Skip to main content


Thirteen Point Guide to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (“ GDPR ”) will come into force and apply to all EU member states from 25 May 2018. The UK’s decision to leave the EU will not affect the commencement of the GDPR. It contains eighty-eight pages, 99 articles and 173 related recitals and is therefore no small piece of legislation. Overall, the principles under the GDPR are similar to those under the current Data Protection Act. However, there are new elements and significant enhancements; particularly in relation to accountability. The GDPR puts the onus on organisations to show how it complies with the data protection principles and there is a greater emphasis on documenting specific activities. Other  key changes  to be aware of include: Wider scope of application  – certain definitions under the GDPR have been broadened, for example, the definition of “personal data”. Higher penalties  – the GDPR introduces tougher sanctions, including administrative fines for non-com
Recent posts

The New EU Data Protection Directive

With the coming into force of EU data protection legislation and the rising reputational and regulatory risks from data breaches, please see below a data compliance checklist, which we hope your organisation or business will find useful.  NOTIFICATION Business registered with the Information Commissioner’s Office? If registered, is entry up to date/relevant/wide enough to cover future uses? COMPLIANCE WITH DATA PROTECTION PRINCIPLES What personal information is held and why Is the information collected necessary for the purposes for which it is held? How is accuracy of personal information checked? How is information kept up to date? How long is information held? Where is information held? If on servers, where are servers based? Is the information secure? What staff have access to the information and why? Is the information disclosed to any third parties? What details are provided when information is collected? POLICIES Have staff been trained i

Ten Questions to Ask Your Cloud Provider

The use of cloud computing is on an exponential rise, as it offers users almost unlimited storage of data, reduces the need for organisations to have physical servers and allows easy access to information from anywhere in the world. As such, many UK based organisations are now turning to cloud computing to satisfy their data storage needs. But there is one issue which seeks to bring grey clouds over an otherwise silver lining and that is data security . By using the cloud instead of a physical storage device, organisations are obliged to hand over data to a third party cloud provider, some or all of which might be personal data within the meaning of the Data Protection Act. An organisation must therefore be sure, before it enters into a contract with a cloud provider, that its information will be kept securely and the provider’s handling of data will be compliant with the Act and any other applicable laws. Before you embark upon acquiring a business which uses cloud computing o


The Head of Cyber Security at the Department for Business, Innovation and Skills (BIS) has warned that security breaches have reached an all time high, with 93% of larger businesses suffering a security breach within the last year and 87% of smaller businesses being similarly affected, a jump of 76% since 2012.  Often the breach is not always from the outside: many of these breaches are staff related. Costs to remedy these breaches can range from a few thousand pounds to hundreds of thousands when the breach affects the reputation of the business, for instance, if it is publicised. A survey carried out by BIS showed that the cost to smaller businesses was on average between £35,000-£65,000, whilst that for large businesses ranged from £450,000-£850,000. One company in London last year was estimated to have lost £800m in revenue from a cyber attack. Law firms are no exception when it comes to cyber attacks.  In many ways, they are a greater target, as they store large amoun

ICO imposes fine of £250,000 for data protection breach by Scottish council

A Scottish council hired a man known as ‘GS’ to “digitise” its employees’ pension records with no written contract in place between the Scottish council and GS containing the data processing and security requirements specified by the Information Commissioner’s Office (ICO).   Files containing Council employees’ names, addresses, national insurance numbers and, in some cases, individual’s salary and bank account details, had been dumped in a supermarket’s recycling bank and found by a member of the public.   In its civil monetary penalty notice, the ICO said that approximately 8,000 pension records, some of which included details of ill health benefits, had been digitised by GS.  GS would send to the council by standard post unencrypted discs containing the information.  It said that the council was unaware that GS was disposing of the paper records in recycling banks.   The ICO said in its civil monetary notice “ The Commissioner is satisfied that the contravention w

Jail Sentences for Data Protection Offenders

The House of Commons' Home Affairs Select Committee are encouraging the Home Secretary to introduce jail sentences as a possible punishment for data protection offenders. This is to act as a stronger deterrent than the current, quite ineffective fines.  It is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data", under Section 55 of the Data Protection Act (DPA). But now, personal data has never been easier to access and the risks of information being leaked are an increasing concern. There are many new suppliers of information who are unlikely to understand or take notice of the rules to which they must comply. While the maximum fine for committing a section 55 offence is £5,000 when the case is heard in a Magistrates Court, and unlimited when

Torbay Care Trust Fined For Data Protection Breaches

As a result of breaching data protection laws, the Torbay Care Trust has been fined £175,000 by the ICO. A spreadsheet containing "sensitive" information about the employees' religion and sexuality; as well as names, dates of birth and national insurance numbers was published on to their website. The ICO said that such information was likely to cause substantial damage and/or distress to those who had had their details exposed. What is more, head of enforcement with the ICO, Stephen Eckersley, highlighted that the release of such information put staff at risk of being victims of identity fraud. The breach only came to light when a member of the public reported it 19 weeks after it was posted, the ICO said. The Data Protection Act (DPA) requires organisations to exercise the appropriate organisational measures to eliminate the risk of such sensitive information being used without authorisation. This includes the need to have "effective policies and procedures