored on its systems, a loss which it said could affect some 69 cases.

These incidents underscore the urgency of maintaining robust data protection measures and raising awareness about potential risks, especially within law enforcement agencies. They also oblige Data Controllers to ensure that they have processes in place to comply with the requirements of GDPR (Article 28) when appointing Data Processors.

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security.

Ibrahim Hasan’s BBC Radio Ulster Interview about the PSNI Data Breach 

Today, Ibrahim Hasan gave an interview to BBC Radio Ulster about the Police Service of Northern Ireland’s (PSNI) recent data breach. In response to an FOI request, PSNI shared the names of all officers and staff, where they were based and their roles. More about the PSNI and the Electoral Commission data breaches here.

Our Data Mapping workshop is proving very popular with IG and DP Officers who wish to develop this skill.

Data Flow Mapping: An Essential Skill for Data Protection Professionals 

Data flow mapping is an essential skill for data protection professionals to develop. In this blog post we explore the significance of this skill and some useful tools to get started.

What is Data Flow Mapping? 

Data flow mapping is a systematic process that enables organisations to visualise the flow of personal data within their systems and networks. It involves identifying the sources of data, the purposes for which it is processed, the entities with access to the data, and any transfers of data to third parties. By creating a visual representation of data flows, data protection professionals can gain a clear understanding of how personal data moves throughout the organisation and beyond. This knowledge is essential for effective risk assessment, Data Protection Impact Assessments (DPIAs) and compliance with other regulatory requirements.

The Benefits of Data Flow Mapping 

Data flow mapping serves as a foundation for creating a comprehensive data inventory. It enables organisations to document all types of personal data they collect, process, store, and share. This inventory provides transparency and visibility into data processing activities, allowing for better management and control of personal data.  

The UK GDPR and the Data Protection Act 2018 impose strict obligations on organisations to protect personal data and ensure lawful processing. Data flow mapping facilitates compliance by identifying areas where data protection measures need strengthening or adjustment. It helps organisations determine whether they have a valid legal basis for processing personal data, obtain appropriate consents, and implement adequate security measures. Mapping data flows ensures compliance with the principles of lawfulness, fairness, and transparency, as well as data minimisation and purpose limitation. It will also assist in the production and maintenance of a Record of Processing Activity (ROPA) under Article 30 of the UK GDPR.

Understanding the personal data landscape also helps organisations identify data subjects’ rights and obligations associated with each type of data. Data flow mapping enables organisations to respond effectively to data subject requests, such as access, rectification, and erasure. By understanding the data flows, organisations can locate the relevant data and fulfil their obligations within the required timeframes. This transparency empowers individuals to exercise their rights and fosters trust between organisations and data subjects. Furthermore, data flow mapping enhances transparency by providing a clear overview of how personal data is used and shared, enabling organisations to communicate their data processing practices accurately.

In the event of a personal data breach or security incident, data flow mapping becomes a valuable asset for efficient incident response and management. It allows organisations to identify the affected data, assess the potential impact, and take appropriate measures to mitigate harm. By understanding data flows, organisations can implement data breach response plans tailored to the specific types of data involved. Proactive incident response minimises the harm caused by data breaches and ensures compliance with legal obligations, including notification requirements and remedial actions.

A data flow map is a powerful tool for identifying potential risks and vulnerabilities in data processing activities. It assists in assessing the security measures in place, evaluating the legal basis for data processing, and ensuring that data transfers, particularly international transfers, comply with relevant regulations. By understanding the risks, organisations can implement appropriate safeguards and mitigation strategies to protect personal data from unauthorised access, loss, or misuse. 

Effective data governance and accountability within organisations are greatly strengthened by data flow mapping. It promotes a holistic understanding of data processing activities, including the roles and responsibilities of individuals involved. This knowledge facilitates the establishment of appropriate policies, procedures, and internal controls to protect personal data. It also enables organisations to demonstrate accountability by showing regulators, stakeholders, and customers that they have implemented necessary measures to protect personal data and comply with legal requirements.
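The following is an added example, not part of the original post or of any tool it names: a small data flow map kept as structured records, from which the script derives a Graphviz DOT diagram, an Article 30 style ROPA summary, the systems to search when a data subject request arrives, and review findings for international transfers and flows with no recorded lawful basis. Every system, purpose and country in it is a constructed sample.

```python
# Added example (not from the post): a data flow map as records, with the
# diagram, ROPA summary, request lookup and review checks derived from it.
from collections import defaultdict

# Constructed sample flows: (source, destination, data categories, purpose,
# lawful basis, destination country). None marks a missing lawful basis.
FLOWS = [
    ("Web form", "CRM", {"name", "email"}, "Customer enquiries", "Contract", "GB"),
    ("CRM", "Mailing service", {"email"}, "Marketing", "Consent", "US"),
    ("CRM", "Payroll provider", {"name", "bank details"}, "Staff payments", "Contract", "GB"),
    ("HR system", "Analytics SaaS", {"name", "sickness record"}, "Absence reporting", None, "IE"),
]
HOME_COUNTRY = "GB"  # constructed: the controller's own jurisdiction

def to_dot(flows):
    """Render the flows as a Graphviz DOT digraph, one labelled edge per flow."""
    lines = ["digraph data_flows {", "  rankdir=LR;"]
    for src, dst, cats, purpose, _basis, _country in flows:
        label = f"{purpose}\\n{', '.join(sorted(cats))}"  # DOT newline in label
        lines.append(f'  "{src}" -> "{dst}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)

def ropa_summary(flows):
    """Group flows by purpose: categories, recipients and lawful basis (Article 30 style)."""
    ropa = defaultdict(lambda: {"categories": set(), "recipients": set(), "basis": set()})
    for _src, dst, cats, purpose, basis, _country in flows:
        entry = ropa[purpose]
        entry["categories"] |= cats
        entry["recipients"].add(dst)
        entry["basis"].add(basis or "MISSING")
    return dict(ropa)

def locate_category(flows, category):
    """Every system holding a category: where to look for an access or erasure request."""
    return sorted({s for src, dst, cats, *_ in flows if category in cats for s in (src, dst)})

def review_findings(flows):
    """Items a DPO would act on: transfers outside HOME_COUNTRY and flows with no lawful basis."""
    findings = []
    for src, dst, _cats, purpose, basis, country in flows:
        if country != HOME_COUNTRY:
            findings.append(f"international transfer: {src} -> {dst} ({country}), {purpose}")
        if basis is None:
            findings.append(f"no lawful basis recorded: {src} -> {dst}, {purpose}")
    return findings

if __name__ == "__main__":
    print(to_dot(FLOWS))
    print("\n".join(review_findings(FLOWS)))
```

Piping the DOT output through `dot -Tpng` gives a first diagram that can then be refined in any of the tools discussed below.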

Data Flow Mapping Tools 

While the process can be complex, there are several publicly available tools that can assist in simplifying data flow mapping. 

Lucidchart is a popular cloud-based diagramming tool. With its intuitive interface and drag-and-drop functionality, users can easily create visual representations of data flows. There are various templates and shapes specifically designed for data flow mapping, allowing organisations to quickly map out their data processing activities. Lucidchart also supports collaboration, enabling multiple team members to work together on data flow diagrams in real time.

Microsoft Visio is a widely used diagramming tool that includes features for data flow mapping. It has an extensive library of shapes and templates and offers various connectors and layout options to ensure clear and comprehensive representations of data flows. Visio also allows for easy linking of data flow diagrams to relevant documentation and policies. As part of the Microsoft Office suite, Visio integrates seamlessly with other Microsoft products, making it a convenient choice for organisations already using Microsoft solutions.

draw.io is a free, open-source diagramming tool that offers an intuitive interface for creating data flow diagrams. Users can save their diagrams locally or in cloud storage platforms such as Google Drive and OneDrive. draw.io is highly customisable, allowing users to tailor their data flow diagrams to their specific needs. While it may not have as many advanced features as some other tools, draw.io remains a practical option for organisations seeking a free and straightforward solution for data flow mapping.

Data flow mapping is a critical skill for data protection professionals in the UK. By mapping data flows, organisations can create comprehensive data inventories, identify and mitigate risks, facilitate compliance, respond to data subject requests, and manage data breaches effectively. As data becomes increasingly valuable and personal privacy gains greater significance, mastering the skill of data flow mapping is an essential step toward maintaining trust, building robust data protection frameworks, and ensuring the security and integrity of personal data. Data protection professionals who acquire this skill will be well-equipped to navigate the complex landscape of data protection and play a crucial role in upholding individuals’ privacy rights in the digital age.


Sharpen your data flow mapping skills by joining our next Data Flow Mapping workshop. By the end you will understand the key concepts of data flow mapping, the benefits of this work and how to develop and implement a data flow mapping process in your organisation.

The New EU Data Governance Act

On 17th May 2022, the Council of the European Union adopted the Data Governance Act (DGA) or, to give its full title, the Regulation on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (2020/0340 (COD)). The Act aims to boost data sharing in the EU, allowing companies access to more data with which to develop new products and services.

The DGA will achieve its aims through measures designed to increase trust in relation to data sharing, creating new rules on the neutrality of data marketplaces and facilitating the reuse of public sector data. The European Commission says in its Questions and Answers document:

“The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges.”

Application

The DGA will increase the amount of data available for re-use within the EU by allowing public sector data to be used for purposes different from the ones for which it was originally collected. The Act will also create sector-specific data spaces to enable the sharing of data within a specific sector, e.g. transport, health, energy or agriculture.

Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording” that is held by public sector bodies and which is not subject to the Open Data Directive but is subject to the rights of others. Examples include data generated by GPS and healthcare data which, if put to productive use, could contribute to improving the quality of services. The Commission estimates that the Act could increase the economic value of data by up to €11 billion by 2028.

Each EU Member State will be required to establish a supervisory authority to act as a single information point providing assistance to governments. They will also be required to establish a register of available public sector data. The European Data Innovation Board (see later) will have oversight responsibilities and maintain a central register of available DGA Data. 

On first reading the DGA seems similar to The Re-use of Public Sector Information Regulations 2015, which implemented Directive 2013/37/EU. The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. However, the DGA goes much further.

Data Intermediary Services 

The European Commission believes that, in order to encourage individuals to allow their data to be shared, they should trust the process by which such data is handled. To this end, the DGA creates data sharing service providers known as “data intermediaries”, which will handle the sharing of data by individuals, public bodies and private companies. The idea is to provide an alternative to the existing major tech platforms.

To uphold trust in data intermediaries, the DGA puts in place several protective measures. Firstly, intermediaries will have to notify public authorities of their intention to provide data-sharing services. Secondly, they will have to commit to the protection of sensitive and confidential data. Finally, the DGA imposes strict requirements to ensure the intermediaries’ neutrality. These providers will have to distinguish their data sharing services from other commercial operations and are prohibited from using the shared data for any other purposes. 

Data Altruism

The DGA encourages data altruism. This is where data subjects (or holders of non-personal data) consent to their data being used for the benefit of society, e.g. scientific research purposes or improving public services. Organisations who participate in these activities will be entered into a register held by the relevant Member State’s supervisory authority. In order to share data for these purposes, a data altruism consent form will be used to obtain data subjects’ consent.

The DGA will also create a European Data Innovation Board. Its mission would be to oversee the data sharing service providers (the data intermediaries) and provide advice on best practices for data sharing.

The UK

Brexit means that the DGA will not apply in the UK, although it clearly may affect UK businesses doing business in the EU. It remains to be seen whether the UK will take a similar approach, although it is notable that UK proposals for amending GDPR include “amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.”

The DGA will shortly be published in the Official Journal of the European Union and enter into force 20 days after publication. The new rules will apply 15 months thereafter. To further encourage data sharing, on 23 February 2022 the European Commission proposed a Data Act that is currently being worked on.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.
