<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-GB"
                       href="https://www.itpro.com/uk/feeds/tag/ico"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from ITPro UK in Ico ]]></title>
                <link>https://www.itpro.com/uk/tag/ico</link>
        <description><![CDATA[ All the latest ico content from the ITPro  UK team ]]></description>
                                    <lastBuildDate>Fri, 12 Dec 2025 11:00:01 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfolded ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/lastpass-hit-with-ico-fine-after-2022-data-breach-exposed-1-6-million-users-heres-how-the-incident-unfolded</link>
                                                                            <description>
                            <![CDATA[ The impact of the LastPass breach was felt by customers as late as December 2024 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ATQvZUPYifcPMYGMgxGcJM</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/TTRshdPVbcc5tTxbndpFXc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Dec 2025 11:00:01 +0000</pubDate>                                                                                                                                <updated>Fri, 12 Dec 2025 11:01:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/TTRshdPVbcc5tTxbndpFXc-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[LastPass logo pictured on a smartphone screen alongside earbuds and car key.]]></media:description>                                                            <media:text><![CDATA[LastPass logo pictured on a smartphone screen alongside earbuds and car key.]]></media:text>
                                <media:title type="plain"><![CDATA[LastPass logo pictured on a smartphone screen alongside earbuds and car key.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/TTRshdPVbcc5tTxbndpFXc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Password manager provider <a href="https://www.itpro.com/security/information-security-infosec/370210/lastpass-breach-last-chance">LastPass</a> has been hit with a £1.2 million fine for failing to prevent a massive data breach.</p><p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner's Office (ICO)</a> found that a combination of two incidents over two days in August 2022 <a href="https://www.itpro.com/security/369776/lastpass-customer-password-vaults-stolen-targeted-phishing-attacks-likely">put more than 1.6 million customers at risk</a>. </p><p>According to the data protection watchdog, the company “failed to implement sufficiently robust technical and security measures”. </p><p>Commenting on the fine, information commissioner John Edwards said LastPass failed customers and “fell short” on expectations that the company would employ robust measures to protect personal data. </p><p>“<a href="https://www.itpro.com/software/368045/best-free-password-managers-in-2022">Password managers</a> are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use,” he said. </p><p>“However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced," Edwards added. </p><p>“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today."</p><h2 id="the-lastpass-breach-explained">The LastPass breach explained</h2><p>The LastPass breach unfolded in two separate phases. In the first incident, a hacker compromised an employee’s corporate laptop and gained access to the company’s development environment. 
</p><p>While no personal information was taken, encrypted company credentials were - which, if decrypted, would allow access to the company’s backup database.</p><p><a href="https://www.itpro.com/software/368008/lastpass-vs-1password">LastPass </a>took steps to mitigate the hacker’s activity, but thought the encryption keys were safe, as they were stored in the account vaults of four senior employees, outside the area accessed by the hacker.</p><p>However, the next day, the hacker targeted one of these employees, gaining access to their personal device via a known vulnerability in a third-party streaming service.</p><p>The hacker then installed a keylogger, capturing the employee’s master password and bypassing <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">multi-factor authentication (MFA)</a> using a trusted device cookie. This gave access to the employee’s personal and business LastPass vaults, which were linked using a single master password.</p><p>Thereafter, the threat actor gained access to the employee’s business vault, which contained the <a href="https://www.itpro.com/cloud/infrastructure-as-a-service-iaas/362608/what-is-aws">Amazon Web Services (AWS)</a> access key and decryption key. When combined with information taken the day before, this allowed the hacker to extract the contents of the backup database containing the customers' personal data.</p><h2 id="lastpass-zero-knowledge-system-prevented-disaster">LastPass’ ‘zero knowledge’ system prevented disaster</h2><p>As the ICO noted in its post-mortem of the incident, the threat actor responsible for the breach wasn't able to decrypt encrypted passwords and other credentials. </p><p>This was thanks to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass. 
</p><p>While this represented a reprieve for the company and users, the impact of the breach was felt by customers as late as December 2024. </p><p>A probe by crypto investigator ZachXBT found <a href="https://www.itpro.com/security/cyber-attacks/lastpass-breach-comes-back-to-haunt-users-as-hackers-steal-usd12-million-in-two-days">hackers stole $12.38 million in cryptocurrency from LastPass users</a> on 16 and 17 December 2024.</p><p>Chris Linnell, associate director of data privacy at Bridewell, said the ICO fine represents a “big moment” for the industry and highlights the need for more robust processes at password managers.</p><p>These platforms hold the keys to the castle for enterprises and consumers alike, and security practices at providers should reflect that. </p><p>"It’s not the largest penalty we’ve seen under John Edwards, but it definitely plays into public expectations - people trust password managers to keep them safe, so when they fall short, it makes headlines," he said.</p><p>"For service providers, this is a reminder that security isn’t just about the product itself. You need strong information security and privacy frameworks in place, and you can’t ignore the less obvious risks - backups, secondary databases, and other systems that attackers often target.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 23andMe 'failed to take basic steps' to safeguard customer data ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/23andme-failed-to-take-basic-steps-to-safeguard-customer-data</link>
                                                                            <description>
                            <![CDATA[ The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">yw8vKBDbYqsBDoPRSWfvgc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Eozhztfgoq2M22qwAdkoAE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 17 Jun 2025 13:45:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Eozhztfgoq2M22qwAdkoAE-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[23andMe logo displayed on an office building in Mountain View, California.]]></media:description>                                                            <media:text><![CDATA[23andMe logo displayed on an office building in Mountain View, California.]]></media:text>
                                <media:title type="plain"><![CDATA[23andMe logo displayed on an office building in Mountain View, California.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Eozhztfgoq2M22qwAdkoAE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner's Office</a> (ICO) has slapped a fine of £2.31 million on genetic testing company <a href="https://www.itpro.com/security/data-breaches/23andme-risks-public-relations-disaster-as-it-blames-customers-for-data-breach">23andMe</a> for failing to protect customer data after a cyber attack. </p><p>The credential stuffing attack, which took place between April and September 2023, saw the exposure of the personal information of 155,592 UK residents. </p><p>The data exposed included names, birth years, location, profile images, race, ethnicity, family trees, and health reports. </p><p>At the time, the company was roundly criticized for appearing to blame users themselves for the breach. It wrote to customers saying they'd "failed to update their passwords following past security incidents unrelated to <a href="https://www.itpro.com/security/data-breaches/the-23andme-data-breach-is-getting-messier-by-the-day">23andMe</a>", and had "negligently recycled" login credentials from other accounts that were already exposed.</p><p>The ICO, though, takes a different view. </p><p>"This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number," said <a href="https://www.itpro.com/security/data-protection/you-must-do-better-information-commissioner-john-edwards-calls-on-firms-to-beef-up-support-for-data-breach-victims">information commissioner John Edwards</a>.</p><p>"23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. 
This left people's most sensitive data vulnerable to exploitation and harm."</p><p>Specifically, the ICO found that 23andMe had failed to implement appropriate authentication and verification measures when customers logged in, including mandatory <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication">multi-factor authentication</a> (MFA) and strong passwords.</p><p>It also failed to put appropriate security measures in place to deal with access to and the downloading of raw genetic data.</p><p>Nor did it have the right measures in place to monitor for, detect, and appropriately respond to cyber threats to its customers' personal information.</p><p>"Strong data protection must be a priority for organizations, especially those that are holding sensitive personal information," said Philippe Dufresne, privacy commissioner of Canada, who collaborated with the ICO on the investigation. </p><p>"With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable."</p><p>As well as failing to protect customer data, 23andMe handled the attack badly, the authorities concluded. The hackers kicked off their credential stuffing attack in April 2023, ramping up efforts in May and attempting to initiate profile transfers in July. This didn't happen invisibly, with 23andMe's platform stopping working, leaving the company's users unable to access it.</p><p>However, said the ICO, "Despite 23andMe investigating this incident at the time, it failed to detect that this was part of a larger ongoing data breach."</p><p>It didn't start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. 
Only then did 23andMe confirm that a breach had occurred.</p><p>In August, indeed, it even dismissed a claim of data theft affecting over 10 million users as a hoax.</p><p>23andMe has since filed for Chapter 11 bankruptcy in the US, with a sale hearing set for today. The ICO said it was monitoring the situation closely, pointing out that the protections and restrictions of the UK GDPR continue to apply.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuse ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/privacy/ai-recruitment-tools-are-still-a-privacy-nightmare-heres-how-the-ico-plans-to-crack-down-on-misuse</link>
                                                                            <description>
                            <![CDATA[ The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wQJFVT8dEwvNj6DLkTQ87i</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/BoxspQRwTLu8HAXk5Pnrd8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 08 Nov 2024 10:42:22 +0000</pubDate>                                                                                                                                <updated>Fri, 08 Nov 2024 10:43:24 +0000</updated>
                                                                                                                                            <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/BoxspQRwTLu8HAXk5Pnrd8-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Concept image showing a robotic hand dropping a man in a suit into the garbage, signifying AI recruitment tools.]]></media:description>                                                            <media:text><![CDATA[Concept image showing a robotic hand dropping a man in a suit into the garbage, signifying AI recruitment tools.]]></media:text>
                                <media:title type="plain"><![CDATA[Concept image showing a robotic hand dropping a man in a suit into the garbage, signifying AI recruitment tools.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/BoxspQRwTLu8HAXk5Pnrd8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK's <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> has issued guidance on the use of AI recruitment tools following a wide-ranging review.</p><p>With AI increasingly being used to source potential candidates, <a href="https://www.itpro.com/business-strategy/careers-training/355955/tips-for-writing-a-cover-letter-thatll-help-land-the-job">summarize CVs</a>, and score applicants, the ICO said it's become concerned that their use can cause problems for job applicants in terms of their privacy and information rights. </p><p>Some <a href="https://www.itpro.com/technology/artificial-intelligence/amazing-ai-tools-to-try-today">AI tools</a> were not processing personal information fairly, for example, by allowing recruiters to filter out candidates with certain protected characteristics. </p><p>Others were even inferring characteristics such as gender and ethnicity from a candidate’s name, rather than asking for the information. </p><p>Meanwhile, some AI recruitment tools collected far more personal information than necessary and retained it indefinitely to build large databases of potential candidates without their knowledge.</p><p>The ICO has now made nearly 300 recommendations, such as ensuring personal information is processed fairly and kept to a minimum, and clearly explaining to candidates how their information will be used by the AI tool. </p><p>"<a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> can bring real benefits to the hiring process, but it also introduces new risks that may cause harm to jobseekers if it is not used lawfully and fairly. 
Our intervention has led to positive changes by the providers of these AI tools to ensure they are respecting people’s information rights," said Ian Hulme, ICO director of assurance.</p><p>"Our report signals our expectations for the use of AI in recruitment, and we're calling on other developers and providers to also action our recommendations as a priority. That’s so they can innovate responsibly while building trust in their tools from both recruiters and jobseekers."  </p><p>Some of the most important measures, said the ICO, include completing a <a href="https://www.itpro.com/data-protection/34416/how-to-perform-a-data-protection-impact-assessment-dpia-under-gdpr">Data Protection Impact Assessment (DPIA)</a>, to understand, address and mitigate any potential privacy risks or harms.</p><p>Organizations must also identify an appropriate lawful basis for collecting data, such as consent or legitimate interests. Special category data, such as racial or ethnic origin or health data, involves extra conditions.</p><p>Recruiters must identify who is the controller and processor of personal information and set explicit and comprehensive written instructions for providers to follow, and check that the provider has mitigated bias. </p><p>Candidates should be told how an AI tool will process their personal information, and recruiters must ensure that the tool collects only the minimum amount of personal information required to achieve its purpose, and that it won't be used in any other ways.</p><p>The developers concerned have all accepted or partially accepted all the ICO's recommendations.</p><p>“We are actively working to implement the specific actions agreed with the ICO in our audit plan," said one. 
"For example, we are making sure to provide the relevant information regarding the use of AI in our privacy policies and evaluating the steps taken to minimize bias when training and testing our <a href="https://www.itpro.com/technology/artificial-intelligence/workers-are-using-generative-ai-tools-on-the-sly-and-it-needs-to-stop">AI tools</a>."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ “You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victims ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/you-must-do-better-information-commissioner-john-edwards-calls-on-firms-to-beef-up-support-for-data-breach-victims</link>
                                                                            <description>
                            <![CDATA[ Companies need to treat victims with swift, practical action, according to the ICO ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">n3sbnye4MrrAGt6A2d9i8k</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UzcUMaRy2zzheRGACjK4si-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 30 Oct 2024 09:26:57 +0000</pubDate>                                                                                                                                <updated>Wed, 30 Oct 2024 14:32:05 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UzcUMaRy2zzheRGACjK4si-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.]]></media:description>                                                            <media:text><![CDATA[Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber security concept image showing a digitized padlock sitting on a blue colored circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UzcUMaRy2zzheRGACjK4si-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The UK Information Commissioner’s Office (ICO) is calling on organizations to do more to support victims after a data breach.</p><p>According to ICO figures, nearly 30 million people in the UK have experienced a data breach. In total, 55% of UK adults reported having had their data lost or stolen, with 30% of them experiencing emotional distress as a result. </p><p>However, a quarter said they received no support from the organizations responsible and 32% found out about the breach via the media, rather than from the organization itself.</p><p>Information Commissioner John Edwards said the figures highlight that many organizations “fail to fully appreciate the harm they cause when they mishandle personal data”. </p><p>Edwards urged enterprises to act with “empathy and action” when dealing with data breach victims. </p><p>"Today, I want to issue a stark warning to organizations across the country: you must do better," he said.</p><p>"When a data breach occurs, it’s not just an admin error – it is a failure to protect someone. In many cases if that someone is in a vulnerable situation, they are already facing innumerable personal challenges, or they may be at risk of harm."</p><p>Qualitative research conducted by the ICO, meanwhile, found people have had to move homes, felt forced out of their jobs, and faced discrimination as a result of data breaches. 
Analysis from the data protection watchdog found the real impact on their life was insufficiently recognized by the organization responsible.</p><h2 id="ico-issues-updated-guidance-for-organizations">ICO issues updated guidance for organizations</h2><p>New <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/communicating-with-empathy-after-a-data-breach/"><u>guidance </u></a>issued by the ICO calls on organizations to assess the risks to the individuals involved, and carry out its reporting and notification duties promptly.</p><p>They should acknowledge what has happened to people affected by a breach, be human and accessible in their response, and commit to making sure it doesn’t happen again.</p><p>Similarly, organizations should share ICO guidance with people affected by a breach, and make sure that staff have access to the ICO toolkit of resources. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED WHITEPAPER</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="yfa59aYW8BdNLSkCxFkR8M" name="How to convince your management that NordPass is a necessary tool in your company.jpg" caption="" alt="How to convince your management that NordPass is a necessary tool in your company" src="https://cdn.mos.cms.futurecdn.net/yfa59aYW8BdNLSkCxFkR8M.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: NordPass)</span></figcaption></figure><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/how-to-convince-your-management-that-nordpass-is-a-necessary-tool-in-your-company"><em>Keep your company’s sensitive data 
secure</em></a></p></div></div><p>Another key focus should be implementing changes to corporate culture and ensuring that empathy is at the heart of their response, the ICO said. </p><p>"To many organizations, a data breach might seem like a temporary setback - something that can be patched up with technical fixes and compliance reviews," said Edwards. </p><p>"But from the perspective of individuals - especially those in vulnerable situations - a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ LinkedIn backtracks on AI training rules after user backlash ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/linkedin-backtracks-on-controversial-ai-training-rules-after-user-backlash</link>
                                                                            <description>
                            <![CDATA[ UK-based LinkedIn users will now get the same protections as those elsewhere in Europe ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">VBzbWMj3AT4kzg5aVVGkYg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gcf9KQrbYmhPFjTVKoRas5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 23 Sep 2024 09:13:11 +0000</pubDate>                                                                                                                                <updated>Mon, 23 Sep 2024 09:13:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gcf9KQrbYmhPFjTVKoRas5-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[LinkedIn logo and branding pictured on a smartphone screen held by shadowed hands.]]></media:description>                                                            <media:text><![CDATA[LinkedIn logo and branding pictured on a smartphone screen held by shadowed hands.]]></media:text>
                                <media:title type="plain"><![CDATA[LinkedIn logo and branding pictured on a smartphone screen held by shadowed hands.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gcf9KQrbYmhPFjTVKoRas5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>LinkedIn has suspended the use of UK user data for AI training following a fierce backlash from digital rights campaigners, users, and regulators.</p><p>The social network recently changed its privacy policy to use an ‘opt-out’ setting for the use of customer data to train its internal <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> models.</p><p>In an update to its policies, the Microsoft-owned firm said the use of user data would help improve <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a> features. The change prompted a backlash among users on social media, with digital rights campaigners urging users to opt out of the scheme.</p><p>"Like other features on LinkedIn, when you engage with generative AI powered features we process your interactions with the feature, which may include personal data (e.g., your inputs and resulting outputs, your usage information, your language preference, and any feedback you provide)," LinkedIn said in its FAQs.</p><p>The UK’s <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> expressed concerns over the move, with the regulator noting that the opt-out approach wasn’t sufficient to protect user privacy.</p><p>Similarly, digital rights group Open Rights Group complained the opt-out model “proves once again to be wholly inadequate to protect our rights”. 
</p><p>“The public cannot be expected to monitor and chase every single online company that decides to use our data to train AI," said legal and policy officer Mariano delli Santi.</p><p>"Opt-in consent isn't only legally mandated, but a common-sense requirement."</p><h2 id="linkedin-u-turn-welcomed-by-privacy-watchdog">LinkedIn U-turn welcomed by privacy watchdog</h2><p>LinkedIn has since backed down, however, and will no longer apply the policy in the UK, along with the EU, the European Economic Area, and Switzerland.</p><p>In a statement, Blake Lawit, SVP and general counsel at LinkedIn, said the company has changed its user agreement to include more details on its content recommendation and content moderation practices, along with new provisions relating to generative AI.</p><p>The privacy policy, meanwhile, now has more information on how user data is harnessed to develop products and services. This includes details on how user data is used to train AI models. </p><p>"We are not enabling training for generative AI on member data from the European Economic Area, Switzerland, and the United Kingdom, and will not provide the setting to members in those regions until further notice,” Lawit added.</p><p>The ICO has welcomed the decision, noting in a statement that LinkedIn has taken on board key concerns raised about its approach to <a href="https://www.itpro.com/technology/artificial-intelligence/generative-ai-training-in-the-crosshairs-as-ico-set-to-examine-legality-of-personal-data-use">AI training</a>. 
</p><p>"We are pleased that LinkedIn has reflected on the concerns we raised about its approach to training generative AI models with information relating to its UK users,” said Stephen Almond, ICO executive director, regulatory risk.</p><p>"In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset."</p><p>The use of user data for training AIs has become a controversial one. Earlier this year, Meta halted the use of the data of UK Facebook and Instagram data for this after the ICO raised concerns.</p><p>The company has <a href="https://www.itpro.com/security/data-protection/meta-to-go-ahead-with-plans-to-use-uk-data-for-ai-training">since started using UK data once again under an altered consent model</a>, claiming it satisfied the ICO's demands. </p><p>The ICO said it will continue to monitor the situation with Meta - and the same, Almond said, will be true of LinkedIn.</p><p>“We will continue to monitor major developers of generative AI, including Microsoft and LinkedIn, to review the safeguards they have put in place and ensure the information rights of UK users are protected," he said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ UK's data protection watchdog deepens cooperation with National Crime Agency ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/uk-s-data-protection-watchdog-deepens-cooperation-with-national-crime-agency</link>
                                                                            <description>
                            <![CDATA[ The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">575tSDTARjuuKo7qW4Paib</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Pz3CFWeJxcZh89pBoB28YV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 13 Sep 2024 05:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Pz3CFWeJxcZh89pBoB28YV-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Mockup image with padlocks to symbolise a cyber security vulnerability]]></media:description>                                                            <media:text><![CDATA[Mockup image with padlocks to symbolise a cyber security vulnerability]]></media:text>
                                <media:title type="plain"><![CDATA[Mockup image with padlocks to symbolise a cyber security vulnerability]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Pz3CFWeJxcZh89pBoB28YV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK's <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> and National Crime Agency (NCA) are planning to improve the support they give to organizations experiencing <a href="https://www.itpro.com/security/cyber-attacks">cyber attacks</a>.</p><p>In a Memorandum of Understanding (MoU), the two agencies set out plans to make sure that victims are signposted to relevant bodies, such as the <a href="https://www.itpro.com/security/what-is-the-national-cyber-security-centre-ncsc-and-what-does-it-do">National Cyber Security Centre (NCSC)</a>, and are empowered to report cyber crime at the earliest opportunity.</p><p>“Unfortunately, we’ve seen cyber crime costing UK firms billions over the past years. That’s why it’s crucial that relevant bodies work together to boost the <a href="https://www.itpro.com/security/kings-speech-cybersecurity-in-the-spotlight-as-government-promises-new-efforts-to-lock-down-insecure-it-supply-chains">UK’s cyber resilience</a>," said Stephen Bonner, ICO deputy commissioner - regulatory supervision.</p><p>"This new memorandum of understanding builds on our existing relationship with the NCA and will help improve <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> standards across the board, while respecting each other’s remits."</p><p>The MoU commits the ICO and NCA to encourage organizations to engage with the NCA on cybersecurity matters, including the response to cyber crime, promising that the NCA will never pass on information shared in confidence without having first received the organization's consent. 
</p><p>The ICO will also share information about cyber incidents with the NCA on an anonymized, systemic, and aggregated basis - and on an organization-specific basis where appropriate - to help protect the public from serious and organized crime.</p><p>Where the ICO and NCA are both engaged in a cyber incident, they'll work together to minimize disruption to the organization’s efforts to contain and mitigate harm.</p><p>Similarly, the two agencies will also work together to promote learning, provide consistent guidance, and improve standards on cyber-related matters while continuing to work closely with the National Cyber Security Centre (NCSC).</p><p>The NCA noted that organizations have a legal responsibility – under both data protection law and the <a href="https://www.itpro.com/policy-legislation/it-regulation/369630/uk-updates-nis-regulations-bringing-stricter-rules-for-msps">Network and Information Systems Regulations</a> – to report incidents that meet a certain threshold. </p><p>There’s a huge amount of assistance on offer, the crime agency added, including tailored technical advice, the creation of secure communication channels, insight into an attacker’s possible motivations, and strategic advice on how to engage with the rest of government, regulators, and the media.</p><p>"The NCA leads a whole-system response to cyber crime, disrupting cyber criminals and putting them before the courts wherever possible," said NCA deputy director Paul Foster, head of the National Cyber Crime Unit. </p><p>"Organizations who are vulnerable to imminent attack or find themselves a victim also need support and guidance, and we work closely with our partners to provide this."</p><p>"We are pleased to be making this commitment with the Information Commissioner’s Office; this agreement signifies our common goal of establishing and maintaining a secure and resilient cyber ecosystem for all."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO slams Electoral Commission over security failures ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/ico-slams-electoral-commission-over-security-failures</link>
                                                                            <description>
                            <![CDATA[ The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Uhe6s6rEiGaKTrDamyRRYJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/fKLZvXHTz5QeJSdQoyn4tH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 31 Jul 2024 15:19:49 +0000</pubDate>                                                                                                                                <updated>Thu, 01 Aug 2024 11:47:38 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/fKLZvXHTz5QeJSdQoyn4tH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Polling station sanctioned by the Electoral Commission pictured ahead of the 2024 UK general election.]]></media:description>                                                            <media:text><![CDATA[Polling station sanctioned by the Electoral Commission pictured ahead of the 2024 UK general election.]]></media:text>
                                <media:title type="plain"><![CDATA[Polling station sanctioned by the Electoral Commission pictured ahead of the 2024 UK general election.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/fKLZvXHTz5QeJSdQoyn4tH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> has reprimanded the Electoral Commission for basic security failings that exposed personal data belonging to 40 million voters.</p><p>Two years ago, <a href="https://www.itpro.com/security/electoral-commission-hit-by-complex-15-month-cyber-attack">hackers successfully accessed the Electoral Commission’s Microsoft Exchange Server</a> by impersonating a user account and exploiting known software vulnerabilities in the system.</p><p>For more than a year, they had access to the personal information held on the Electoral Register, including names and home addresses - and the servers were accessed on several occasions without the Electoral Commission’s knowledge.</p><p>The attack was <a href="https://www.itpro.com/security/cyber-attacks/security-experts-raise-questions-about-uk-cyber-funding-in-wake-of-electoral-commission-hack">widely attributed to Chinese state-sponsored attackers</a>.</p><p>Following an investigation into the matter, the ICO found the Electoral Commission didn&apos;t have appropriate security measures in place to protect the personal information it was holding.</p><p>In particular, the watchdog said it failed to keep servers up to date with the latest security updates. 
The security patches for the vulnerabilities exploited in the cyber attack were released in April and May 2021, months before the attack.</p><p>Meanwhile, the Electoral Commission also had inadequate <a href="https://www.itpro.com/security/cyber-security/360865/better-patch-management-and-password-policies-cut-cyber-attacks-by">password policies</a> in place, according to the ICO, with many accounts still using passwords identical or similar to the ones originally allocated by the service desk.</p><p>"If the Electoral Commission had taken basic steps to protect its systems, such as effective security patching and password management, it is highly likely that this data breach would not have happened. By not installing the latest security updates promptly, its systems were left exposed and vulnerable to hackers," said Stephen Bonner, deputy commissioner at the ICO.</p><p>"I know the headline figures of 40 million people affected caused considerable public alarm when news of this breach emerged last year. 
I want to reassure the public that while an unacceptably high number of people were impacted, we have no reason to believe any personal data was misused and we have found no evidence that any direct harm has been caused by this breach."</p><p>The Electoral Commission has since taken steps to improve its security, including implementing a plan to modernize its infrastructure, as well as password policy controls and multi-factor authentication for all users.</p><p>But BCS fellow Dan Card said the breach shouldn&apos;t come as a surprise.</p><p>"This scenario isn&apos;t even an edge case — it reflects the state of a significant number of organizations, including some <a href="https://www.itpro.com/security/cyber-attacks/security-agencies-warn-of-heightened-threat-to-critical-national-infrastructure">critical national infrastructure</a>," he said.</p><p>"Reports indicate that the threat actors exploited ProxyShell, a vulnerability that was extensively 
discussed and addressed within the <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> community. The organization&apos;s failure to act promptly is a glaring oversight, compounding the severity of the other findings."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firms ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/disgruntled-ex-employees-are-using-weaponized-data-subject-access-requests-to-pester-firms</link>
                                                                            <description>
                            <![CDATA[ Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ZndxVSAFNfBDaJ4uPTL3RF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/28gvKk5842eoMNZPr3KgEc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 04 Jun 2024 09:45:42 +0000</pubDate>                                                                                                                                <updated>Tue, 04 Jun 2024 11:50:12 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/28gvKk5842eoMNZPr3KgEc-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Female office worker shouting in a colleague&#039;s ear using a megaphone.]]></media:description>                                                            <media:text><![CDATA[Female office worker shouting in a colleague&#039;s ear using a megaphone.]]></media:text>
                                <media:title type="plain"><![CDATA[Female office worker shouting in a colleague&#039;s ear using a megaphone.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/28gvKk5842eoMNZPr3KgEc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>New data shows the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> received more than 15,000 complaints about mishandled Data Subject Access Requests (DSARs) in 2023 – and many are being made by disgruntled ex-employees.</p><p>Launching new guidelines on how to respond to DSARs, the ICO recently revealed that the number of complaints it received increased by 13.5% in 2023 compared with the previous year, hitting a total of 15,335.</p><p>They amounted to 45% of all complaints received by the ICO.</p><p>The ICO is keen to make sure that organizations understand their obligations and respond appropriately.</p><p>"What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests," said Elanor McCombe, ICO policy group manager.</p><p>"For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realize that there is a strict time frame for responding to requests, and this must be kept to."</p><p>It&apos;s misunderstandings like this that lead to many complaints. However, according to Deborah Margolis, senior associate at GQ|Littler, many DSARs are from disgruntled former employees who use the data as a &apos;fishing expedition&apos; to obtain copies of documents pre-disclosure, or as a strategy to encourage the employer to reach a settlement with them.</p><p>"Responding to DSARs can take up a significant amount of business resources in terms of both cost and management time. Bearing in mind how much data we create and process about employees on a daily basis, the time spent trawling through documents is overwhelming for many businesses," she said.</p><p>"DSARs were intended to help individuals to determine if their personal data was being mishandled but some individuals have now weaponized DSARs with the intention of causing disruption for employers and forcing them into reaching favorable settlements."</p><p>Earlier this year, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests, while in September 2022 it took action against seven organizations that failed to respond to DSARs.</p><p>However, following Brexit, the government has proposed amendments to UK data protection law that would shift it away from <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR</a>, with a new <a href="https://www.itpro.com/business/policy-and-legislation/data-protection-and-digital-information-dpid-bill-small-businesses">Data Protection and Digital Information Bill</a> expected to pass this year.</p><p>This, the law firm said, is expected to make compliance with DSARs less burdensome for businesses. In particular, it would be easier for organizations to reject or charge a fee for ‘vexatious’ DSARs.</p><p>"This would be a welcome change for employers, many of whom feel that the existing rules allow too many opportunities for abuse," Margolis said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO reprimands Coventry school over repeated data protection failures ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/ico-reprimands-coventry-school-over-repeated-data-protection-failures</link>
                                                                            <description>
                            <![CDATA[ The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">K2kYJBndbXw59pDpJSUUdb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/j3qKLuBJWSTwFybkYhYiMH-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 22 Jan 2024 13:20:38 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/j3qKLuBJWSTwFybkYhYiMH-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Warning symbol in yellow pictured on a digital blue background signifying a security alert]]></media:description>                                                            <media:text><![CDATA[Warning symbol in yellow pictured on a digital blue background signifying a security alert]]></media:text>
                                <media:title type="plain"><![CDATA[Warning symbol in yellow pictured on a digital blue background signifying a security alert]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/j3qKLuBJWSTwFybkYhYiMH-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office</a> (ICO) has reprimanded a Coventry school for data breaches after its IT system was hacked several times.</p><p>Finham Park Multi Academy Trust received a slap on the wrist for failing to ensure the confidentiality and integrity of systems and services, or to implement the right technical and organizational measures to ensure appropriate security.</p><p>The data watchdog said an unauthorized third party used compromised credentials to access and encrypt Finham Park’s system, which resulted in the exposure of data belonging to more than 1,800 people.</p><p>The failure marked a repeat offense, the ICO added.</p><p>"Finham Park reported three similar incidents to the Commissioner and each time the Commissioner provided guidance to Finham Park, which set out the importance of implementing appropriate password policies and account management procedures," the ICO said in a statement.</p><p>"Finham Park failed to follow this guidance and failed to implement appropriate technical and organizational measures to secure its systems."</p><p>In particular, the school had an inadequate account lockout policy, with reversible password encryption enabled, and didn&apos;t have <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">multi-factor authentication</a> (MFA) in place. The academy also failed to make sure employees had sufficient knowledge and understanding around the <a href="https://www.itpro.com/security/361695/over-90-of-it-decision-makers-reuse-passwords">re-use of passwords</a>.</p><p>"The NCSC emphasizes that passwords should not be re-used across accounts," the watchdog said. "Had Finham Park educated its employees on password management more effectively, it is possible that this incident could have been avoided."</p><p>It appears that the school has finally got the message.</p><p>"The Commissioner has also considered and welcomes the remedial steps taken by Finham Park in light of this incident," the ICO added in its statement.</p><p>"In particular, Finham Park restored its systems from backups, implemented MFA across the trust, and signed off a <a href="https://www.itpro.com/strategy/29899/three-reasons-why-digital-transformation-is-essential-for-business-growth">digital transformation</a> project plan, which included credential monitoring."</p><p>The reprimand reinforces the need for educational institutions to have robust IT security policies and procedures in place, given the sensitivity and large amount of data they hold, according to solicitor Laura Rae of Forbes Solicitors.</p><p>"By having clear password policies and lockout procedures, schools should significantly reduce the likelihood of cyber-security incidents occurring, but then also have a clear process for managing and mitigating the effects of these incidents when they occur," she said.</p><p>"Alongside this, staff should be made aware of the importance of password security and regularly updating passwords, as part of regular data protection training."</p><p>While reprimands don&apos;t carry any financial penalty, they work to &apos;name and shame&apos; organizations, bringing reputational damage and possibly forming evidence in claims for compensation for a data breach.</p><p>The ICO issues reprimands in cases where it has found a breach of the UK GDPR, but believes that the breach isn&apos;t serious enough to attract a fine. These are often given to public sector organizations, rather than issuing a fine which would then have to be paid for out of public funds.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Generative AI training in the crosshairs as ICO set to examine legality of personal data use ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/technology/artificial-intelligence/generative-ai-training-in-the-crosshairs-as-ico-set-to-examine-legality-of-personal-data-use</link>
                                                                            <description>
                            <![CDATA[ Generative AI training methods have become a contentious issue in recent months amid data privacy concerns and a slew of lawsuits against major industry players ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Vm5FisvEPeJtS9HAYMGwHH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VUPqtH7Ca2pC3cqkvYLP86-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Jan 2024 11:15:24 +0000</pubDate>                                                                                                                                <updated>Tue, 16 Jan 2024 17:54:49 +0000</updated>
                                                                                                                                            <category><![CDATA[Artificial Intelligence]]></category>
                                                    <category><![CDATA[Technology]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VUPqtH7Ca2pC3cqkvYLP86-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Generative AI training concept art showing data flows on a black background with blue and red lines]]></media:description>                                                            <media:text><![CDATA[Generative AI training concept art showing data flows on a black background with blue and red lines]]></media:text>
                                <media:title type="plain"><![CDATA[Generative AI training concept art showing data flows on a black background with blue and red lines]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VUPqtH7Ca2pC3cqkvYLP86-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The legality of generative AI training methods is set to be examined by the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> amid concerns over the use of personal data.</p><p>AI training methods have been a key talking point in recent months due to the manner in which large language models (LLMs) are built. LLMs such as <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369965/what-is-chatgpt-and-what-does-it-mean-for-businesses">ChatGPT</a> are typically built using vast amounts of data collected through web scraping.</p><p>However, these practices have raised concerns both about data privacy and the legal repercussions for developers that fall foul of <a href="https://www.itpro.com/technology/artificial-intelligence/more-authors-join-chatgpt-training-data-copyright-lawsuit">copyright laws</a>.</p><p>The ICO said conversations with developers in the AI space have highlighted several areas where organizations seek greater clarity around how data protection laws apply to the development and use of <a href="https://www.itpro.com/technology/artificial-intelligence-ai/369959/what-is-generative-ai">generative AI</a>.</p><p>This includes questions over the appropriate lawful basis for training generative AI models, and how the purpose limitation principle plays out in the context of <a href="https://www.itpro.com/technology/artificial-intelligence-ai/370345/tech-pioneers-call-for-six-month-pause-ai-development-out-of-control">generative AI development</a> and deployment.</p><p>There are also lingering questions about complying with the accuracy principle, as well as the expectations in terms of complying with data subject rights.</p><p>Over the coming months, the ICO said it plans to release guidance on its position on the matter, outlining how specific requirements of UK <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR</a> and the <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act</a> (2018) could impact generative AI training methods.</p><p>"The impact of generative AI can be transformative for society if it’s developed and deployed responsibly," said Stephen Almond, the ICO&apos;s executive director for regulatory risk.</p><p>"This call for views will help the ICO provide industry with certainty regarding its obligations and safeguard people’s information rights and freedoms."</p><h2 id="generative-ai-training-and-x2018-legitimate-interest-x2019">Generative AI training and ‘legitimate interest’</h2><p>Under the UK GDPR, the interest pursued by the data processing must be legitimate, the processing must be necessary for that purpose, and the individual’s interests must not override the interest being pursued.</p><p>The ICO said its current thinking is that legitimate interests can be a valid lawful basis for training generative AI models on web scraped data, as long as the model developer can ensure they pass this three-part test.</p><p>The developer’s interest could be simply the business interest in developing a model and deploying it for commercial gain, or wider societal interests - as long as the developer can evidence the model’s specific purpose and use.</p><p>As for necessity, the ICO recognizes that, currently, most generative AI training is only possible using data obtained through large-scale scraping.</p><p>With the &apos;balancing&apos; test, the data watchdog noted that things can be complicated depending on whether generative AI models are deployed by the initial developer, by a third party through an API, or simply provided to third parties.</p><p>The ICO said it will engage with stakeholders from across the technology industry as part of the investigation, including developers and users of generative AI, legal advisors and consultants working in the space, civil society groups, and public bodies with an interest in generative AI.</p><p>The first <a href="https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-series-on-generative-ai-and-data-protection/">consultation</a> is open until 1 March, with future consultations planned during the first half of this year to examine issues such as the accuracy of generative AI outputs.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO dishes out fine to HelloFresh for marketing spam campaign ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/ico-dishes-out-fine-to-hellofresh-for-marketing-spam-campaign</link>
                                                                            <description>
                            <![CDATA[ HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">w8qRYXi8X5RgKEXm7SMkSm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4CaKz9WACSEjNjfb6uMk8A-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Jan 2024 12:04:16 +0000</pubDate>                                                                                                                                <updated>Tue, 16 Jan 2024 19:44:23 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4CaKz9WACSEjNjfb6uMk8A-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[HelloFresh logo displayed on a smartphone with branding and logo on white background]]></media:description>                                                            <media:text><![CDATA[HelloFresh logo displayed on a smartphone with branding and logo on white background]]></media:text>
                                <media:title type="plain"><![CDATA[HelloFresh logo displayed on a smartphone with branding and logo on white background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4CaKz9WACSEjNjfb6uMk8A-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Recipe kit delivery service HelloFresh has been fined £140,000 by the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner&apos;s Office</a> (ICO) for pestering customers with tens of millions of spam messages.</p><p>According to the <a href="https://www.itpro.com/security/data-protection">data protection</a> regulator, the company sent 79 million spam emails and a million texts in just seven months. The messages were sent on the basis of an opt-in statement which the ICO said didn&apos;t make any reference to the sending of <a href="https://www.itpro.com/development/web-development/368206/what-is-seo-marketing">marketing</a> via text.</p><p>Although there was a reference to marketing via email, this came as part of an age confirmation statement which the regulator said was likely to incentivize customers to agree.</p><p>The message read: "Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old".</p><p>Customers also weren&apos;t properly warned that their data would continue to be used for marketing purposes for up to 24 months after they had cancelled their subscriptions.</p><p>"This marked a clear breach of trust of the public by HelloFresh," said Andy Curry, head of investigations at the <a href="https://www.itpro.com/tag/ico">ICO</a>.</p><p>"Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn&apos;t want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued."</p><h2 id="hellofresh-complaints-began-in-2022">HelloFresh complaints began in 2022</h2><p>The ICO investigation began in March 2022 following complaints made to both the ICO and to the 7726 spam message reporting service. In some cases, the company carried on contacting people even after they had asked for this to stop.</p><p>"I had previously bought from this company and ensured that I did not consent to marketing material. I was not happy with their service so cancelled my subscription," one complainant said.</p><p>“Recently (last 1-2 months) I have started regularly receiving unsolicited advertising emails from the company, and now they are sending unsolicited text messages."</p><p>The emails and texts were sent in contravention of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR), the investigation found.</p><p>The opt-out consent statement wasn&apos;t, as it should have been, &apos;specific&apos; and &apos;informed&apos;, as it didn&apos;t mention SMS, was unclear and bundled with other aspects, and didn&apos;t highlight the fact that customers would carry on receiving messages after they cancelled their HelloFresh subscription.</p><p>"In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed," Curry said. "We will always protect the right of customers to choose how their data is used."</p><p>The ICO said it&apos;s issued more than £2.44 million in fines against companies responsible for nuisance calls, texts and emails since April 2023, with another £2.8 million in 2021/22.</p><p>In December, it took action against Daniel George Bentley and his firm Taipan Trading for sending 2.5 million unsolicited direct marketing text messages, issuing an enforcement notice.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO fines topped $14 million in 2023 amid crackdown by regulator on data protection standards ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/ico-fines-topped-dollar14-million-in-2023-amid-crackdown-by-regulator-on-data-protection-standards</link>
                                                                            <description>
                            <![CDATA[ ICO fines across 2023 exceeded £14 million, with TikTok among the worst-hit for data protection violations ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">p2BAKXH8FCV2w36JbGUyfm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ENwAjoGBgUPcK89tuSbxGP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 05 Jan 2024 11:43:32 +0000</pubDate>                                                                                                                                <updated>Fri, 05 Jan 2024 14:54:33 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ENwAjoGBgUPcK89tuSbxGP-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A photo of a silhouette of a hand holding a gavel is in the foreground, with a futuristic mesh of blue lines in the background]]></media:description>                                                            <media:text><![CDATA[A photo of a silhouette of a hand holding a gavel is in the foreground, with a futuristic mesh of blue lines in the background]]></media:text>
                                <media:title type="plain"><![CDATA[A photo of a silhouette of a hand holding a gavel is in the foreground, with a futuristic mesh of blue lines in the background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ENwAjoGBgUPcK89tuSbxGP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office</a> (ICO) fined businesses more than £14.3 million for misusing data last year, according to an analysis by cyber security and data protection consultancy CSS Assure.</p><p>ICO fines were imposed on 18 businesses, with the ICO also reprimanding 36 companies, issuing enforcement notices against a further 19, and prosecuting four businesses for failing to meet their obligations on information rights.</p><p>The year&apos;s largest fine, £12.7 million, was imposed on social media platform TikTok for breaching data protection law around the use of children’s personal data, with the ICO estimating that up to 1.4 million under-13s in the UK were able to use the video sharing app in 2020.</p><p>Charlotte Riley, director of information security at CSS Assure, said the ICO fines underline the serious repercussions faced by businesses for failing to adhere to robust data protection standards.</p><p>"The fines imposed by the ICO in 2023 highlight the serious consequences of misusing data," she said. "Mishandling personal information not only violates data protection laws but also erodes trust among consumers."</p><p>"TikTok’s £12.7 million penalty underscores the importance of lawful use of personal data and implementing appropriate safeguards, especially when it involves children," Riley added. "TikTok is a large, well-known brand, and its fine was substantial due to the sheer amount of data involved."</p><h2 id="ico-fines-issued-for-marketing-violations">ICO fines issued for marketing violations</h2><p>There were a combined £310,000 in ICO fines for three marketing firms found to be making a total of 483,051 unsolicited marketing calls to businesses and sending 107 million spam emails to jobseekers, analysis from CSS Assure revealed. 
</p><p>Similarly, two energy firms were fined a combined £250,000 for making marketing calls to people on the UK’s ‘do not call’ register.</p><p>A business support consultancy was also fined £30,000 for sending 558,354 direct marketing SMS messages without valid consent while an appliance service and repair company was fined £200,000 for making more than 1.7 million unsolicited direct marketing calls.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="jsDf3jLZpHDSCdinKXkGKb" name="security_padlock_GettyImages-1472032995 (1).jpg" caption="" alt="A digital padlock pictured on a circuit board" src="https://cdn.mos.cms.futurecdn.net/jsDf3jLZpHDSCdinKXkGKb.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Getty Images)</span></figcaption></figure><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/data-breaches/almost-one-third-of-data-breaches-reported-to-ico-came-from-outsiders">Almost one-third of data breaches reported to ICO came from outsiders</a><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/surge-in-workplace-monitoring-prompts-new-ico-guidelines-on-employee-privacy">Surge in workplace monitoring prompts new ICO guidelines on employee privacy</a><a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/ico-threatens-to-name-and-shame-cookie-consent-rogues">ICO threatens to name and shame cookie consent rogues</a></p></div></div><p>During the second half of the year, 10 companies were collectively fined more than £800,000 for sending a total of 
4,698,841 unwanted text messages, 39,906,342 emails, and making 1,937,028 nuisance phone calls.</p><p>Riley said the sharpened focus on cracking down on nuisance calls and spam marketing tactics serves a clear message to organizations across the country for the year ahead.</p><p>"The fines imposed on businesses for unsolicited calls and text messages, and spam emails, as well as firms for disregarding the &apos;do not call&apos; register, demonstrate the significant impact of invasive marketing practices," she said.</p><p>"These penalties send a clear message that companies must respect individuals’ privacy preferences and refrain from bombarding them with unwanted communications."</p><h2 id="the-ico-had-a-x201c-busy-year-x201d-in-2023">The ICO had a “busy year” in 2023</h2><p>The ICO described 2023 as &apos;a busy year&apos;, noting that it handled 116,000 business service calls and 70,000 public advice calls. </p><p>The watchdog also received more than 33,000 <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures">data protection complaints</a> and over 7,000 FOI complaints, with 288 investigations opened and 346 closed.</p><p>Its priorities for this year, it said, are to support the new <a href="https://www.itpro.com/business/policy-and-legislation/data-protection-and-digital-information-dpid-bill-small-businesses">Data Protection and Digital Information (DPDI) bill</a> as it makes its way through Parliament, and to set out clear expectations that privacy and <a href="https://www.itpro.com/technology/artificial-intelligence">artificial intelligence</a> (AI) go hand in hand.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="FzDEWPg3WQaL7frXgSRaPo" name="A journey to cyber resilience_listing.jpg" 
caption="" alt="An eBook from SecurityScorecard on how to measure your business' cyber resilience" src="https://cdn.mos.cms.futurecdn.net/FzDEWPg3WQaL7frXgSRaPo.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: SecurityScorecard)</span></figcaption></figure><p class="fancy-box__body-text"><em>Enhance your organization’s cyber resilience with proactive threat intelligence</em><br><br><a data-analytics-id="inline-link" href="https://www.itpro.com/security/a-journey-to-cyber-resilience">DOWNLOAD NOW</a></p></div></div><p>Speaking at TechUK’s Digital Ethics Summit last month, information commissioner John Edwards said the regulator will be taking a measured approach to <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a> in 2024, but warned businesses that data privacy standards must be a key consideration.</p><p>"I want to make it clear from the very start that we are not against organizations using AI," he said.</p><p>"We just want to ensure that they are using AI in sensible, privacy-respectful ways, ensuring that people’s personal information and privacy rights remain protected throughout."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Using Excel for data analysis vs management ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/using-excel-for-data-analysis-vs-management</link>
                                                                            <description>
                            <![CDATA[ With many public sector organizations using Excel for data analysis and management, what are the risks and benefits of each approach? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">SwVoDZfUUvpKnfwmnnb9MX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CYwBvmmqU5ZvgFF5jipEUF-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 Dec 2023 12:47:05 +0000</pubDate>                                                                                                                                <updated>Fri, 17 May 2024 15:12:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kate O&#039;Flaherty ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LUULv6n7VJ3BHPnaoLHHdg.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/CYwBvmmqU5ZvgFF5jipEUF-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A 2D graphic depicting a Microsoft Excel spreadsheet. Behind the spreadsheet, a dark green shape with cogs on it can be seen, to represent data analysis. In one corner, a businessman holds an oversized magnifying glass to focus on highlighted cells on the spreadsheet, and in the other corner a block carries math symbols.]]></media:description>                                                            <media:text><![CDATA[A 2D graphic depicting a Microsoft Excel spreadsheet. Behind the spreadsheet, a dark green shape with cogs on it can be seen, to represent data analysis. In one corner, a businessman holds an oversized magnifying glass to focus on highlighted cells on the spreadsheet, and in the other corner a block carries math symbols.]]></media:text>
                                <media:title type="plain"><![CDATA[A 2D graphic depicting a Microsoft Excel spreadsheet. Behind the spreadsheet, a dark green shape with cogs on it can be seen, to represent data analysis. In one corner, a businessman holds an oversized magnifying glass to focus on highlighted cells on the spreadsheet, and in the other corner a block carries math symbols.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CYwBvmmqU5ZvgFF5jipEUF-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft’s Excel is cost-effective and easy to use, which are major draws for public sector organizations and small businesses. However, Excel has been under the spotlight over the last few months after the data breaches at the Police Service of Northern Ireland (PSNI) saw personal information inadvertently exposed in spreadsheets shared as part of a <a href="https://www.itpro.com/policy-legislation/30218/what-is-a-freedom-of-information-foi-request"><u>Freedom of Information (FOI) request</u></a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="JsN9VN75xknNiXBEL7gN5X" name="GettyImages-1362619910-data-driven-decisions-crop.jpg" caption="" alt="A hand touching a screen upon which a visualization of data is displayed in a red and green box chart. It represents data-driven decision-making, with the person touching the screen deriving value from the graph." 
src="https://cdn.mos.cms.futurecdn.net/JsN9VN75xknNiXBEL7gN5X.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Getty Images)</span></figcaption></figure><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business/business-strategy/how-data-driven-decision-making-can-inform-the-channel" target="_blank">How data-driven decision-making can inform the channel</a></p></div></div><p>The fear of another high-profile incident was so great that in September, UK regulator the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico"><u>Information Commissioner’s Office (ICO)</u></a> issued a <a href="https://www.itpro.com/security/data-protection/ico-warns-against-excel-spreadsheets-to-curb-public-sector-data-breaches"><u>warning against using Excel spreadsheets</u></a> when responding to FOI requests.</p><p>There’s no doubt Excel is a flexible tool for <a href="https://www.itpro.com/strategy/29269/what-is-data-management"><u>data management</u></a> and analysis, but its openness can lead to security concerns and leave it vulnerable to breaches of regulation such as the <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know"><u>General Data Protection Regulation (GDPR)</u></a>.</p><p>Many public sector organizations are currently using Excel to manage and analyze their data. What are the risks and benefits of each approach?</p><h2 id="how-easy-is-it-to-use-excel-for-data-analysis">How easy is it to use Excel for data analysis?</h2><p>Excel is well-known and has been around for a long time so ease of use is one of its biggest benefits, says Katie McCullough, CISO at Panzura. 
“Virtually everyone knows how to navigate an Excel spreadsheet and that&apos;s a huge plus when you&apos;re trying to implement a system across an organization with varying levels of technical skill.”</p><p>Excel enables a variety of data manipulations and calculations, which is why it&apos;s often leaned on for <a href="https://www.itpro.com/business-intelligence/28220/what-is-data-analytics"><u>data analytics</u></a>, says McCullough. It’s also specifically aimed at business users and the <a href="https://www.itpro.com/operating-systems/microsoft-windows/356801/need-excel-training-try-these-10-cheap-or-free-options"><u>best Excel courses</u></a> can teach employees how to use the software to dramatically improve their efficiency at work. However, she says, Excel’s accessibility can be a “double-edged sword”. </p><p>When using the tool for data management, Excel&apos;s openness can lead to significant security concerns, says McCullough. “When you&apos;re handling sensitive public sector data, the unstructured nature of Excel can make it difficult to maintain control over who has access to the information and how it&apos;s being altered.”</p><p>Auditability can also be a challenge. “If you can&apos;t track the provenance of the data or the changes made to it, you&apos;re going to run into problems when you need to substantiate your findings or decisions,” says McCullough. 
“While Excel is a powerful tool for analysis, its use for managing data – especially sensitive information – requires careful consideration of these inherent risks.”</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="3eEDrX7h6oGDSPSq46Qh9S" name="Building an outstanding digital experience_listing.jpg" caption="" alt="Whitepaper from BT on how to build an outstanding digital experience" src="https://cdn.mos.cms.futurecdn.net/3eEDrX7h6oGDSPSq46Qh9S.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: BT)</span></figcaption></figure><p class="fancy-box__body-text"><em>Discover how banks and financial services organizations can deliver the digital experiences customers expect</em><br><br><br><a data-analytics-id="inline-link" href="https://www.itpro.com/business/digital-transformation/building-an-outstanding-digital-experience">DOWNLOAD NOW</a></p></div></div><p>While sensitive data can be easily stored in Excel spreadsheets, this can be hard to do in compliance with <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures"><u>data protection policies and procedures</u></a>. Indeed, Excel was never designed as a <a href="https://www.itpro.com/data-management/30216/three-keys-to-successful-data-management"><u>data management</u></a> tool: It is “simply too easy” for users to expose sensitive information to unintended audiences, says Nelson Petracek, CTO at business planning company Board International. 
</p><p>“Data is not managed in a way that is easily controlled or secured, and users can hide information via hidden tabs and columns, embedded data elements, formatting – or even by moving it to an area outside of the normal viewpoint,” Petracek says.</p><p>“This makes it difficult to determine if sensitive data exists in a workbook or Excel application.”</p><p>Security in Excel is typically set at a workbook or worksheet level, which is “simply not a fine enough level of granularity to ensure proper data security and privacy”, adds Petracek. “It is also easy to send files over insecure channels, lose track of versions, or for files to be sent or carried outside of an organization’s firewall.”</p><h2 id="the-risk-of-excel-macros">The risk of Excel macros</h2><p>Another security issue that has already been the subject of a <a href="https://www.ncsc.gov.uk/guidance/macro-security-for-microsoft-office"><u>warning</u></a> by the UK’s National Cyber Security Centre (NCSC) is macros. These are action scripts used to automate tasks in Excel and are often helpful for obtaining insights within the software. But they can also negatively impact security as Blake Jeffrey, general manager, security and identity at Intelliworx, tells <em>ITPro</em>. “Macros are often created for legitimate reasons, but they can also be used by attackers to gain access to or harm a system, or to bypass other security controls.”</p><p>At the same time, building a proper <a href="https://www.itpro.com/policy-legislation/data-governance/369834/building-a-data-governance-strategy">data governance strategy</a> and meeting compliance checks can be a challenge with Excel, says Jeffrey. “Excel lacks the specific features needed to manage complex tasks related to GDPR for example, such as data mapping, consent management, and data subject access request handling.”</p><p>The issue is not unique to UK organizations, as the US is impacted by security and data protection concerns too. 
“In the US and UK, public sector organizations often deal with sensitive data and Excel may not provide the level of security required,” says Jasmine Harrison, account manager at Data Protection People. </p><p>Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) “emphasize stringent data protection measures”, she points out.</p><p>Beyond regulation, Microsoft’s <a href="https://support.microsoft.com/en-us/office/using-access-or-excel-to-manage-your-data-09576147-47d1-4c6f-9312-e825227fcaea" target="_blank"><u>own guidance</u></a> recommends using Excel for data analysis and its software Access for data management – but this is frequently ignored. Experts say Access is a more structured and secure database management system. However, Excel&apos;s familiarity and popularity can make it the go-to choice, even when it&apos;s not the best fit for data management, says Harrison. </p><p>Excel is also readily available as part of the Microsoft Office suite that most organizations already have, McCullough points out. This means that despite the best intentions of Microsoft&apos;s guidance, the “convenience and familiarity of Excel” often leads to its use in scenarios better suited for a dedicated database management system such as Access. 
But this doesn’t make Excel the best option for <a href="https://www.itpro.com/data-insights/databases/357305/how-to-improve-database-costs-performance-and-value"><u>database costs, performance, and value</u></a> in the long run.</p><h2 id="alternatives-to-excel-for-data-management">Alternatives to Excel for data management</h2><p>It’s clear Excel is not fit for purpose when it comes to storing sensitive data, but what’s the alternative? While there are other options available, many of the pitfalls are the same, says McCullough. “It’s important to weigh the options against the risks, especially given the recent ICO guidance. The ICO emphasizes the importance of data integrity and security, which are critical for any organization, regardless of size.”</p><p>For smaller organizations, the key is to find solutions that maintain the simplicity and user-friendliness of Excel while offering enhanced security and data management features, says McCullough. </p><p><a href="https://www.itpro.com/business-operations/productivity/363979/google-sheets-vs-microsoft-excel">Google Sheets is one alternative to Excel</a>. “It&apos;s a familiar spreadsheet environment with the added advantage of automatic <a href="https://www.itpro.com/cloud/cloud-storage/368014/what-is-google-cloud-storage">Google cloud storage</a> and version control, which is not a perfect solution, but can help with data integrity,” McCullough says. It also allows for easier control of user access, which she says “aligns somewhat” with the ICO&apos;s emphasis on data protection.</p><p>While other options are available, the likes of OneTrust might be too expensive for smaller organizations, says Harrison. 
With this in mind, she recommends alternatives such as DataWise, which “may be more budget-friendly in comparison”.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="VUDZptndWJDCBjYxYfV9u6" name="python-code-GettyImages-1346778393.jpg" caption="" alt="Python code on a screen" src="https://cdn.mos.cms.futurecdn.net/VUDZptndWJDCBjYxYfV9u6.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Getty Images)</span></figcaption></figure><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/software/microsoft/could-python-in-excel-be-a-boon-for-cryptocurrency-miners">Could Python in Excel be a boon for cryptocurrency miners?</a></p></div></div><p>However, it&apos;s not just about picking a different spreadsheet tool: Organizations must understand the need for <a href="https://www.itpro.com/big-data-analytics/34532/structured-vs-unstructured-data-management">structured data management</a> practices, says McCullough. “Even with alternatives such as Google Sheets, the principles of good data management are the same – knowing where your data is, who has access to it, and ensuring it&apos;s backed up and recoverable in the event of an incident.”</p><p>To <a href="https://www.itpro.com/security/data-breaches/358455/10-ways-to-protect-your-company-from-the-next-big-data-breach">protect your company from the next big data breach</a>, it’s important to assess the tools you use for data management. Ease of use or employee familiarity should never come second to proper data controls.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO threatens to name and shame cookie consent rogues ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/privacy/ico-threatens-to-name-and-shame-cookie-consent-rogues</link>
                                                                            <description>
                            <![CDATA[ Websites failing on cookie consent have until January before the ICO takes action ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bX8f8TAFak6EFXmjSc5QJk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 22 Nov 2023 12:54:27 +0000</pubDate>                                                                                                                                <updated>Wed, 22 Nov 2023 14:50:23 +0000</updated>
                                                                                                                                            <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cookie banner displayed on a website]]></media:description>                                                            <media:text><![CDATA[Cookie banner displayed on a website]]></media:text>
                                <media:title type="plain"><![CDATA[Cookie banner displayed on a website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office</a> (ICO) has warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies. </p><p>The ICO said that some are failing to give users a clear choice about whether they want to opt in to personalized advertising, and to make it just as easy to &apos;reject all&apos; as to &apos;accept all&apos;.</p><p>While websites can still display adverts when users reject all tracking, they must not tailor these ads to the person browsing.</p><p>Stephen Almond, ICO executive director for regulatory risk, issued a warning to websites that consistently fail on <a href="https://www.itpro.com/network-internet/web-browser/369894/the-cookie-law-is-finally-crumbling-good-riddance">cookie consent</a>, adding that the regulator will clamp down on those who don’t comply.</p><p>"We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent,” he said.</p><p>"Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation."</p><p>Without naming names, the ICO said it has written to companies running some of the UK’s most-visited websites to voice concerns about their cookie consent policies.</p><p>The regulator has given them 30 days to ensure their websites comply with current legislation on the matter.</p><p>"Many of the biggest websites have got this right," said Almond. "We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences."</p><p>The ICO said it will provide an update on progress in January. For organizations that are still to comply, it will provide the public with details.</p><h2 id="cookie-consent-crackdown">Cookie consent crackdown</h2><p>The move follows a warning earlier this summer in which the ICO began assessing cookie consent banners. The regulator said at the time it would take action against those who don’t comply.</p><p>While the legal requirement for cookie banners derives from the <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR</a>, the UK&apos;s departure from the EU hasn&apos;t yet led to any change in the rules.</p><p>Companies are required to gain explicit consent from users before using <a href="https://www.itpro.com/marketing-comms/digital-marketing/367745/third-party-cookie-phase-out-adtech-apocalypse">marketing cookies</a> or trackers, and the buttons used for this must make it at least as easy to deny as to consent.</p><p>In the EU, rules are similar, although there&apos;s no clear rule that &apos;reject all&apos; must appear at the same time, and be as easy to choose as &apos;accept all&apos;.</p><p>Different countries within the union have slightly different policies. Austria and Spain, for example, require a &apos;reject all&apos; button in the first layer of the consent process while Germany does not.</p><p>Earlier this month, the European Data Protection Board (EDPB) published new guidelines on the use of cookies, clarifying which tracking techniques are covered.</p><p>"These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented," said EDPB chair Anu Talus.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ “Limited resources” scupper ICO probe into EasyJet breach ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/limited-resources-scuppers-ico-probe-into-easyjet-breach</link>
                                                                            <description>
                            <![CDATA[ The decision to drop the probe has been described as “deeply concerning” by security practitioners ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ypUAyZwQqDeWUhdCGveei3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/tVyZU3wyuhnaafMTDzfTWo-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 06 Nov 2023 12:44:31 +0000</pubDate>                                                                                                                                <updated>Mon, 06 Nov 2023 16:56:40 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ross Kelly is a staff writer at ITPro, ChannelPro, and CloudPro, with a keen interest in cyber security, business leadership and emerging technologies.&lt;/p&gt;
&lt;p&gt;He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In his spare time, Ross enjoys cycling, walking and is an avid reader of history and non-fiction.&lt;/p&gt;
&lt;p&gt;You can contact Ross at ross.kelly@futurenet.com or on &lt;a href=&quot;https://twitter.com/rosswritesetc&quot;&gt;Twitter&lt;/a&gt; and &lt;a href=&quot;https://www.linkedin.com/in/ross-kelly-18a54411a/&quot;&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/tVyZU3wyuhnaafMTDzfTWo-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[EasyJet aircraft cross each other while one of them taxis for take off at Orly International Airport on September 10, 2023 in Paris, France]]></media:description>                                                            <media:text><![CDATA[EasyJet aircraft cross each other while one of them taxis for take off at Orly International Airport on September 10, 2023 in Paris, France]]></media:text>
                                <media:title type="plain"><![CDATA[EasyJet aircraft cross each other while one of them taxis for take off at Orly International Airport on September 10, 2023 in Paris, France]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/tVyZU3wyuhnaafMTDzfTWo-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office</a> (ICO) in the UK has abandoned its probe into the 2020 data breach at budget airline EasyJet due to “limited resources”. </p><p>According to the watchdog, the continuation of an investigation into the data breach was not in its interests and failed to represent the best use of its resources. </p><p>The EasyJet hack remains one of the largest data breaches in UK history, with data belonging to around nine million customers exposed. </p><p>Information including names, email addresses, travel details, and credit card details was accessed in the breach.</p><p>Customers were warned at the time they could face heightened security threats, such as <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing</a>, as a result of the breach. </p><p>Confirming the decision to drop the investigation, a spokesperson for the watchdog said it still places a strong focus on enforcement of <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures">data protection</a> rules and that “all data breaches reported to us are important”. </p><p>“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward,” the spokesperson said. </p><p>“It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide <a href="https://www.itpro.com/business/policy-and-legislation/uk-needs-regulatory-certainty-to-become-global-ai-leader">regulatory certainty</a> to organizations. </p><p>“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”</p><p>The ICO said it’s currently in the process of transforming how it prioritizes and delivers activity to ensure “timely and transparent results”. </p><p>The move is part of a concerted effort at the watchdog to prepare for the forthcoming <a href="https://www.itpro.com/business/policy-and-legislation/data-protection-and-digital-information-dpid-bill-small-businesses">Data Protection and Digital Information Bill</a>, the spokesperson added. </p><h2 id="ico-decision-could-create-wrong-message">ICO decision could create wrong message</h2><p>The decision to drop the probe has been met with criticism from security industry practitioners amid claims that it could send the wrong message to organizations in the future. </p><p>Mike Newman, CEO of My1Login, said the decision is concerning given that British Airways was <a href="https://www.itpro.com/security/data-breaches/357452/british-airways-dodges-ps183-million-data-breach-fine">handed a £20 million fine</a> for a “much smaller data breach”. </p><p>“The industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case,” he said. </p><p>“Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud, and <a href="https://www.itpro.com/security/privacy/368587/identity-theft-what-to-do-if-the-worst-happens">identity theft</a>. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and could send out a very wrong message to other organizations.”</p><p>Barrier Networks CISO, Jordan Schroeder, echoed Newman’s comments on messaging. However, he insisted the ICO still appears firmly committed to enforcement and ensuring robust data protection standards across the UK. </p><p>“This latest update could give off mixed messages and it will undoubtedly receive a lot of scrutiny, but it shouldn’t be seen as an indication that the ICO is ‘easing up’ or that data breaches will be tolerated,” he said. </p><p>“Organizations have a duty to care for the data they hold and process, and they must take the protection of that data very seriously. These protections shouldn’t only be motivated by compliance or the risk of regulatory fines, but mainly because of their duty of care to customers, employees, and partners.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Almost one-third of data breaches reported to ICO came from outsiders ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/almost-one-third-of-data-breaches-reported-to-ico-came-from-outsiders</link>
                                                                            <description>
                            <![CDATA[ The number of organizations reporting or being reported to the ICO has reached a four-year high ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">y6CzvJ9gKUpFy2DTPpatHJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hcF5zrWZhdGYsGxPxBsbKV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 20 Oct 2023 09:13:43 +0000</pubDate>                                                                                                                                <updated>Fri, 20 Oct 2023 14:49:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ross Kelly is a staff writer at ITPro, ChannelPro, and CloudPro, with a keen interest in cyber security, business leadership and emerging technologies.&lt;/p&gt;
&lt;p&gt;He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In his spare time, Ross enjoys cycling, walking and is an avid reader of history and non-fiction.&lt;/p&gt;
&lt;p&gt;You can contact Ross at ross.kelly@futurenet.com or on &lt;a href=&quot;https://twitter.com/rosswritesetc&quot;&gt;Twitter&lt;/a&gt; and &lt;a href=&quot;https://www.linkedin.com/in/ross-kelly-18a54411a/&quot;&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hcF5zrWZhdGYsGxPxBsbKV-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Concept art showing locked padlocks with one opened coloured in red, signifying a data breach]]></media:description>                                                            <media:text><![CDATA[Concept art showing locked padlocks with one opened coloured in red, signifying a data breach]]></media:text>
                                <media:title type="plain"><![CDATA[Concept art showing locked padlocks with one opened coloured in red, signifying a data breach]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hcF5zrWZhdGYsGxPxBsbKV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Nearly one-third of security decision makers in the UK claim they have been reported to the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office</a> (ICO) over a data breach by an individual outside their organization. </p><p>Analysis from Manchester-based encryption firm, Apricorn, recorded a steep increase in the number of organizations reported to the ICO so far during 2023, with 32% reported by someone outside their firm. </p><p>The increase marks a significant rise compared to previous years. In 2022, just 4% of breaches were reported to the watchdog by outsiders while in 2021 this stood at 10%. </p><p>This, the firm said, suggests a growing public appetite to hold businesses to account over potential <a href="https://www.itpro.com/security/data-protection">data security</a> risks. </p><p>“This could be a sign of increased awareness as people become more au fait with the signs of a <a href="https://www.itpro.com/uk/security/data-breaches">data breach</a> and the importance of reporting them, but it could also indicate a lack of internal awareness or due process,” the company said. </p><p>Jon Fielding, managing director for EMEA at Apricorn, said the trend raises additional questions over internal reporting practices in the event of a data breach or potential risks to consumers. </p><p>“Not all breaches are reportable, but likely recordable. The fact these breaches have been reported from outside the organization may indicate that internal teams are not as aware as they should be of transgressions,” he said.</p><p>Research earlier this year found that nearly half of cyber security practitioners have been told to <a href="https://www.itpro.com/security/370411/nearly-half-of-security-practitioners-told-to-keep-data-breaches-under-wraps"><u>keep data breaches “under wraps”</u></a> by senior management. </p><p>The study from <a href="https://www.itpro.com/security/ransomware/370154/free-mortalkombat-ransomware-decryptor-tool-released-by-bitdefender">Bitdefender</a> revealed that 42% had been told to keep a data breach confidential when they knew it should have been reported.</p><p>US-based security practitioners were found to be the most likely to have kept a breach hidden, with 71% failing to inform senior management or customers. UK and European-based respondents were typically more likely to report data breaches and security incidents, however. </p><p>The repercussions for failing to disclose a data breach can be costly for organizations and individuals on both sides of the Atlantic. EU-based firms are required to notify authorities “without undue delay” and within 72 hours of discovering a breach. </p><h2 id="internal-reporting-still-prioritized-xa0">Internal reporting still prioritized </h2><p>Apricorn’s report said that despite an increase in external reporting, internal data breach disclosures are still prioritized by security leaders. </p><p>Nearly half (40%) of respondents said breaches or potential breaches were reported to the ICO by someone within their organization. </p><p>The study suggested this highlights a continued awareness of the importance of data breach disclosures and “speedy remediation” when complying with regulations such as <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR</a>. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Surge in workplace monitoring prompts new ICO guidelines on employee privacy ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/privacy/surge-in-workplace-monitoring-prompts-new-ico-guidelines-on-employee-privacy</link>
                                                                            <description>
                            <![CDATA[ Detailed guidance on how to implement workplace monitoring could prevent data protection blunders ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5Kb3rDhmEbGcVFX3MAeu9Y</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/MzC9cx83DFE6FrwkLYmxZX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Oct 2023 08:30:33 +0000</pubDate>                                                                                                                                <updated>Wed, 04 Oct 2023 10:38:47 +0000</updated>
                                                                                                                                            <category><![CDATA[Privacy]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Ross Kelly is a staff writer at ITPro, ChannelPro, and CloudPro, with a keen interest in cyber security, business leadership and emerging technologies.&lt;/p&gt;
&lt;p&gt;He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;In his spare time, Ross enjoys cycling, walking and is an avid reader of history and non-fiction.&lt;/p&gt;
&lt;p&gt;You can contact Ross at ross.kelly@futurenet.com or on &lt;a href=&quot;https://twitter.com/rosswritesetc&quot;&gt;Twitter&lt;/a&gt; and &lt;a href=&quot;https://www.linkedin.com/in/ross-kelly-18a54411a/&quot;&gt;LinkedIn&lt;/a&gt;.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/MzC9cx83DFE6FrwkLYmxZX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[High angle view of male and female programmers working on computers at desk in office.]]></media:description>                                                            <media:text><![CDATA[High angle view of male and female programmers working on computers at desk in office.]]></media:text>
                                <media:title type="plain"><![CDATA[High angle view of male and female programmers working on computers at desk in office.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/MzC9cx83DFE6FrwkLYmxZX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The Information Commissioner&apos;s Office (ICO) has issued fresh guidance urging organizations to “consider workers’ rights” when introducing workplace monitoring tools. </p><p>The advisory follows a report that found 70% of the public would find workplace monitoring practices “intrusive”. Almost one in five (19%) respondents told the ICO they believe they have been monitored by an employer at some stage. </p><p>The watchdog warned that excessive monitoring can “easily intrude into people’s private lives” and undermine privacy. </p><p>“With the rise of <a href="https://www.itpro.com/business/careers-and-training/strategies-for-effective-upward-management-while-working-remotely"><u>remote working</u></a> and developments in the technology available, many employers are looking to carry out checks on workers,” the ICO said in a statement. </p><p>“The ICO has today published guidance to help employers fully comply with <a href="https://www.itpro.com/uk/security/data-protection"><u>data protection</u></a> law if they wish to monitor their workers.” </p><p>The guidance is aimed at employers spanning both the public and private sectors, and provides a “clear direction” on how organizations can implement monitoring techniques in a fair and lawful manner. 
</p><p>Monitoring can include tracking calls, messages and keystrokes, webcam footage or audio recordings, or using “specialist monitoring software” to track worker activity, the ICO said. </p><p>In addition, the advisory outlines best practice techniques for employers to help “build trust with their workers and respect their rights to privacy”. </p><p>This includes informing staff about monitoring practices in a “way that is easy to understand” and ensuring workers are made fully aware of the “nature, extent, and reasons for monitoring”. 
</p><p>The guidance also warns that organizations must have a “lawful basis” for processing workers’ data, such as consent or legal obligation. </p><p>This includes the need for <a href="https://www.itpro.com/data-protection/34416/how-to-perform-a-data-protection-impact-assessment-dpia-under-gdpr">data protection impact assessments</a>, which must be conducted for any monitoring practices that are “likely to result in a high risk” to workers’ rights.</p><h2 id="transparency-in-workplace-monitoring">Transparency in workplace monitoring</h2><p>Emily Keaney, deputy commissioner for regulatory policy at the ICO, said that while data protection laws permit monitoring, organizations must prioritize <a href="https://www.itpro.com/uk/security/privacy"><u>privacy</u></a> and the potential impact on workers. </p><p>“As the data protection regulator, we want to remind organizations that business interests must never be prioritized over the privacy of their workers,” she said. </p><p>“Transparency and fairness are key to building trust and it is crucial that organizations get this right from the start to create a positive environment where workers feel comfortable and respected.”</p><p>Ella Bond, senior employment solicitor at Harper James, commended the publication of the guidance, and echoed Keaney’s comments on transparency. </p><p>Organizations that fail to communicate with staff risk harming relationships with their workforce and impacting performance and morale. </p><p>“It is crucial for employers to strike a balance between managing productivity and performance whilst respecting workers&apos; privacy,” said Bond. “Workers have a legitimate expectation of privacy, even in the course of carrying out their duties.” </p><p>“Monitoring should only be undertaken when it is necessary and proportionate, and it should be conducted in a way that respects workers&apos; rights and freedoms. It is essential that employers communicate clearly with their staff about the nature, extent, and reasons for any monitoring activities. </p><p>“Employers should have clear signage, procedures and policy documentation in place in order to help them to achieve this.”</p><p>Workplace monitoring practices <a href="https://www.itpro.com/business/business-strategy/359712/what-has-the-move-to-remote-working-meant-for-employee-monitoring"><u>have increased significantly</u></a> since the onset of the COVID pandemic in 2020 and the subsequent shift to remote and hybrid working practices as employers sought to keep tabs on employee activities. 
</p><p>A 2021 survey conducted by Prospect recorded a <a href="https://www.itpro.com/security/privacy/361472/one-in-three-uk-workers-now-surveilled-by-employers-at-home"><u>sharp rise in cases of webcam and video-based monitoring</u></a> practices among employers.  </p><p>At the time, a majority (52%) of employees polled by the firm said they believe monitoring practices should be banned outright, while 28% said more robust regulation of the trend was required.  </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO warns against Excel spreadsheets to curb public sector data breaches ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/ico-warns-against-excel-spreadsheets-to-curb-public-sector-data-breaches</link>
                                                                            <description>
                            <![CDATA[ The ICO's advisory follows a spate of data protection blunders at UK police forces in recent months ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">mdquGKJSAnfkbU4khST5WF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HWqWDvcx4A4DFQfRyBhCan-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 Sep 2023 11:23:32 +0000</pubDate>                                                                                                                                <updated>Thu, 28 Sep 2023 13:45:31 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HWqWDvcx4A4DFQfRyBhCan-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ICO advises against spreadsheets story, illustrated by a Microsoft Excel spreadsheet window mockup in a cartoon style, set against a pale blue background]]></media:description>                                                            <media:text><![CDATA[ICO advises against spreadsheets story, illustrated by a Microsoft Excel spreadsheet window mockup in a cartoon style, set against a pale blue background]]></media:text>
                                <media:title type="plain"><![CDATA[ICO advises against spreadsheets story, illustrated by a Microsoft Excel spreadsheet window mockup in a cartoon style, set against a pale blue background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HWqWDvcx4A4DFQfRyBhCan-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s Information Commissioner’s Office (ICO) has issued an advisory to public bodies urging them to “stop using spreadsheets” when responding to requests made under the Freedom of Information Act 2000 (FoI). </p><p>The advisory notice called for an “immediate end” to the use of Excel spreadsheets when responding to public requests for information, and outlined a series of recommendations for public authorities to follow. </p><p>The ICO listed a number of core recommendations for responses. Public bodies have been advised against replying to FoI requests with spreadsheets containing “hundreds or thousands of rows”.</p><p>A recommendation to improve investment in <a href="https://www.itpro.com/strategy/29269/what-is-data-management"><u>data management</u></a> systems that “support data integrity” was included in the guidance.</p><p>In addition, police services were advised to “convert spreadsheets and sensitive metadata into open reusable formats, such as comma-separated value (CSV) files”.</p><p>The advisory also called for better staff training for those involved in disclosing information to prevent the exposure of sensitive data. </p><p>UK information commissioner John Edwards said it’s “imperative” that robust measures are maintained by public authorities when dealing with personal information. </p><p>“The advice we have issued sets out the bare minimum that public authorities should be doing to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”</p><p>While the ICO did not explicitly cite recent incidents, the advisory notice follows a series of FoI-related data protection blunders at UK police services across the country. 
</p><p>Personal information belonging to thousands of police officers and staff in Northern Ireland was exposed in August after a document was mistakenly uploaded in response to a <a href="https://www.itpro.com/policy-legislation/30218/what-is-a-freedom-of-information-foi-request"><u>freedom of information request</u></a>. </p><p>The data breach exposed the names of around 10,000 actively serving officers and civilian staff. </p><p>Within the space of a week, this incident was followed by breaches at two other forces elsewhere in the UK. 
</p><p>Norfolk and Suffolk police revealed a “technical issue” that resulted in <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know"><u>personally identifiable information</u></a> being exposed during a routine freedom of information response. </p><p>Details of hundreds of crime victims, suspects, and witnesses were exposed in the incidents. Much of the information leaked pertained to domestic abuse, assault, theft, and sexual offense cases.</p><p>Both police services have since apologized for the <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures"><u>data protection</u></a> blunders.  </p><p>“The recent personal data breaches are a reminder that data protection is, first and foremost, about people,” Edwards said. </p><p>“We have seen both the immediate and ongoing impact that the release of such sensitive personal information has had on the individuals and families involved, and that is why I have taken this action.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Incorrectly copying people into emails could get you fined under new ICO guidelines ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/incorrectly-copying-people-into-emails-could-get-you-fined-under-new-ico-guidelines</link>
                                                                            <description>
                            <![CDATA[ New guidance from the UK’s data regulator will help prevent unnecessary exposure of personal information in bulk email chains ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">SUx8s7G6odSnSVvT3Zq9q7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/nBjdvCuKQbc8qQzRGWiVge-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 04 Sep 2023 14:11:55 +0000</pubDate>                                                                                                                                <updated>Tue, 05 Sep 2023 10:09:01 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/nBjdvCuKQbc8qQzRGWiVge-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Email symbols imposed on a digital themed background]]></media:description>                                                            <media:text><![CDATA[Email symbols imposed on a digital themed background]]></media:text>
                                <media:title type="plain"><![CDATA[Email symbols imposed on a digital themed background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/nBjdvCuKQbc8qQzRGWiVge-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Organizations across the UK could face fines for inadvertently copying people into email chains under new guidelines published by the country’s data regulator.</p><p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> has advised businesses to “use alternatives” to the blind carbon copy (BCC) function when sending bulk emails that contain potentially sensitive information.</p><p>The warning from the regulator coincides with the publication of new guidance detailing how organizations can improve <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/30326/what-is-a-data-protection-officer">data protection practices</a> relating to email communications.</p><p>Best practice advice from the ICO suggests that organizations using “large amounts of data” should consider using alternative means to the BCC function to prevent exposure of personal information.</p><p>The guidance also recommends improving training regimes for staff to cultivate a stronger understanding of <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">data protection regulations</a> and their application in email communications.</p><p>Mihaela Jembei, ICO director of regulatory cyber, said the new guidelines will provide organizations with a clear-cut framework for best practices, and warned that those found to be operating negligently could be reprimanded.</p><p>“This new guidance is part of our commitment to help organizations get <a href="https://www.itpro.com/security/29591/why-email-security-is-your-next-big-opportunity">email security</a> right,” she said.</p><p>“However, where we see negligent behavior that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”</p><h2 id="responding-to-recent-data-breaches">Responding to recent data 
breaches</h2><p>The new guidance comes in direct response to a slew of data breaches related to email communications, which the regulator described as a “catalog of business blunders”.</p><p>An investigation into the issue from the ICO found that incorrect use of the BCC function is frequently in the top 10 of non-cyber-related breaches, with nearly 1,000 incidents reported since 2019.</p><p>“Failure to use BCC correctly in emails is one of the top <a href="https://www.itpro.com/613798/what-to-do-in-case-of-a-data-breach">data breaches</a> reported to us every year,” Jembei said. “These breaches can cause real harm, especially where sensitive personal information is involved.</p><p>“While BCC can be a useful function, it&apos;s not enough on its own to properly protect people&apos;s personal information. We’re asking organizations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers."</p><p>Failures were found to be a recurring theme across a range of industries, with organizations in the education sector, healthcare, local government, and retail among the most frequently reported for email-related issues.</p><p>The regulator has taken a tougher stance on email-linked data breaches in recent years. In 2022 the Tavistock and Portman NHS Trust was fined £78,400 for exposing the email addresses of over 1,700 gender identity patients.</p><p>More recently, it reprimanded two <a href="https://www.itpro.com/security/cyber-security/368394/northern-ireland-is-the-future-of-british-cyber-security">Northern Ireland</a>-based organizations for wrongly disclosing people’s information in an email chain. The ICO also issued a reprimand to NHS Highland in March after data belonging to people accessing HIV services was exposed.</p><p>The regulator described the incident as a “serious breach of trust” that put users of the service at risk.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO threatens enforcement action against websites with 'harmful' cookie banners ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-protection/ico-threatens-enforcement-action-against-websites-with-harmful-cookie-banners</link>
                                                                            <description>
                            <![CDATA[ The joint effort with the CMA will see a greater focus placed on tackling privacy-unfriendly default settings and bundled consent options ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">FxiaiXShbcPVKd8MjDNEFZ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 10 Aug 2023 10:21:35 +0000</pubDate>                                                                                                                                <updated>Thu, 10 Aug 2023 11:48:38 +0000</updated>
                                                                                                                                            <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ richard.speed@futurenet.com (Richard Speed) ]]></author>                    <dc:creator><![CDATA[ Richard Speed ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/9i9jXkpYyoBCECh2PbJBGP.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ICO: Cookie banner displayed on a website]]></media:description>                                                            <media:text><![CDATA[ICO: Cookie banner displayed on a website]]></media:text>
                                <media:title type="plain"><![CDATA[ICO: Cookie banner displayed on a website]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LJKsE3hDnDuuSnPSAEWNvi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s Information Commissioner’s Office (ICO) has called for an end to website design practices that it claims could harm users.</p><p>The regulator has singled out cookie consent banners as an example of where it will take action if it believes that consumers are being affected by harmful design. It went on to state that it would take enforcement action where it felt design choices would lead to risk or harm.</p><p>It said: “The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico"><u>ICO</u></a> will be assessing <a href="https://www.itpro.com/security/361576/what-are-cookies"><u>cookie</u></a> banners of the most frequently used websites in the UK and taking action where harmful design is affecting consumers”.</p><p>Cookie consent banners made an appearance in response to <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know"><u>GDPR</u></a> requirements. Their purpose is to give users a choice regarding the usage of cookies on a website.</p><p>A joint paper, set out in conjunction with the <a href="https://www.itpro.com/cloud/370382/microsoft-aws-face-cma-probe-amid-competition-concerns"><u>Competition and Markets Authority (CMA)</u></a>, has documented how design practices can affect choice and control over personal information.</p><p>The design practices worrying the authorities include default settings - where a user must take active steps to change a predefined choice - and bundled consent - where a user is asked for consent for multiple purposes via a single option.</p><p>Defaults are among the strongest practices influencing user behavior, according to the ICO and CMA. 
This is because they require less effort from the user than making an active choice, and they imply a recommendation by the company or an indication that most users would choose them.</p><p>The ICO’s concerns relate to Article 25 of the UK GDPR, which requires a ‘data protection by design’ approach to the processing of personal data. Although a ‘default off’ approach is not mandated, not requiring the user to actively consent to more intrusive behavior will likely attract attention.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="UCiQSZePu3djrirpg2zB4k" name="The 5 pillars of personalization at scale-pdf (2).jpg" caption="" alt="The 5 pillars of personalization at scale is a whitepaper from IBM which covers coordinating all aspects of your operations to curate customer interaction" src="https://cdn.mos.cms.futurecdn.net/UCiQSZePu3djrirpg2zB4k.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: IBM)</span></figcaption></figure><p class="fancy-box__body-text"><strong>The five pillars of personalization at scale</strong></p><p class="fancy-box__body-text"><em>Personalization can lead to higher revenue. 
Start delivering experiences that will delight and entice your customers.</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business/marketing-and-comms/the-five-pillars-of-personalization-at-scale">DOWNLOAD FOR FREE</a><strong><br></strong></p></div></div><p>Similarly, the CMA worries that the use of defaults could lead to users making choices not in their best interests, for example, inadvertently enrolling into auto-renewing subscription plans.</p><p>Other practices causing concern include “harmful nudges,” where it is made easy for a user to make a poor choice, alongside “sludge,” where sites make it difficult for a user to select the option they wish. </p><p>The ICO warned that the practice infringed fairness and transparency regulations, although accepted that “nudges” could also be beneficial to users in steering them through to good decisions, with friction or “sludge” also being useful if implemented to ensure a user understands the consequences of their action - for example, validating a bank transfer.</p><p>Finally, ‘confirmshaming’ and ‘biased framing’ were also singled out for criticism.</p><p>Confirmshaming is where &apos;good&apos; and &apos;bad&apos; choices are presented, and the user is therefore made to feel guilty or embarrassed for not choosing the company’s preferred option. Biased framing is where choices are presented in a manner that emphasizes the supposedly positive outcome of a given selection.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Electoral Commission hit by ‘complex’ 15-month cyber attack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/electoral-commission-hit-by-complex-15-month-cyber-attack</link>
                                                                            <description>
                            <![CDATA[ Cyber criminals, who first breached the organization’s systems in August 2021, were identified in October last year ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Gi5dLkPnfAZJDYYdgfM47U</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bMrMpeGHAcJtiRYA53sF3o-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 08 Aug 2023 15:33:56 +0000</pubDate>                                                                                                                                <updated>Wed, 16 Aug 2023 15:17:27 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ richard.speed@futurenet.com (Richard Speed) ]]></author>                    <dc:creator><![CDATA[ Richard Speed ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/9i9jXkpYyoBCECh2PbJBGP.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bMrMpeGHAcJtiRYA53sF3o-1280-80.jpg">
                                                            <media:credit><![CDATA[n/a]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Parliament]]></media:description>                                                            <media:text><![CDATA[Parliament]]></media:text>
                                <media:title type="plain"><![CDATA[Parliament]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bMrMpeGHAcJtiRYA53sF3o-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s Electoral Commission has warned that hostile actors have accessed voter data, including names and addresses, belonging to anyone registered to vote in elections between 2014 and 2022.</p><p>The attackers gained access to full names, addresses, and the date on which a person achieves voting age – which is 18 for UK parliamentary elections.</p><p>The attackers also had access to the commission’s email and control system as well as the names of those registered as overseas voters, but not their addresses, since the organization doesn’t hold this data. Personal data contained in the email system was also affected and includes name, email, address, telephone numbers, and any personal images along with webform data.</p><p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> risk assessment doesn’t suggest that exposing such personal data by itself puts individuals at high risk, given much of this information is already in the public domain. But combined with other pieces of information, it could be used to identify or profile individuals.</p><p>Webform data or email attachments, meanwhile, could potentially contain sensitive information such as medical or personal financial details.</p><p>No group has claimed responsibility for the attack at the time of writing. 
The Electoral Commission has reported the incident to the <a href="https://www.itpro.com/security/national-cyber-security-centre-ncsc/362048/ncsc-cyber-essentials-overhaul-takes-effect">National Cyber Security Centre</a>, and said it notified the ICO within 72 hours of identifying the breach.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="iDLoZ6aPYgSNDWRMEfn7X9" name="Threat_Intelligence_listing.jpg" caption="" alt="Dark whitepaper cover with faint data connection lines rising from the bottom" src="https://cdn.mos.cms.futurecdn.net/iDLoZ6aPYgSNDWRMEfn7X9.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Mimecast)</span></figcaption></figure><p class="fancy-box__body-text"><em>Read how real-time threat data can give you an advantage</em>.</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/threat-intelligence-critical-in-the-fight-against-cyber-attacks-but-tough-to-master"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>The fact that systems were first accessed in August 2021, more than a year before suspicious activity was identified, suggests the cyber criminals were patient and possibly surveilling internal operations.</p><p>The commission has been quick to reassure voters that the data can’t be used to interfere with the UK’s electoral process, and insisted the exposed data isn’t enough to impersonate a voter under current rules. 
But the stolen data could help fuel future attacks and other forms of fraud, according to Matt Aldridge, principal solutions consultant at OpenText Cybersecurity.</p><p>“If a nation-state actor was at work here, this data could be used to boost any influence campaigns they are running against UK targets in an effort to support that nation’s competitive agenda,” he said.</p><p>The potential theft of names and home addresses could contribute to targeted social engineering attacks, for example. Aldridge urged organizations to learn from this breach, check their defenses, and ensure staff are trained in cyber security best practices.</p><p>“Rather than viewing data protection as a box-ticking exercise,” he continued, “it should be a key priority and integrated into every aspect of an organization.”</p><p>The commission hasn’t disclosed how it became aware of the attack, but said it’s been implementing a number of mitigations: “We have strengthened our network login requirements, improved the monitoring and alert system for active threats and reviewed and updated our firewall policies.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ GDPR fines just 6% of the total cost of data breaches ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/gdpr-fines-just-6-of-the-total-cost-of-data-breaches</link>
                                                                            <description>
                            <![CDATA[ Costs are surging as tickbox compliance distracts organizations from proper security ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">TtC5ZycGxPejJUswNyKpb9</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qKCkPsC9o3LPrJHDP6Jkr7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 08 Aug 2023 11:44:36 +0000</pubDate>                                                                                                                                <updated>Wed, 16 Aug 2023 11:06:52 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ richard.speed@futurenet.com (Richard Speed) ]]></author>                    <dc:creator><![CDATA[ Richard Speed ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/9i9jXkpYyoBCECh2PbJBGP.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/qKCkPsC9o3LPrJHDP6Jkr7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A red warning sign on a background of code, denoting malware and cyber attacks]]></media:description>                                                            <media:text><![CDATA[A red warning sign on a background of code, denoting malware and cyber attacks]]></media:text>
                                <media:title type="plain"><![CDATA[A red warning sign on a background of code, denoting malware and cyber attacks]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qKCkPsC9o3LPrJHDP6Jkr7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Over a third (37%) of breaches were caused by human error, and 40% of breaches took more than 72 hours to report, research has found.</p><p>An analysis of nearly 100,000 data breaches (99,460) reported to the UK <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico"><u>Information Commissioner’s Office (ICO)</u></a> from April 2019 to December 2022 has found a lengthy gap between the breach and the report, despite the ICO taking a more robust line.</p><p>The length of the gap demonstrates the challenges faced in identifying a threat. For 18% of breaches, more than a week passed until the ICO was notified. </p><p>The costs of <a href="https://www.itpro.com/security/data-breaches/data-breach-costs-businesses-lose-73-of-their-income-in-the-year-following-an-incident"><u>breaches</u></a> can be high, dwarfing fines, with research finding the 33 most notable breaches cost organizations more than £13.5 billion, of which only 6% was made up by global regulatory fines.</p><p>In this instance, ‘notable’ refers to actual data breaches rather than organizations maliciously abusing data themselves, or breaches reported by <a href="https://www.itpro.com/hacking/30282/what-is-ethical-hacking-white-hat-hackers-explained"><u>white-hat hackers</u></a> with no damage occurring.</p><p>The most common causes of the breaches in the research weren’t cyber attacks. Only a third (33%) of breaches reported were due to malware or phishing, with all breaches caused by threats from outside an organization accounting for 35% of reports. Insider threats, however, came to 40%. 
</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="s4zyVqVoidbXQRwdhFsaEM" name="ITIC 2022 Global Server Hardware, Server OS Security Report Image.jpg" caption="" alt="ITIC 2022 Global Server Hardware, Server OS Security Report" src="https://cdn.mos.cms.futurecdn.net/s4zyVqVoidbXQRwdhFsaEM.jpg" mos="" link="" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div><figcaption itemprop="caption description" class=""><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p class="fancy-box__body-text"><strong>ITIC 2022 Global Server Hardware, Server OS Security Report</strong></p><p class="fancy-box__body-text"><em>Learn more about how you can combat ever-growing security threats.</em></p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/infrastructure/servers-and-storage/itic-2022-global-server-hardware-server-os-security-report"><strong>DOWNLOAD FOR FREE</strong></a></p></div></div><p>Human error accounted for more – 23% were caused by data being shared with the wrong person, while 11% were due to lost or stolen data. This includes, for example, stolen devices or paperwork being left in an unsecured location.</p><p>Terry Ray, SVP, data security GTM and field CTO of Imperva, noted the ICO’s tougher stance but worries organizations are prioritizing measures that demonstrate compliance on paper over genuine data security. 
</p><p>“In many cases, initiatives that meet the letter of compliance will not in fact prevent organizations from suffering the financial impact of a data breach, such as from customer churn and reputational damage, which can dwarf any potential fines,” he said.</p><p>Data breaches are rising by more than a third (34%) annually, according to Ray, and he expressed concern that – due to a lack of clear metrics – businesses were unsure their data security investments are paying off.</p><p>The ICO has averaged £14.7 million per year in fines issued since it began issuing fines under GDPR rules, compared to £1.5 million levied in the 12 months before <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know"><u>GDPR</u></a> rules came into effect. This increase doesn’t compare favorably with the average cost of the 33 most notable breaches, which was approximately £410 million. “At present,” said Ray, “it would take the ICO 28 years to fine organizations the equivalent of just one of the ‘most notable’ data breaches.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO: The public sector isn’t getting 'an easier ride' with GDPR penalties ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/369580/ico-public-sector-not-getting-easier-ride-gdpr-penalties</link>
                                                                            <description>
                            <![CDATA[ The UK’s information commissioner outlines his new approach to regulation and why the most constructive punishments will always be favoured ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">r3hbWmrfnQ6d4PFhzHpSUu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 23 Nov 2022 11:05:58 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:description>                                                            <media:text><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:text>
                                <media:title type="plain"><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner's Office (ICO) has announced that it will be changing its approach to punishing data protection offences committed within the UK’s public sector.</p><p>Information Commissioner John Edwards said that the organisation’s regulatory approach will focus more on fixing the underlying issues and that issuing monetary penalties is ultimately counter-intuitive in many cases.</p><p>Citing an incident where he was recommended to fine an NHS Trust, Edwards told delegates at the National Association of Data Protection Officers (NADPO) annual conference on Tuesday that fining the Trust would have just harmed the quality of service given to patients, punishing them. </p><p>“That fine would have come directly from the money available to that service to deliver services to the victims of the UK GDPR non-compliance,” he said. “We would further punish the very victims whose rights we are there to uphold.”</p><p>The same ‘gentler’ approach will be applied across all areas of the public sector, not just the emergency or other critical services.</p><p>Issuing fines to organisations in central government is often also ineffective, Edwards said, and previous cases have shown little evidence to support the idea that fines lead to better outcomes or overall compliance. 
</p><p>The Cabinet Office was <a href="https://www.itpro.com/security/data-breaches/361732/ico-fines-cabinet-office-ps500000-for-new-year-honours-data-leak" data-original-url="https://www.itpro.com/security/data-breaches/361732/ico-fines-cabinet-office-ps500000-for-new-year-honours-data-leak">fined £500,000 by the ICO in 2021</a> for the 2019 New Year’s Honours breach in which more than 1,000 individuals had their home addresses leaked.</p><p>It was decided the most effective course of punishment was to reduce this fine to £50,000 after an appeal, given the economic challenges the <a href="https://www.itpro.com/business-strategy/public-sector/361729/the-it-pro-podcast-whats-so-hard-about-public-sector-it" data-original-url="https://www.itpro.com/business-strategy/public-sector/361729/the-it-pro-podcast-whats-so-hard-about-public-sector-it">public sector</a> currently faces.</p><p>The Department for Education (DfE) most recently escaped a monetary penalty for its incident in November which saw school pupils’ learning records used by gambling companies to conduct age-verification checks.</p><p>Edwards said this would usually garner a £10m fine but the new approach took into consideration that the DfE enacted all the required changes to prevent future data protection breaches of this kind before <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">the ICO</a> could even issue the instruction to do so. 
</p><p>As a result, the department received just a formal reprimand and no fine, a punishment the ICO deemed appropriate given the department’s proactivity in remediating the issues.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Crmp8gk4ybzxEU2BqA5dcS" name="Crmp8gk4ybzxEU2BqA5dcS.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/Crmp8gk4ybzxEU2BqA5dcS.png" mos="https://cdn.mos.cms.futurecdn.net/Crmp8gk4ybzxEU2BqA5dcS.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Data governance and privacy for data leaders</strong></p><p class="fancy-box__body-text">Create your ideal governance and privacy solution</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business-strategy/data-insights/369356/data-governance-and-privacy-for-data-leaders" data-original-url="/business-strategy/data-insights/369356/data-governance-and-privacy-for-data-leaders">FREE DOWNLOAD</a></p></div></div><p>“Some commentators have suggested this might be a sign of weakness, or us ‘going easy’ on government. It's not,” said Edwards at the conference.</p><p>“My job is to make sure we’re working in the areas that will have the greatest impact. This doesn’t mean always reaching for the most flashy, headline-grabbing action that comes after the fact; sometimes it’s that behind-the-scenes work, the guidance and advice that we can offer businesses to encourage compliance and to help their understanding of the law and their obligations under it."</p><p>Monetary penalties will be reserved for organisations that have the potential to harm the most people. 
Edwards pointed to the recent fines against catalogue retailer Easylife - one worth £130,000 for “predatory marketing calls” and another worth £1.35 million for profiling customers before illegally calling them.</p><p>This is an example, Edwards said, of a case where fines can promote compliance by hitting profit-driven enterprises where it hurts: their revenue.</p><h2 id="further-regulatory-changes">Further regulatory changes</h2><p>Another change to Edwards’ approach is to begin publishing all reprimands on the ICO’s website, “unless there is a good reason not to” - something it currently does not do.</p><p>This is for the purposes of promoting accountability and transparency: the public and wider economy should be aware of any transgressions and why the ICO issued the punishment it chose.</p><p>Enforcement actions available to the ICO aside from fines include warnings (issued when violations are likely to be committed), reprimands (formal expressions of disapproval of conduct when the threshold for a fine hasn’t been met), and compliance orders (instructions to offenders that changes need to be made to re-establish <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/31065/gdpr-compliance-checklist-is-your-organisation-gdpr" data-original-url="https://www.itpro.com/general-data-protection-regulation-gdpr/31065/gdpr-compliance-checklist-is-your-organisation-gdpr">compliance</a>).</p><p>Edwards also said he wanted the regulatory process to be more predictable and certain, and that the increased emphasis on transparency would help inform organisations of what the law requires of them.</p><p>In addition, the new approach aims to be more flexible. Tied in with the ideas of certainty and predictability, Edwards believes that organisations should be free to <a href="https://www.itpro.com/technology/31754/what-is-disruptive-innovation" data-original-url="https://www.itpro.com/technology/31754/what-is-disruptive-innovation">innovate their products and services</a> with confidence that they still meet compliance criteria.</p><p>The ICO will soon launch a new advice service dedicated to supporting organisations with planned innovations, such as new business models, in areas that encourage further investment.</p><p>“Our advice service will offer direct, fast-paced answers and support to those looking to move quickly and innovate within the guardrails of the law,” he said. “This will do more to improve outcomes for the consumers of those services than aggressive regulatory action after the fact would, after the harm has been done.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/data-protection/368544/ico-crackdown-ai-recruitment-three-year-vision</link>
                                                                            <description>
                            <![CDATA[ ICO25 outlines a fresh approach that involves releasing learning materials, advice, and a new ICO-moderated discussion forum for businesses ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rdidgNw8B7xNeEnHctVZQ5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 14 Jul 2022 11:45:11 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:description>                                                            <media:text><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:text>
                                <media:title type="plain"><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The UK’s Information Commissioner’s Office (ICO) will renew its focus on regulating algorithmic biases as part of a three-year plan to tackle digital injustices and raise data awareness among businesses.</p><p>The ICO said the broad “package of actions”, branded ICO25, will help to save businesses around £100 million over the next three years. It aims to support businesses by releasing a catalogue of learning materials, a database of ICO-approved advice, and an ICO-moderated platform for organisations to discuss compliance matters and share advice.</p><p>As part of the roadmap, the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">ICO</a> is applying a fresh focus on regulating <a href="https://www.itpro.com/technology/artificial-intelligence-ai/361824/how-biased-is-your-app" data-original-url="https://www.itpro.com/technology/artificial-intelligence-ai/361824/how-biased-is-your-app">algorithmic biases</a> in the benefits system alongside the role of <a href="https://www.itpro.com/machine-learning/31708/what-are-the-pros-and-cons-of-ai" data-original-url="https://www.itpro.com/machine-learning/31708/what-are-the-pros-and-cons-of-ai">artificial intelligence (AI)</a> in recruitment. There are fears, in particular, that AI-powered recruitment and hiring may discriminate against <a href="https://www.itpro.com/business-strategy/careers-training/356168/how-the-autistic-population-could-solve-the-tech" data-original-url="https://www.itpro.com/business-strategy/careers-training/356168/how-the-autistic-population-could-solve-the-tech">neurodiverse job applicants</a> as well as candidates from ethnic minorities.</p><p>The use of <a href="https://www.itpro.com/business-strategy/recruitment/361860/hired-by-machines-exploring-recruitments-machine-driven-future" target="_blank" data-original-url="https://www.itpro.com/business-strategy/recruitment/361860/hired-by-machines-exploring-recruitments-machine-driven-future">AI in recruitment</a> has been heavily criticised over its potential to discriminate against certain groups of people, largely due to a marked <a href="https://www.itpro.com/technology/artificial-intelligence-ai/358223/why-diversity-is-key-to-a-successful-ai-strategy" target="_blank" data-original-url="https://www.itpro.com/technology/artificial-intelligence-ai/358223/why-diversity-is-key-to-a-successful-ai-strategy">lack of diversity</a> among those developing such systems. 
</p><p>Commenting on the strategy, Peter van der Putten, director of the AI Lab at Pegasystems and assistant professor in AI at Leiden University, said the ICO was right to focus on the impact of AI on material decisions, such as whether you get access to financial support or whether you're hired for a role.</p><p>“AI is an invaluable technology that is already being used by government departments, banks, insurers, telcos, utility providers and more to improve customer service for millions of consumers, but these companies cannot let AI go unchecked,” he said.</p><p>“Improper use of AI in this context is particularly harmful for vulnerable groups, but it is important to realise that virtually anyone can be a victim of unwanted bias, and deserves fair and explainable automated decisions. Take age or gender discrimination for instance.</p><p>“That is because AI is as biased as the data and logic used to create it. Even if its designers have the best intentions, errors may creep in through the selection of biased data for machine learning models as well as prejudice and assumptions in built-in logic. 
Therefore, organisations need to make sure that the data, models and logic being used to create their algorithms are free of prejudice as much as possible, that AI-powered decisions are continuously monitored for bias, and that material automated decisions come with complementary automated explanation facilities.”</p><p>The ICO's crackdown in this area comes alongside its ongoing support for children’s privacy and action against nuisance marketing.</p><p>“Certainty and flexibility remain the two pillars of what I offer to business today, and in how we will support the successful <a href="https://www.itpro.com/policy-legislation/368448/government-replace-gdpr-with-data-reform-bill" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/368448/government-replace-gdpr-with-data-reform-bill">implementation of a new data protection law</a>,” Information Commissioner John Edwards will say in a <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/john-edwards-speech-introducing-ico25">speech</a> later today. </p><p>“Certainty in what the law requires, coupled with a predictable approach to enforcement action that allows businesses to invest and innovate with confidence. And the flexibility to reduce the cost of compliance.</p><p>“That support for business and public sector is important in itself, but it is ultimately a means to an end. 
We help business to help people.”</p><p>Clarifying the £100 million figure, Edwards will say that the “flexibility” the ICO refers to relates to the cost of compliance: he has tasked the regulator with saving businesses £100 million over the next three years by giving them opportunities to better understand data law.</p><p>Edwards will also say he understands these <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/uk-information-commissioner-sets-out-focus-on-empowering-people-through-information">new focuses</a> represent a big change in the way the ICO approaches matters, and that some things may not work out as intended. “The proposals I set out today involve trying different approaches. Some may work well, some may not work, some may need tweaking,” he will say. 
“But it is absolutely clear to me that in a world of increasing demand, and shrinking resources, we simply cannot keep doing what we’ve been doing and expect the system to improve.”</p><p>The Information Commissioner also promised to use the “most punitive regulatory tools” at the organisation’s disposal against those who seek to target and exploit vulnerable groups.</p><p>The ICO has previously been criticised for <a href="https://www.itpro.com/policy-legislation/data-protection/356423/ico-lambasted-for-falling-asleep-at-the-wheel" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/data-protection/356423/ico-lambasted-for-falling-asleep-at-the-wheel">failing to investigate major data privacy cases</a> in recent years. It has also been accused of <a href="https://www.itpro.com/policy-legislation/general-data-protection-regulation-gdpr/355476/understaffed-data-regulators" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/general-data-protection-regulation-gdpr/355476/understaffed-data-regulators">failing to allocate an adequate proportion of staff</a> to tech privacy, fuelling fears that major breaches would go uninvestigated.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The public sector will no longer face eye-watering data breach fines, ICO confirms ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/business-strategy/public-sector/368406/ico-to-reduce-fines-on-public-sector-data-breaches</link>
                                                                            <description>
                            <![CDATA[ The regulator will, however, increase the use of its wider powers like handing out warnings and reprimands ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9tGpf9L2FmDpK6reZyTPMh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 01 Jul 2022 10:00:13 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Zach Marzouk ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/ncLkbsDMZ6b76Lc5iS6mZh.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:description>                                                            <media:text><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:text>
                                <media:title type="plain"><![CDATA[A close up image of a smartphone with the ICO webpage displayed on screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZoUhWWg8D3ay7Ce5Ux2vJR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The Information Commissioner’s Office (ICO) has said it will take a more lenient approach to public sector organisations as part of its new three-year strategic vision.</p><p>Under the new strategy the Commissioner will use his discretion to reduce the potential economic effect that GDPR fines can have on public bodies, coupled with an approach that focuses more on sharing lessons learned and promoting good practice. The regulator said the new strategy will be trialled over the next two years.</p><p>In practice, this will mean an increased use of its wider powers, including warnings, reprimands, and enforcement notices, with fines only issued in the most serious cases, the authority revealed this week. It will also mean a number of existing fines against public sector organisations will be substantially reduced, in some cases by as much as 90%.</p><p>Where a fine is considered but another sanction is chosen, the ICO’s decision notice will still state the amount the fine would have been. 
It hopes this will show the wider economy the level of penalty others can expect for similar conduct.</p><p>The regulator also aims to work more closely with the public sector to encourage compliance with <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">data protection laws</a> and prevent harms before they happen.</p><p>“I want to ensure my office remains a pragmatic, proportionate and effective regulator focused on making a difference to people’s lives,” said John Edwards, the UK Information Commissioner. “That means taking a more proactive and targeted approach with public authorities to ensure they are looking after people’s information while supporting their communities.”</p><p>The UK government has also committed to creating a cross-Whitehall senior leadership group to encourage compliance with high data protection standards. 
The ICO is also going to engage with the Devolved Administrations and the wider public sector to determine the most effective way to deliver these improvements.</p><p>The revised approach is part of a set of initiatives known as ICO25, its new three-year strategic vision, which aims to empower organisations to innovate while using people’s data responsibly.</p><p>As part of this change, the regulator has issued a reduced fine of £78,400, down from £784,800, to Tavistock and Portman NHS Foundation Trust for disclosing 1,781 email addresses belonging to adult gender identity patients in September 2019.</p><p>Additionally, the ICO issued a public reprimand to NHS Blood and Transplant Service, after it inadvertently released untested development code into a live system for matching transplant list patients with donated organs in August 
2019. If the revised approach had not been in place, the organisation would have received a fine of £749,856.</p><p>“My office worked with both organisations to improve their <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures" target="_blank" data-original-url="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures">data protection standards</a> and practices. We used different enforcement tools but, crucially, both resulted in changes that better protect the public,” said Edwards.</p><p>This new approach follows the unveiling of the UK government's <a href="https://www.itpro.com/policy-legislation/data-protection/368309/uk-data-reform-bill-waters-down-gdpr" data-original-url="https://www.itpro.com/policy-legislation/data-protection/368309/uk-data-reform-bill-waters-down-gdpr">Data Reform Bill</a>, a proposed law that would rework the General Data Protection Regulation (GDPR) to be more flexible and less stringent, according to the government. The bill is set to scrap what the government called “red tape and pointless paperwork," and will also include a restructure of the ICO.</p><p>This restructure will require the ICO to consider factors like economic growth, innovation, and competition when making its judgements, instead of solely following the letter of the law.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MoJ faces £17.5m GDPR fine over subject access request backlog ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/data-protection/362025/moj-ps175m-fine-subject-access-request-backlog</link>
                                                                            <description>
                            <![CDATA[ The Information Commissioner's Office says the rights of data subjects are now being infringed by the processing delay ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8kdSUVfQ23JiAXkiHTcoWP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bN2c8M8qN5G35X3x4ZPX66-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 20 Jan 2022 12:52:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bN2c8M8qN5G35X3x4ZPX66-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A close up shot of the Ministry of Justice sign outside its headquarters in London]]></media:description>                                                            <media:text><![CDATA[A close up shot of the Ministry of Justice sign outside its headquarters in London]]></media:text>
                                <media:title type="plain"><![CDATA[A close up shot of the Ministry of Justice sign outside its headquarters in London]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bN2c8M8qN5G35X3x4ZPX66-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK's Ministry of Justice (MoJ) has been served an enforcement notice by the Information Commissioner's Office (ICO) for failing to address and respond to a growing backlog of Subject Access Requests (SARs).</p><p>The MoJ is said to have contravened Chapter 3, Article 15 of the EU and UK GDPR, and section 45 of the <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a>, and has now been ordered to develop a recovery plan that includes details of how to remedy the outstanding SARs, and "take appropriate steps" to ensure future SAR submissions are timely notified of any delays to a response.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/data-protection/359915/government-to-consider-gutting-gdpr-rules" data-original-url="/policy-legislation/data-protection/359915/government-to-consider-gutting-gdpr-rules">UK government to consider gutting GDPR rules</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/data-protection/31623/what-is-a-subject-access-request" data-original-url="/data-protection/31623/what-is-a-subject-access-request">What is a subject access request?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/general-data-protection-regulation-gdpr/34665/gdpr-where-does-the-fine-money-go" data-original-url="/general-data-protection-regulation-gdpr/34665/gdpr-where-does-the-fine-money-go">GDPR fines: Where does the money go?</a></p></div></div><p><a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" 
data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">The ICO</a> said it issued the enforcement notice after considering, and agreeing, that "damage or distress is likely" as a result of the delay in SAR processing, which meant subjects were "being denied the opportunity of properly understanding what personal data may be being processed about them by the controller". Data subjects were also deemed to have been unable to exercise their statutory rights in respect of their data.</p><p>At its peak, it's believed the subject access request backlog had grown as high as 7,753.</p><p>The ICO acknowledged the difficulties faced by the MoJ, especially as pandemic restrictions limited its ability to process SARs. However, the "substantial number" of SARs that are out of time for compliance was "a cause of significant concern for the Commissioner," the ICO said in the <a href="https://ico.org.uk/media/action-weve-taken/enforcement-notices/4019412/the-minstry-of-justice-en-20220112.pdf">enforcement notice</a>.</p><p>It added that "previous meetings and correspondence between the controller and commissioner have proven largely ineffective in reducing the number of outstanding SARs".</p><p>Failure to meet the demands of the enforcement notice will result in a fine of £17.5 million or 4% of its annual global turnover, whichever is higher. The MoJ has 28 days to appeal the notice.</p><p>"We take our responsibilities seriously and have set out an action plan to clear the backlog," an MoJ spokesperson told <em>IT Pro</em>.</p><p>"The MoJ devotes significant resources to meeting these legal obligations, and we have hired extra staff to assist in clearing outstanding requests," they added. 
"The pandemic has had an unprecedented impact on our work, but we responded quickly and adapted ways of working to continue to provide a level of service to requestors.</p><p>"We have engaged in constructive dialogue with the ICO before and throughout the pandemic and have a clear action plan we have in place to clear the backlog."</p><h3 class="article-body__section" id="section-timeline-of-events"><span>Timeline of events</span></h3><p>The ICO originally became aware of a backlog at the MoJ on 7 January 2019, which resulted in conversations with the <a href="https://www.itpro.com/strategy/29856/data-controllers-responsibilities" data-original-url="https://www.itpro.com/strategy/29856/data-controllers-responsibilities">data controller</a> over the following year. This almost led to an enforcement notice being issued - a formal exercise of the Commissioner's powers for violations of <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures" data-original-url="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures">data protection</a> law - which was ultimately delayed due to the pandemic.</p><p>According to the ICO, the pandemic "led to a shift in Commissioner's approach to regulatory action" and saw the investigation into the MoJ paused. New societal restrictions affected the MoJ's ability to respond to the backlog of SARs, the data controller told the ICO in an October 2020 update. 
Urgent cases were being prioritised, such as those affecting legal proceedings, police investigations, and immigration hearings.</p><p>The ICO said contact between it and the MoJ resumed in March 2021 and by April, it became aware that the MoJ was facing 5,956 outstanding SARs to which the MoJ had only partially responded. A total of 372 of these dated back as far as 2018.</p><p>Regular progress updates from the MoJ regarding how it was addressing the backlog were then requested by the ICO and by May 2021, the backlog had grown to 6,398. The backlog grew further to 7,753 by August 2021 after the MoJ said it predicted the resumption of a full SAR service by "summer/autumn 2021". 
It also said that of the near-8,000 outstanding cases, 25 received no response at all and around 960 predated the pandemic.</p><p>The MoJ promised to address the pre-pandemic cases first, setting itself a deadline of 31 May 2022, after which time it "will then move forward with plans to revisit the remaining 6,772 partial response cases in the timeliest way achievable".</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cabinet Office fined £500,000 for New Year Honours data leak ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/361732/ico-fines-cabinet-office-ps500000-for-new-year-honours-data-leak</link>
                                                                            <description>
                            <![CDATA[ Error led to more than 1,000 people having their names and corresponding addresses posted online ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">96VovwqhXkFrbgxtuauouu</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/tQnwjtg5RRbCuCLeA5Yns6-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 03 Dec 2021 10:40:45 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/tQnwjtg5RRbCuCLeA5Yns6-1280-80.jpg">
                                                            <media:credit><![CDATA[The Information Commissioner's Office]]></media:credit>
                                                            <media:description><![CDATA[The exterior of the ICO's offices]]></media:description>
                                                            <media:text><![CDATA[The exterior of the ICO's offices]]></media:text>
                                <media:title type="plain"><![CDATA[The exterior of the ICO's offices]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/tQnwjtg5RRbCuCLeA5Yns6-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner's Office (ICO)</a> has fined the Cabinet Office £500,000 for a 2020 data leak that exposed the full names and addresses of the New Year Honours recipients on its gov.uk web page.</p><p>More than 1,000 people were affected by the leak, with some complaining that they felt concerned for their personal safety. Notable inclusions in the list were Sir Elton John, Dame Olivia Newton-John, and Sir Iain Duncan Smith.</p><p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">ICO</a> concluded the Cabinet Office had breached the <a 
href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a> as a result, and was punished according to the rules set out by the General Data Protection Regulation (GDPR).</p><p>It was also found that the Cabinet Office failed to implement the appropriate technical and organisational measures in its IT systems to protect the data of those affected.</p><p>"When <a href="https://www.itpro.com/security/data-breaches/358455/10-ways-to-protect-your-company-from-the-next-big-data-breach" data-original-url="https://www.itpro.com/security/data-breaches/358455/10-ways-to-protect-your-company-from-the-next-big-data-breach">data breaches</a> happen, they have real life consequences," said Steve Eckersley, ICO Director of Investigations. "In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.</p><p>"The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety," he added.</p><p>“The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda."</p><p>The IT system in question was implemented in 2019 but was misconfigured, according to the ICO. 
It generated a .CSV file for the New Year Honours list, which included full names and corresponding home addresses, before posting it online.</p><p>The team responsible for generating and publishing the list was under tight deadlines, the ICO reported, and instead of fixing the system it attempted to amend the file. However, each time a new file was generated, the .CSV file still included full addresses.</p><p>Although the file was removed shortly after it was posted online, a cached version remained accessible to the public. 
The ICO reported the file was accessed 3,872 times in the period of two hours and 21 minutes that it was online.</p><p>The Cabinet Office confirmed that there were no specific or written processes in place at the time to sign off documents and content containing personal data prior to being sent for publication.</p><p>The ICO acknowledged the swiftness of the Cabinet Office's <a href="https://www.itpro.com/security/28810/how-to-react-to-a-data-breach" data-original-url="https://www.itpro.com/security/28810/how-to-react-to-a-data-breach">response</a>: the Cabinet Office undertook a full incident review, which has led to operational and technical improvements, and an independent review was launched into the incident.</p><p>"The Cabinet Office would like to reiterate our apology for this incident," it said in a statement to <em>IT Pro</em>. "We took action to mitigate any potential harm by immediately informing the Information Commissioner and everyone affected by the breach.</p><p>"We take the findings of the Information Commissioner very seriously, and have completed an internal review as well as implemented a number of measures to ensure this does not happen again. This includes a review of the overall security of the system, information management training and improving internal processes for how data is handled by the honours team.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO publishes new data protection standards for the adtech industry  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/data-protection/361656/ico-publishes-new-data-protection-standards-for-the</link>
                                                                            <description>
                            <![CDATA[ The new rules apply to new online advertising strategies which must place protections for users at the forefront ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bCoKY3EnQoCLy3tphCjiKA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dp3vwfsfpSJLQJES7D7iXe-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Nov 2021 11:39:27 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dp3vwfsfpSJLQJES7D7iXe-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                            <media:description><![CDATA["Privacy" written atop a circuit board]]></media:description>
                                                            <media:text><![CDATA["Privacy" written atop a circuit board]]></media:text>
                                <media:title type="plain"><![CDATA["Privacy" written atop a circuit board]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dp3vwfsfpSJLQJES7D7iXe-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner's Office (ICO) unveiled new mandatory data protection standards for the advertising technology (adtech) industry on Thursday.</p><p>The new rules apply to companies designing new methods of online advertising and stipulate that data protection laws must be followed and excessive data collection must cease, in line with the UK's <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a>.</p><p>The <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" 
data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">ICO</a> published a Commissioner's Opinion which states data protection of users must be placed at the forefront of any advertising strategy designed by <a href="https://www.itpro.com/technology/artificial-intelligence-ai/359571/the-future-of-ai-in-advertising-and-media" data-original-url="https://www.itpro.com/technology/artificial-intelligence-ai/359571/the-future-of-ai-in-advertising-and-media">adtech</a> firms.</p><p>“Ultimately, new online advertising proposals should improve trust and confidence in the digital economy, instead of weakening it,” the Opinion reads. “Solutions should be privacy-respectful while ensuring they give due consideration to other relevant laws.”</p><p>Users will have to be given clear opportunities to receive ads without tracking, profiling, or targeting based on excessive collection of personal data, the ICO said.</p><p>Accountability throughout the entire <a href="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures" data-original-url="https://www.itpro.com/data-protection/28177/data-protection-policies-and-procedures">data collection</a> and <a href="https://www.itpro.com/strategy/29856/data-controllers-responsibilities" data-original-url="https://www.itpro.com/strategy/29856/data-controllers-responsibilities">processing</a> lifecycle is also now mandatory, with companies having to prove who is responsible for what task at each stage of the advertising strategy.</p><p>Each strategy must clearly identify the purposeful processing of personal data and consider ways to reduce harm and mitigate risks to individual users before any processing takes place.</p><p>Adtech companies must be fair and transparent about the benefits of data collection, articulating this to the users explicitly, and afford users ‘meaningful control’ over processing where possible.</p><p>The standard data 
collection and processing rules as set out by the Data Protection Act 2018 will also apply, such as the principle of <a href="https://www.itpro.com/technology/machine-learning/361652/ibm-unveils-world-first-machine-learning-training-method-for" data-original-url="https://www.itpro.com/technology/machine-learning/361652/ibm-unveils-world-first-machine-learning-training-method-for">data minimisation</a>.</p><p>"What we found during our ongoing adtech work is that companies are collecting and sharing a person’s information with hundreds, if not thousands of companies, about what that person is doing and looking at online in order to show targeted ads or content," said Elizabeth Denham, information commissioner at the ICO. "Most of the time, individuals are not aware that this is happening or have not given their explicit consent. 
This must change.</p><p>"I am looking for solutions that eliminate intrusive online tracking and profiling practices, and give people meaningful choice over the use of their personal data," she added. "My office will not accept proposals based on underlying adtech concepts that replicate or seek to maintain the status quo."</p><p>The ICO said Google's Privacy Sandbox is currently one of the leading proposals in the industry and that it is working with the Competition and Markets Authority (CMA) to review how the model can be applied in the UK.</p><p>Google's Privacy Sandbox aims to replace the use of third-party cookies with other technologies to enable digital advertising. The project is currently subject to <a href="https://www.itpro.com/security/privacy/358933/google-privacy-sandbox-added-to-us-antitrust-compaint" data-original-url="https://www.itpro.com/security/privacy/358933/google-privacy-sandbox-added-to-us-antitrust-compaint">antitrust allegations</a> in the US and EU as it forces advertisers to work with Google on ads.</p><p>The ICO <a href="https://www.itpro.com/policy-legislation/33889/ico-claims-adtech-industry-violating-data-protection-laws" data-original-url="https://www.itpro.com/policy-legislation/33889/ico-claims-adtech-industry-violating-data-protection-laws">drew attention to failings in the adtech industry in 2019</a>, saying it had found massive illegality in the space with numerous violations of data protection laws, particularly with real-time bidding.</p><p>Despite this, the data regulator was <a href="https://www.itpro.com/data-insights/data-processing/354573/ico-faces-legal-action-over-failure-to-regulate-adtech" data-original-url="https://www.itpro.com/data-insights/data-processing/354573/ico-faces-legal-action-over-failure-to-regulate-adtech">threatened with legal action</a> by the Open Rights Group, which alleged it had failed to enforce data protection law against adtech firms that were falling foul of it.</p><p>The threat of legal proceedings <a 
href="https://www.itpro.com/policy-legislation/information-commissioner/358402/ico-restarts-adtech-probe-following-threats-of" data-original-url="https://www.itpro.com/policy-legislation/information-commissioner/358402/ico-restarts-adtech-probe-following-threats-of">prompted the ICO to restart its probe into the industry</a> after it was initially paused, saying it didn’t want to put undue pressure on the industry as the COVID-19 pandemic started to take hold in the UK.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Celebrity data leaked after ransomware attack on London's Graff jewellers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/361409/london-jeweller-graff-conti-ransomware-celebrity-leak</link>
                                                                            <description>
                            <![CDATA[ Russia-based Conti ransomware group is demanding tens of millions in cryptocurrency ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fW8y9TWrcQgUcKbXpFb1Za</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VqYmnwSEbEgXgDERk5hYxa-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Nov 2021 12:52:42 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VqYmnwSEbEgXgDERk5hYxa-1280-80.jpg">
                                                            <media:credit><![CDATA[Graff store in London]]></media:credit>
                                                                                                                                                                        <media:description><![CDATA[Graff store in London]]></media:description>                                                            <media:text><![CDATA[Graff store in London]]></media:text>
                                <media:title type="plain"><![CDATA[Graff store in London]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VqYmnwSEbEgXgDERk5hYxa-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>London-based diamond specialist Graff has reportedly been hit by a ransomware attack, prompting an investigation from the Information Commissioner's Office (ICO).</p><p>The attack is believed to have been carried out by Conti, an infamous Russia-based ransomware group that has also been blamed for a recent <a href="https://www.itpro.com/security/ransomware/360988/cisa-fbi-and-nsa-issue-a-conti-ransomware-advisory" data-original-url="https://www.itpro.com/security/ransomware/360988/cisa-fbi-and-nsa-issue-a-conti-ransomware-advisory">uptick in attacks</a> across the US.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/360511/resentful-hacker-exposes-conti-ransomware-gangs-tools" data-original-url="/security/ransomware/360511/resentful-hacker-exposes-conti-ransomware-gangs-tools">Resentful hacker exposes Conti ransomware gang’s tools</a> What is ransomware? <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/361250/how-not-to-get-hit-by-ransomware-in-2022" data-original-url="/security/ransomware/361250/how-not-to-get-hit-by-ransomware-in-2022">How not to get hit by ransomware in 2022</a></p></div></div><p>A total of 69,000 documents have been leaked on the dark web already, a number which represents just 1% of the total files Conti has stolen, the hacking group claimed. The list of victims includes high-profile names such as ex-footballers David Beckham and Frank Lampard, former president Donald Trump, actors Tom Hanks and Samuel L Jackson, and disgraced businessman Sir Philip Green, according to the <em>Mail on Sunday,</em> which first reported the story.</p><p>“We have received a report from Graff Diamonds Limited regarding a ransomware attack," said the ICO, in an email to <em>IT Pro</em>. 
"We will be contacting the organisation to make further enquiries in relation to the information that has been provided."</p><p>It's believed 11,000 of the company's customers may be affected, 600 of whom are UK nationals, according to the <em>Mail on Sunday</em>. Information such as client lists, invoices, receipts, and credit notes was included in the hack.</p><p>In some cases, customer names and addresses used for billing and shipping were included, and in other cases details of what the customer bought - and the cost of said items - were leaked online.</p><p>Conti is believed to be demanding a sum in the tens of millions in order to prevent the further release of customer information; however, Graff has said it has been able to rebuild and restart its systems with no permanent loss of customer data.</p><p>"Regrettably we, in common with a number of other businesses, have recently been the target of a sophisticated – though limited – cyber attack by professional and determined criminals," said Graff in a statement. "We were alerted to their intrusive activity by our security systems, allowing us to react swiftly and shut down our network. We notified, and have been working with, the relevant law enforcement agencies and the ICO.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TDddJPsRCmdrr35SdPri7g" name="TDddJPsRCmdrr35SdPri7g.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TDddJPsRCmdrr35SdPri7g.jpg" mos="https://cdn.mos.cms.futurecdn.net/TDddJPsRCmdrr35SdPri7g.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>How to reduce the risk of phishing and ransomware</strong></p><p class="fancy-box__body-text">Top security concerns and tips for mitigation</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/360247/how-to-reduce-the-risk-of-phishing-and-ransomware" data-original-url="/security/ransomware/360247/how-to-reduce-the-risk-of-phishing-and-ransomware">FREE DOWNLOAD</a></p></div></div><p>"We have informed those individuals whose personal data was affected and have advised them on the appropriate steps to take."</p><p>Conti's recent surge in activity prompted the US' CISA, FBI, and NSA to release a <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-265a">joint advisory</a> to US and international businesses alerting them to the group's most common attack methods.</p><p>These include <a href="https://www.itpro.com/security/29093/what-is-phishing" data-original-url="https://www.itpro.com/security/29093/what-is-phishing">spearphishing campaigns</a>, exploiting stolen or weak remote desktop protocol (RDP) credentials, fake software promoted through web adverts, and common vulnerabilities in external assets.</p><p>The attack follows a string of major raids on international businesses attributed to Conti. Nokia subsidiary SAC Wireless <a href="https://www.itpro.com/mobile/mobile-phones/360678/nokia-subsidiary-reveals-data-breach-following-conti-ransomware-raid" data-original-url="https://www.itpro.com/mobile/mobile-phones/360678/nokia-subsidiary-reveals-data-breach-following-conti-ransomware-raid">said</a> it had fallen victim to a Conti ransomware attack in June, while 16 US healthcare and first responder organisations <a href="https://www.itpro.com/security/ransomware/359646/16-us-health-and-first-responder-organisations-targeted-with-conti" data-original-url="https://www.itpro.com/security/ransomware/359646/16-us-health-and-first-responder-organisations-targeted-with-conti">were also targeted</a> just one month prior.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO launches AI risk assessment toolkit for businesses ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/information-commissioner/360309/ico-launches-ai-and-data-protection-tool-kit</link>
                                                                            <description>
                            <![CDATA[ The watchdog is calling for organisations to test its beta data assessment package on live AI applications ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qTpe6MVjL3hBCBoRm3Mqc3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KH4hUZ5X4rZjXPGdVjFGsP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 21 Jul 2021 10:25:01 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Bobby Hellard ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsR2tHSyVKUoyXZF5pNsDA.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KH4hUZ5X4rZjXPGdVjFGsP-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                    <media:description><![CDATA[The ICO's website on a mobile phone]]></media:description>
                                    <media:text><![CDATA[The ICO's website on a mobile phone]]></media:text>
                                    <media:title type="plain"><![CDATA[The ICO's website on a mobile phone]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KH4hUZ5X4rZjXPGdVjFGsP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" target="_blank" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico#:~:text=The%20Information%20Commissioner's%20Office%20(ICO)%20is%20the%20UK's%20data%20protection,Data%20Protection%20Regulation%20(GDPR).">The Information Commissioner's Office</a> (ICO) is launching a risk assessment toolkit for businesses so they can check if their use of artificial intelligence (AI) systems breaches data protection laws.</p><p>The AI and Data Protection Risk Assessment Toolkit, available in beta, draws upon the <a href="https://www.itpro.com/technology/32405/ico-appoints-in-house-expert-to-investigate-ai-effect-on-data-privacy" target="_blank" data-original-url="https://www.itpro.com/technology/32405/ico-appoints-in-house-expert-to-investigate-ai-effect-on-data-privacy">regulator's previously published guidance on AI</a>, as well as other publications provided by the Alan Turing Institute. 
</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/strategy/28181/what-is-ai" data-original-url="/strategy/28181/what-is-ai">What is AI?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">What is the Information Commissioner’s Office (ICO)?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/business-operations/33853/ibm-to-snuff-out-ai-bias-with-updated-watson-openscale" data-original-url="/business-operations/33853/ibm-to-snuff-out-ai-bias-with-updated-watson-openscale">IBM to snuff out AI bias with updated Watson OpenScale</a></p></div></div><p>The toolkit contains risk statements that organisations can use while processing personal data to understand the implications this can have for the rights of individuals. It will also provide suggestions for best practices that companies can put in place to manage and mitigate risks and ensure they're complying with data protection laws. </p><p>It's based on an auditing framework, according to the ICO, which was developed by its internal assurance and investigation teams <a href="https://www.itpro.com/policy-legislation/33256/ico-seeks-expert-input-on-ai-regulation" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/33256/ico-seeks-expert-input-on-ai-regulation">following a call for help from industry leaders back in 2019</a>. </p><p>The framework provides a clear methodology to audit AI applications and ensures they process personal data in compliance with the law. 
The ICO said that if an organisation is using AI to process personal data, then by using its toolkit, it can have high assurance that it is complying with data protection legislation.</p><p>"We are presenting this toolkit as a beta version and it follows on from the successful launch of the alpha version in March 2021," said Alister Pearson, the ICO's Senior Policy Officer for Technology and Innovation Service. "We are grateful for the feedback we received on the alpha version. We are now looking to start the next stage of the development of this toolkit.</p><p>"We will continue to engage with stakeholders to help us achieve our goal of producing a product that delivers real-world value for people working in the AI space. We plan to release the final version of the toolkit in December 2021."</p><p>The ICO has urged anyone interested in testing the toolkit on a live AI application to get in contact with the regulator via email (AI@ico.org.uk).</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MPs turn on the ICO over contact-tracing fiasco ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/information-commissioner/356845/mps-turn-on-ico-over-contact-tracing-system</link>
                                                                            <description>
                            <![CDATA[ Open Rights Group says there is "something rotten at the heart of the ICO" for not acting on the government's "unlawful behaviour" ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aRwmH7HoBUb8sXKkQXrAx</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/cQGc83TDRDinVdnAQW5Vrc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 21 Aug 2020 09:20:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Bobby Hellard ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsR2tHSyVKUoyXZF5pNsDA.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/cQGc83TDRDinVdnAQW5Vrc-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[NHS app]]></media:description>                                                            <media:text><![CDATA[NHS app]]></media:text>
                                <media:title type="plain"><![CDATA[NHS app]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/cQGc83TDRDinVdnAQW5Vrc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>More than 20 MPs across four political parties have accused the UK's data regulator of failing to hold the government to account over privacy failures in the NHS Test and Trace system. </p><p>The politicians want the Information Commissioner Elizabeth Denham to consider fining the government after it admitted that it failed to conduct a legally required impact assessment on privacy, according to <a href="https://www.theguardian.com/uk-news/2020/aug/21/mps-criticise-privacy-watchdog-information-commissioner-nhs-test-and-trace-data" target="_blank"><em>The Guardian</em></a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" data-original-url="/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">What is the Information Commissioner’s Office (ICO)?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app" data-original-url="/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app">UK government to launch coronavirus 'contact tracking' app</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/data-protection/356503/government-admits-breaking-gdpr-laws-in-nhs-track-and" data-original-url="/policy-legislation/data-protection/356503/government-admits-breaking-gdpr-laws-in-nhs-track-and">UK gov admits Track and Trace scheme 'breaches GDPR’</a></p></div></div><p>A letter signed by 22 MPs suggests the government should receive a penalty "if it fails to adhere to the standards which the ICO is responsible for upholding".</p><p>Liberal Democrat MP Daisy Cooper, one of the letter's signatories, said the government had "seemingly played fast and loose with data 
protection measures" during the pandemic. </p><p>"The public needs a data regulator with teeth: the ICO must stop sitting on its hands and start using its powers - to assess what needs to change and enforce those changes - to ensure that the government is using people's data safely and legally," she said.</p><p>The letter was arranged by the Open Rights Group, which <a href="https://www.itpro.com/security/privacy/355867/open-rights-group-legal-challenge-test-and-trace" target="_blank" data-original-url="https://www.itpro.com/security/privacy/355867/open-rights-group-legal-challenge-test-and-trace">successfully forced the government to admit its failure to perform a data protection impact assessment</a>. It features signatures from Labour, the Lib Dems, the Green Party and the Scottish National Party. </p><p>"There is something rotten at the heart of the ICO that makes them tolerate government's unlawful behaviour," said Jim Killock, executive director of the Open Rights Group.</p><p>"The ICO is a public body, funded by the taxpayers, and accountable to parliament. They must now sit up, listen and act. As a regulator, ICO must ensure that the government upholds the law."</p><p>In July, the government conceded that its <a href="https://www.itpro.com/policy-legislation/data-protection/356503/government-admits-breaking-gdpr-laws-in-nhs-track-and" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/data-protection/356503/government-admits-breaking-gdpr-laws-in-nhs-track-and">contact-tracing programme had been operating unlawfully</a> since it launched on 28 May. In a letter to campaigners, a government solicitor stated that NHS Track and Trace was developed at such pace and scale that it wasn't anywhere close to a primary focus.</p><p>"The Johnson government brought this programme forward more quickly than was practical, and we are all paying the consequences. Privacy is fundamental to trust," said Clive Lewis, the Labour MP for Norwich South.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO to relax GDPR enforcement during coronavirus economic downturn ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/policy-legislation/general-data-protection-regulation-gdpr/355337/ico-will-reduce-gdpr-fines-due-to</link>
                                                                            <description>
                            <![CDATA[ Fines for data breaches likely to be much lower until organisations can recover ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iH9wi4wzhXKWA3J4hwVy9t</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UHVV7j2Tce4uFVgsdLZyjV-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 16 Apr 2020 09:38:43 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UHVV7j2Tce4uFVgsdLZyjV-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[ICO logo]]></media:description>                                                            <media:text><![CDATA[ICO logo]]></media:text>
                                <media:title type="plain"><![CDATA[ICO logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UHVV7j2Tce4uFVgsdLZyjV-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK data regulator has said it will adopt a lighter touch while organisations weather the economic effects of COVID-19, meaning fewer investigations and reduced fines.</p><p>When issuing fines for <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" target="_blank" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a> and GDPR breaches, the <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico" target="_blank" data-original-url="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a> will now take into account whether an organisation’s financial difficulties result from the coronavirus crisis.</p><p>As such, businesses found to have committed <a href="https://www.itpro.com/data-protection/28020/data-protection-principles" target="_blank" data-original-url="https://www.itpro.com/data-protection/28020/data-protection-principles">data protection</a> violations may be given longer than usual to rectify breaches that predate the crisis, where the crisis has affected its ability to put things right.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/general-data-protection-regulation-gdpr/34665/gdpr-where-does-the-fine-money-go" data-original-url="/general-data-protection-regulation-gdpr/34665/gdpr-where-does-the-fine-money-go">GDPR fines: Where does the money go?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m" 
data-original-url="/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m">Data protection fines hit £100m during first 18 months of GDPR</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/general-data-protection-regulation-gdpr/31025/gdpr-fines-how-high-are-they-and-how-can-you-avoid" data-original-url="/general-data-protection-regulation-gdpr/31025/gdpr-fines-how-high-are-they-and-how-can-you-avoid">GDPR fines: How high are they, and how can you avoid them?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/data-breaches/354930/virgin-media-likely-to-face-maximum-gdpr-fine-following-data-leak" data-original-url="/security/data-breaches/354930/virgin-media-likely-to-face-maximum-gdpr-fine-following-data-leak">Virgin Media 'likely to face maximum GDPR fine' following data leak</a></p></div></div><p>The regulator will also reduce the level of fines it issues, <a href="https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf" target="_blank">according to fresh guidance</a>, meaning we aren’t likely to see fines of the same scale as those levied against British Airways and Marriott last year.</p><p>BA and Marriott were each issued notices of intent to fine <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/33972/british-airways-faces-record-183m-ico-gdpr-fine" target="_blank" data-original-url="https://www.itpro.com/general-data-protection-regulation-gdpr/33972/british-airways-faces-record-183m-ico-gdpr-fine">£183 million</a> and <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/33989/marriott-fined-99m-for-2018-data-breach" target="_blank" data-original-url="https://www.itpro.com/general-data-protection-regulation-gdpr/33989/marriott-fined-99m-for-2018-data-breach">£99 million</a> in 2019 for data breaches committed after GDPR came into force. After several delays, however, the ICO has pushed back collection of these fines to May 2020.</p><p>“We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures,” said the Information Commissioner Elizabeth Denham. “Against this backdrop, it is right that we must adjust our regulatory approach.</p><p>“It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation and supporting the UK as it steps forward in the global economy.”</p><p>The COVID-19 pandemic has <a href="https://www.itpro.com/business-strategy/digital-transformation/355152/it-pro-panel-coping-with-covid-19" target="_blank" data-original-url="https://www.itpro.com/business-strategy/digital-transformation/355152/it-pro-panel-coping-with-covid-19">affected different kinds of organisations in different ways</a>, with many struggling to stay in business, while others are migrating their workforce to <a href="https://www.itpro.com/agile-working/31887/how-do-i-best-support-my-remote-workers" target="_blank" data-original-url="https://www.itpro.com/agile-working/31887/how-do-i-best-support-my-remote-workers">remote working patterns</a>.</p><p>The data regulator’s intervention suggests it sees its role as one that’s dynamic and responsive to the wider economic situation, and that its priority is not to financially cripple businesses that violate the DPA.</p><p>Some things will remain the same, such as the 72-hour limit for organisations to report a data breach, although the guidance suggests there may be some leeway, because “the current crisis may impact this”.</p><p>When conducting investigations, moreover, the ICO will act in the context of the public health emergency and take into 
account the financial and staffing impact of the crisis on every business it examines.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="Xc7EaCG9cbXstGjH8MnEFb" name="Xc7EaCG9cbXstGjH8MnEFb.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/Xc7EaCG9cbXstGjH8MnEFb.jpg" mos="https://cdn.mos.cms.futurecdn.net/Xc7EaCG9cbXstGjH8MnEFb.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Don’t just collect data, innovate with it.</strong></p><p class="fancy-box__body-text">Removing the barriers to the experience economy</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/marketing-comms/customer-experience-cx/354045/dont-just-collect-data-innovate-with-it" data-original-url="/marketing-comms/customer-experience-cx/354045/dont-just-collect-data-innovate-with-it">FREE DOWNLOAD</a></p></div></div><p>In practice, this means a reduction in the use of formal powers to compel organisations to provide evidence, and allowing longer periods for them to respond. The ICO will also conduct fewer investigations overall, focussing its attention instead on those circumstances which suggest serious non-compliance.</p><p>In addition, the ICO may not act against organisations that fail to pay or renew data protection fees if this is successfully linked with the economic consequences of COVID-19.</p><p>All audit work, meanwhile, has been suspended, and all regulatory action in connection with outstanding information request backlogs has also been paused. 
Businesses have also been given some leeway on fulfilling Subject Access Requests (SARs), with the regulator noting that staff may need to prioritise other work during the crisis.</p><p>By watering down these considerations for action, and offering more flexibility for businesses that don’t stick to the rules, however, the ICO leaves itself open to the accusation that it’s softening the deterrent against breaching GDPR.</p><p>However, Eduardo Ustaran, global co-head of the privacy and cyber security practice at Hogan Lovells, argues the ICO is simply providing reassurance at a time of great uncertainty.</p><p>“The ICO is not saying that it will not fulfil its regulatory duties or enforce the law, but that it will take into account the hardships that many organisations are facing when undertaking those duties,” he said.</p><p>“It would be a mistake to think that the regulator's words mean that this is a ‘free for all’ scenario and extremely disingenuous of anyone to do so. As ever, data protection law needs to be looked at through the lens of common sense, and today that means taking into account the effect that the coronavirus crisis is having on everything.”</p><p>He added that it’s clear the ICO won’t stop “doing their job”, and that the organisation will continue to take firm action against those looking to exploit the situation by misusing personal information.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is GDPR? Everything you need to know, from compliance to fines ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know</link>
                                                                            <description>
                            <![CDATA[ What is GDPR and other questions answered in our complete guide to the data regulation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">692KFisbfsCEE5Un1UWBf7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Me3DZ25xfDSc9Jp3UvqQpS-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 16 Oct 2019 16:30:00 +0000</pubDate>                                                                                                                                <updated>Thu, 08 Aug 2024 10:51:23 +0000</updated>
                                                                                                                                            <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                <author><![CDATA[ keumars.afifi-sabet@futurenet.com (Keumars Afifi-Sabet) ]]></author>                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ David Howell ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Me3DZ25xfDSc9Jp3UvqQpS-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Facebook logo on a phone in front of a large background with Cambridge Analytica]]></media:description>                                                            <media:text><![CDATA[The Facebook logo on a phone in front of a large background with Cambridge Analytica]]></media:text>
                                <media:title type="plain"><![CDATA[The Facebook logo on a phone in front of a large background with Cambridge Analytica]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Me3DZ25xfDSc9Jp3UvqQpS-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/"><u>General Data Protection Regulation</u></a> (GDPR) came into force on 25 May 2018 to give individuals more control over their own data and impose strict limitations on how organizations can use personal information.</p><p>In an era where personal data has massive value to businesses, how this information is collected, stored, processed, and shared is now governed by the core principles of GDPR. Within the European Union, these principles are enforced by data regulators, and within the UK by the ICO (<a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico"><u>Information Commissioner&apos;s Office</u></a>).</p><p>Until GDPR, how businesses use the personal data of their customers was largely unregulated. Data scandals such as the <a href="https://www.itpro.com/data-protection/30792/cambridge-analytica-facebook-scandal"><u>Cambridge Analytica</u></a> incident showed that companies could, if unchecked, use this information to influence behaviour without the express permission of the person who owns that data.</p><p>GDPR helps to clarify how businesses and organizations should collect personal data and where this should be stored, including for businesses trading across national borders. The regulation applies to all businesses operating across each EU Member State, and to any business processing data belonging to an EU citizen. </p><p>The regulation also brings much tougher sanctions for those businesses found to have fallen foul of the rules. Relevant data regulators now have the power to fine a business up to €20 million, or 4% of global annual turnover, whichever is higher.</p><p>The UK is in a somewhat unique position given its previous relationship with the EU. The UK was developing its own data protection legislation in line with GDPR as part of its commitment as an EU Member State. 
Following Brexit, the UK continued this work in order to achieve adequacy status with the EU and maintain vital data flows. The result was the Data Protection Act 2018, which became the mechanism through which GDPR was incorporated into UK law, which is why it&apos;s often referred to as UK GDPR.</p><p>So long as your UK business fully complies with the Data Protection Act 2018, it will also be fully compliant with GDPR.</p><h2 class="article-body__section" id="section-why-was-gdpr-implemented"><span>Why was GDPR implemented?</span></h2><p>Over the course of the last quarter-century, the web and the movement of data have cemented themselves as fixtures in the operations of countless businesses. The rise of social media platforms, which host and exhibit vast amounts of personal data, has also highlighted the need for a set of data protection laws that are fit for purpose in the modern age.</p><p>It’s clear why rules such as those outlined in GDPR were required, given how some of the world’s biggest tech companies conduct their business. For many years, several platforms have offered services that are free to use but request personal and private data from their users, which is then processed and monetised. People aren’t paying when they use Google’s search engine, but their actions and movements are recorded and converted into data points. These are seen as very valuable to third parties and are especially sought after for purposes such as targeted advertising.</p><p>In the past, this type of data collection was often masked by unclear tick boxes or opt-in buttons. 
You might not even remember agreeing to them, and you almost certainly wouldn't have read the associated terms and conditions, but it's the reason you receive emails that aren't completely in line with your interests.</p><p>Perhaps the most egregious example of data misuse was <a href="https://www.itpro.com/data-protection/30792/cambridge-analytica-facebook-scandal" target="_blank" data-original-url="https://www.itpro.com/data-protection/30792/cambridge-analytica-facebook-scandal">Facebook&apos;s Cambridge Analytica scandal</a>, which dominated news headlines in early 2018. In that case, user data was found to have been improperly shared with a third-party app, which then used it to target users with advertising campaigns said to have influenced the outcome of the 2016 US election.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="LKz9bWBZf2hJRQib9LuxFA" name="" alt="The Facebook logo on a phone in front of a large background with Cambridge Analytica" src="https://cdn.mos.cms.futurecdn.net/LKz9bWBZf2hJRQib9LuxFA.jpg" mos="https://cdn.mos.cms.futurecdn.net/LKz9bWBZf2hJRQib9LuxFA.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>A separate aim of GDPR is to make it easier and cheaper for companies to comply with data protection rules. The EU&apos;s 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. This meant that data protection laws were inconsistent across the bloc, making data transfers overly cumbersome. 
The nature of GDPR as a regulation, and not a directive, means it applies directly without needing to be turned into national law, creating fewer variations in interpretation between member states. The EU believes GDPR will not only create smooth data flows but also collectively save companies £2.3 billion a year.</p><h2 class="article-body__section" id="section-when-did-gdpr-come-into-effect"><span>When did GDPR come into effect?</span></h2><p>GDPR came into effect on 25 May 2018, applying automatically to all member states and to any international organisation that deals with customers and clients who are residents of the EU. Because GDPR is a regulation, not a directive, the UK did not need to draw up new legislation; instead, it applied automatically.</p><p>As the UK prepares to leave the European Union, it has also introduced new data protection legislation under the <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018" target="_blank" data-original-url="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a>. This new act covers certain provisions that are not part of GDPR, such as processing relating to immigration and automatic processing in public bodies. GDPR will be implemented into UK law as part of the European Union (Withdrawal) Act, and will sit alongside the DPA 2018 going forward. This has been necessary in order to demonstrate that the UK has robust enough data protection laws in place to protect EU data, which is needed in order to secure an adequacy agreement with the EU post-Brexit.</p><h2 class="article-body__section" id="section-who-does-the-gdpr-apply-to"><span>Who does the GDPR apply to?</span></h2><p>If you don't think you need to respect the GDPR legislation, you're likely to find yourself in hot water sooner or later. 
Whether your business operates with clients in the EU or outside it, it's vital you respect the rules and make sure you're compliant with regulations.</p><p>Pretty much every business must comply with the EU's data laws, even if they're based in the US. This is because most companies have at least some data belonging to EU citizens stored on their servers. In order to process that data, the organisation must comply with GDPR principles.</p><p>However, if you truly have no dealings with the EU, you can avoid having to comply by using a traffic filter. By blocking any EU traffic to your website, you can make sure that only non-EU visitors can reach your site and enter their details.</p><p>It is obviously a technique only relevant for businesses that have no need for contact with EU citizens, such as US-based news sources. The <em>LA Times</em> is one company that has implemented this GDPR avoidance scheme.</p><h2 class="article-body__section" id="section-what-are-data-controllers-and-data-processors"><span>What are data controllers and data processors?</span></h2><p>Every business operates as either a <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/"><u>data controller</u></a> or <a href="https://www.itpro.com/business-operations/31681/what-is-data-processing"><u>data processor</u></a>, and often both at the same time.</p><p><strong>Data controllers</strong></p><p>A data controller is responsible for determining how and why data is collected, and for establishing how data should be processed. This means a controller could be any organization, from a high street retailer to a global manufacturing giant to a charity. Although controllers are ultimately responsible for how the data is handled, they are not necessarily the collectors of that data. 
</p><p>Your business&apos; data controller must show that your company has <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/the-principles/lawfulness-fairness-and-transparency/#:~:text=You%20must%20identify%20valid%20grounds,a%20way%20that%20is%20fair."><u>lawfully</u></a> collected personal data. What &apos;lawful&apos; means to your business must be defined carefully, as it is open to interpretation. If your business is unsure, consulting the ICO for clarity is essential to avoid potentially heavy fines.</p><p>Unlike under older data protection laws, the controller and the processor are jointly liable for financial penalties in the case of a data breach, or if the processor is found to have handled data illegally.</p><p><strong>Data processor</strong></p><p>Data processors are any entities that &apos;process&apos; data on behalf of a data controller. <a href="https://www.itpro.com/business-operations/31711/what-is-a-managed-it-service">Managed service providers (MSPs)</a> are one of the most common third-party data processors you&apos;re likely to encounter; however, a data processor can also exist within the same company as a controller.</p><p>Data processors have their own compliance requirements, including maintaining robust records of their processing activities; however, they are required to process data only within the scope established by the data controller.</p><p>It&apos;s important to note that whether an entity is a controller or a processor is entirely dependent on the relationship that entity has with the data. In some cases, a business may be a data controller while simultaneously providing data processing services for other companies. Likewise, a data processor can also be a controller for another set of data. 
</p><p>For example, every business is considered a data controller in the context of employee data.</p><h2 class="article-body__section" id="section-how-can-i-process-data-under-the-gdpr"><span>How can I process data under the GDPR?</span></h2><p>GDPR states that controllers must ensure that personal data is processed lawfully, transparently, and for a specific purpose.</p><p>That means people must understand why their data is being processed and how it is being processed, and that processing must abide by GDPR rules.</p><h2 class="article-body__section" id="section-how-do-i-get-consent-under-the-gdpr"><span>How do I get consent under the GDPR?</span></h2><p>Consent is at the core of the changes in how data is collected. Gone are the days when your company could assume consent to collect and use a customer&apos;s data.</p><p>Consent must be an active, affirmative action by the data subject. For example, your business can&apos;t offer a pre-ticked box for collecting personal data. The owner of that information must actively give their consent, which, in turn, must be recorded by your business.</p><p>Individuals have the right to withdraw consent and the right to be forgotten. There can be various reasons for this, but whatever they are, GDPR compels your business to delete this information and to inform any other parties that are using this data to also delete it from their systems.</p><p>Consent is generally thought of as the <a href="https://www.itpro.com/strategy/29644/irwin-mitchell-consent-will-be-a-weak-legal-basis-for-data-processing-under-gdpr" target="_blank" data-original-url="https://www.itpro.com/strategy/29644/irwin-mitchell-consent-will-be-a-weak-legal-basis-for-data-processing-under-gdpr">weakest legal basis for processing data</a>, as consent can be withdrawn at any time and thus grind processing to a halt. 
Unless your business is involved with media or marketing (or similar industries where consent is required), consent should be your last option.</p><h2 class="article-body__section" id="section-what-counts-as-personal-data-under-the-gdpr"><span>What counts as personal data under the GDPR?</span></h2><p>The type of data that falls under GDPR has also been expanded. Generally, any data that can identify an individual now comes under GDPR, including data such as IP addresses. Pseudonymized personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.</p><p>This includes:</p><ul><li>Names</li><li>Addresses</li><li>An identification number</li><li>Location data</li><li>Anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person</li></ul><h2 class="article-body__section" id="section-when-can-people-access-the-data-we-store-on-them"><span>When can people access the data we store on them?</span></h2><p>The new data protection laws strengthened one key aspect of the legislation that gives citizens the right to access the data organisations hold on them. Anybody, under GDPR, can submit a <a href="https://www.itpro.com/data-protection/31623/what-is-a-subject-access-request" target="_blank" data-original-url="https://www.itpro.com/data-protection/31623/what-is-a-subject-access-request">subject access request (SAR)</a> to an organisation. The data controller will then have 30 working days in which to provide a full response.</p><p>The provision was already part of UK law under the Data Protection Act 1998, but the time period stood at 40 working days. Failure to comply with the reduced window also exposes companies to regulatory action under the stricter terms of the GDPR. 
Twitter, for example, was <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/32141/twitter-faces-gdpr-probe-for-refusing-to-comply-with">subject to a GDPR investigation</a> for failing to provide users with the information they requested under this provision. The rule only applies, however, if the requests are deemed reasonable, as there are certain exemptions.</p><p>The data protection laws say controllers and processors must identify clearly how users' data is collected, what it's used for, and how it's processed. Any communications outlining this information, moreover, must be in clear and plain English so there's no risk of confusion on the part of users.</p><p>Submitting a SAR is, in effect, a mechanism individuals can use to exercise their power under the law and hold companies to account over how they use their data. It gives them the right to understand how their information is handled, and for what reasons. Customers can also ask for data to be removed, completed or brought up to date at any time if it is deemed incorrect.</p><h2 class="article-body__section" id="section-what-is-the-right-to-be-forgotten"><span>What is the Right to be Forgotten?</span></h2><p>GDPR makes it clear that people can have their data deleted at any time if it's no longer relevant, i.e. the company storing it no longer needs it for the purpose for which it was collected. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. 
They might do so because they object to how an organisation is processing their information, or simply don't want it collected anymore.</p><p>The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.</p><h2 class="article-body__section" id="section-how-to-report-a-data-breach-under-gdpr"><span>How to report a data breach under GDPR</span></h2><p>Under GDPR, a data breach constitutes any breach of security that leads to the accidental or unlawful loss, destruction, alteration, disclosure of, or unauthorised access to personal data.</p><p>However, only those breaches that are likely to lead to the infringement of the rights and freedoms of individuals are required to be <a href="https://ico.org.uk/for-organisations/report-a-breach/"><u>reported to the ICO</u></a>; organizations are not required to report every incident.</p><p>Regardless of the nature of the breach, an organization must take steps to contain it and establish its severity. As part of this process, the company must undertake a risk <a href="https://ico.org.uk/for-organisations/report-a-breach/pdb-assessment" target="_blank">self-assessment</a>.</p><p>If a data processor experiences a breach, it is required to inform the controller as soon as it becomes aware of the incident. Establishing these obligations as part of a contract is important, as both the controller and the processor will be liable for any failure to communicate the details of a data breach.</p><p>Affected parties have up to 72 hours to inform the ICO if they believe the breach risks the rights and freedoms of data subjects. Any failure to adhere to this timeframe will need to be justified. Affected parties can call the ICO on 0303 123 1113. 
They can also report a breach online, but only if they feel they have already dealt with the incident appropriately.</p><p>When reporting the breach, the following information must be provided:</p><ul><li>A description of the breach, including (if possible) the approximate number of people affected and the types and volume of personal records involved</li><li>The contact details of the affected organisation's data protection officer, or those of a contact that can provide further information</li><li>A description of the potential consequences of the breach</li><li>A description of the various measures the organisation has taken to deal with and mitigate the effects of the breach</li></ul><p>Some of this information may not be available within the 72-hour timeframe, so <strong>Article 33(4)</strong> allows for affected parties to provide details in phases, provided this is done without undue delay. However, any delay will need to be explained, and the party is still required to inform the ICO of a breach within 72 hours if deemed severe enough.</p><h2 class="article-body__section" id="section-what-are-the-fines-for-breaches-of-gdpr"><span>What are the fines for breaches of GDPR?</span></h2><p>GDPR massively increases the ceiling of fines. First of all, your organisation faces a penalty of up to <strong>2% of their annual turnover, or £10 million</strong>, for failing to report a data breach to the ICO within 72 hours of becoming aware of it. </p><p>That initial contact should outline the nature of the data that&apos;s affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you&apos;ve already actioned or plan to action in response. 
It&apos;s worth noting that the window is a fixed 72 hours after the discovery of an incident, and not 72 working hours, <a href="https://www.itpro.com/information-commissioner/31912/companies-over-reporting-data-breaches-as-ico-takes-500-calls-per" target="_blank" data-original-url="https://www.itpro.com/information-commissioner/31912/companies-over-reporting-data-breaches-as-ico-takes-500-calls-per">as some companies have been led to believe</a>.</p><p>Then there is the fine for a breach of personal data itself. Data breaches under GDPR could be punished by a maximum fine of 4% of your organisation&apos;s annual turnover, or £20 million, whichever is higher. In the UK, this translates to £17.5 million.</p><p>You can read <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/31025/gdpr-fines-how-high-are-they-and-how-can-you-avoid">our article on GDPR fines</a> for more information on this, but the regulation does make clear that fines must be "proportional", therefore you&apos;re unlikely to face the most severe penalty if it&apos;s a minor breach, or if you can demonstrate you are largely compliant with the legislation. 
The ICO itself has said it views fines as a "last resort".</p><p>GDPR certainly has teeth, as the fines already handed out have been substantial. For example, in 2023, Meta was fined €1.2 billion for failing to properly manage data transfers from Europe to the USA. <a href="https://www.itpro.com/security/data-protection/meta-to-fight-unjustified-record-dollar13-billion-gdpr-fine">Meta is appealing the fine</a>.</p><p>The Luxembourg National Commission for Data Protection (CNDP) <a href="https://www.itpro.com/policy-legislation/general-data-protection-regulation-gdpr/360444/amazon-faces-ps637-million-fine">issued a €746 million ($888 million) fine</a> to Amazon.com Inc. 
This fine resulted from 10,000 complaints against Amazon filed in May 2018 through La Quadrature du Net, a French privacy rights group that promotes and defends fundamental freedoms in the digital world.</p><p>In 2023, the ICO <a href="https://www.itpro.com/policy-legislation/information-commissioner/369164/tiktok-could-be-hit-with-ps27m-fine-for-failing">fined TikTok</a> Information Technologies UK Limited and TikTok Inc. £12.7 million for mishandling children&apos;s data. The company used the personal data of children under 13 without their parents&apos; consent.</p><p>In 2024, Amazon France Logistique was fined €32m by the French Data Protection Authority (CNIL) for excessively monitoring its employees. The company runs Amazon&apos;s warehouses in France, where employees carry devices that track their movements. The CNIL concluded that the data collected was often not needed and that it was poorly managed, with employees not being informed about the video surveillance they were under.</p><h2 class="article-body__section" id="section-did-brexit-affect-gdpr"><span>Did Brexit affect GDPR?</span></h2><p>Because the UK government only triggered Article 50 in March 2017, which set in motion the process of leaving the EU within a two-year timeframe, GDPR was actually implemented before the legal consequences of the Brexit vote took effect. The UK was still required to comply, and subsequently enshrined the principles of GDPR into UK law.</p><ul><li><a href="https://www.itpro.com/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other">GDPR and Brexit: How will one affect the other?</a></li></ul><h2 class="article-body__section" id="section-what-is-the-best-approach-for-complying-with-gdpr"><span>What is the best approach for complying with GDPR?</span></h2><p>Ultimately, GDPR is about protecting the personal data your company collects, stores, manipulates, transfers, and sells from unlawful use. 
It aims to put the power back into the hands of the data owners, who must now give your business explicit permission to use their data.</p><p>Paying close attention to the main principles of GDPR, assessing how they impact your business, and then making changes to processes should ensure full compliance. </p><p>Appointing a <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/30733/do-you-need-to-employ-a-data-protection-officer">data protection officer</a> is usually an excellent first step and will give your company a single point of contact for GDPR compliance.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is the Information Commissioner’s Office (ICO)? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico</link>
                                                                            <description>
                            <![CDATA[ Who is the Information Commissioner, what powers do they have, and how is data and privacy protection evolving? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5MEhmXyrpwhdgFtrbc5zsV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/osuKW7QGv3vtRfjZhW4fNX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Sep 2019 15:00:00 +0000</pubDate>                                                                                                                                <updated>Sat, 07 Sep 2024 11:36:31 +0000</updated>
                                                                                                                                            <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ David Howell ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/QST9gbWQZLs5T4KfoM2StL.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/osuKW7QGv3vtRfjZhW4fNX-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A view of the front of the Information Commissioner&#039;s Office (ICO) in Wilmslow]]></media:description>                                                            <media:text><![CDATA[A view of the front of the Information Commissioner&#039;s Office (ICO) in Wilmslow]]></media:text>
                                <media:title type="plain"><![CDATA[A view of the front of the Information Commissioner&#039;s Office (ICO) in Wilmslow]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/osuKW7QGv3vtRfjZhW4fNX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner&apos;s Office (ICO) is the UK&apos;s data protection watchdog charged with enforcing a host of laws that regulate communications, networking and data protection, although the organisation is most renowned for its role in enforcing the EU&apos;s <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know" target="_blank" data-original-url="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">General Data Protection Regulation (GDPR)</a>. The ICO is tasked with making sure that businesses within the UK comply with strict data protection principles.</p><p>The regulator has a number of roles and responsibilities, including investigating organisations that have suffered data breaches, imposing penalties where appropriate, and auditing companies&apos; data collection and storage practices. The ICO also regularly publishes reports on the state of data protection in the UK, emerging threats to the landscape and updates to how it operates.</p><p>A number of large organisations have felt the wrath of the ICO in recent years, with Uber, Equifax and Facebook among the companies issued with maximum fines under the previous legislation. 
The prospect of massive fines under GDPR, however, has made businesses more alert to reporting incidents, with the watchdog revealing recently that <a href="https://www.itpro.com/information-commissioner/31912/companies-over-reporting-data-breaches-as-ico-takes-500-calls-per" target="_blank" data-original-url="https://www.itpro.com/information-commissioner/31912/companies-over-reporting-data-breaches-as-ico-takes-500-calls-per">companies were over-reporting data breaches</a>, seemingly in an effort to be as compliant with the legislation as possible.</p><h2 id="the-history-of-the-ico">The history of the ICO</h2><p>The organization was founded in 1984 as the Data Protection Registrar, and its first leader was Eric Howe. Howe created the first database, the register of data users, after the introduction of the <a href="https://www.itpro.com/data-protection/28085/what-is-the-data-protection-act-1998">Data Protection Act 1998 (DPA)</a>. Howe&apos;s work raised public awareness of the importance of data protection and of the ways businesses collect data about their customers and commercial partners.</p><p>Howe was instrumental in raising the profile of the Data Protection Registrar, leading the prosecution of several companies that were found to have inadequate systems to protect the personal data they were collecting. These prosecutions sent a message to all businesses that the registrar had the power to investigate and fine companies in breach of the DPA. Howe retired in 1994 after being awarded a CBE for his services.</p><p>In the 1990s, the registrar conducted an internal audit to further define its role in society and its relationship with businesses. This work also ensured that the registrar could adequately enforce the Data Protection Act, which came into force in 1998. 
In 2000, the Data Protection Registrar changed its name to the Information Commissioner&apos;s Office (ICO) to reflect the changes in the collection, storage, manipulation, exchange, and sale of data. The ICO also began to oversee the <a href="https://www.itpro.com/policy-legislation/30218/what-is-a-freedom-of-information-foi-request"><u>Freedom of Information Act</u></a>.</p><p>The ICO we know today has a head office in London, with additional offices in Scotland, Wales and Northern Ireland. With a staff of over 500, the ICO is led by the Commissioner, John Edwards, who took up his post on 3 January 2022. The management board of the ICO also includes several deputy commissioners and non-executive directors.</p><p>The ICO is primarily funded through the data protection fees paid by organizations, which account for over 85% of its annual expenditure. Government grants-in-aid supplement this funding to support the ICO&apos;s regulation of other laws. Under the Data Protection Act 2018, organizations processing personal data must pay a data protection fee unless exempt. Personal data includes information such as names, addresses, or telephone numbers. </p><p>From 1 April 2022 to 31 March 2023, the ICO collected approximately £66 million through the data protection fee, up from £62 million in the previous year. Additionally, the ICO&apos;s regulation of other legislation is funded by grant-in-aid, receiving £10,298,000 from April 2022 to March 2023, compared to £7,578,000 in 2021/22.</p><h2 id="who-is-the-information-commissioner">Who is the Information Commissioner?</h2><p>The Commissioner is the most senior official at the ICO. 
The Commissioner is appointed by the Crown, and there have been six to date:</p><div ><table><tbody><tr><td class="firstcol " >Eric Howe</td><td  >1984 - 1994</td><td  >The first Data Protection Registrar</td></tr><tr><td class="firstcol " >Elizabeth France</td><td  >1994 - 2002</td><td  >She continued as the Data Protection Commissioner when the title changed</td></tr><tr><td class="firstcol " >Richard Thomas</td><td  >2002 - 2009</td><td  >The first to serve under the title of Information Commissioner</td></tr><tr><td class="firstcol " >Christopher Graham</td><td  >2009 - 2016</td><td  >Notable for introducing significant enforcement powers</td></tr><tr><td class="firstcol " >Elizabeth Denham</td><td  >2016 - 2021</td><td  >Played a vital role during the implementation of GDPR. Denham was also instrumental in the investigation into privacy rights that led to the fine of $260,000 (£200,000) against Arron Banks and Vote Leave over marketing breaches</td></tr><tr><td class="firstcol " >John Edwards</td><td  >2022 - present</td><td  >The current Information Commissioner, focusing on post-Brexit data protection challenges. Marketing campaigns have again been scrutinized, such as a sanction against HelloFresh, which failed to manage offer opt-outs correctly</td></tr></tbody></table></div><p>The Commissioner is not a neutral party either: as well as overseeing data privacy rights, the Commissioner is able to influence debate and even policy. </p><p>For example, with the rise of LFR (<a href="https://www.itpro.com/policy-legislation/33977/ico-neuters-uk-police-use-of-facial-recognition-technology"><u>live facial recognition</u></a>) technologies, the Commissioner openly stated that the technology poses "a potential threat to privacy." </p><p>In a blog post, the then Commissioner, Elizabeth Denham, said: "We understand the purpose is to catch criminals. However, these trials also represent thousands of people&apos;s widespread processing of biometric data as they go about their daily lives. 
I believe that there needs to be demonstrable evidence that the technology is necessary, proportionate, and effective considering the invasiveness of LFR."</p><h2 id="what-are-the-responsibilities-of-the-ico">What are the responsibilities of the ICO?</h2><p>The key responsibility of the ICO is to enforce the <a href="https://www.itpro.com/data-protection/34061/what-is-the-data-protection-act-2018">Data Protection Act 2018</a> and, by extension, <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR</a>. However, the ICO is also the enforcement organization for several other pieces of legislation, including:</p><ul><li>Privacy and Electronic Communications (EC Directive) Regulations 2003</li><li>The Freedom of Information Act 2000</li><li>Environmental Protection Public Sector Information Regulations 2004</li><li>Investigatory Powers Act 2016</li><li>Enterprise Act 2002</li><li>The eIDAS (Electronic Identification and Trust Services) Regulation 2014</li><li>Re-use of Public Sector Information Regulations 2015</li><li>The Network and Information Systems Regulation 2018</li></ul><p>All of these regulations have the collection and management of data at their core. The ICO, in effect, polices these Acts and regulations to safeguard personal privacy in an environment where data has become highly valuable. The lesser-known eIDAS is important to oversee, as this regulation governs the use of <a href="https://www.itpro.com/security/361576/what-are-cookies"><u>cookies</u></a> and how digital services are secured.</p><h2 id="what-powers-does-the-ico-have">What powers does the ICO have?</h2><p>When GDPR came into force, many news headlines covered the substantial fines businesses could face for any breach of the regulations. 
</p><p><em><strong>The maximum statutory fine is $23 million (£17.5 million) or 4% of the business&apos;s annual turnover – whichever is the higher.</strong></em></p><p>In 2023 alone, <a href="https://www.itpro.com/security/data-protection/ico-fines-topped-dollar14-million-in-2023-amid-crackdown-by-regulator-on-data-protection-standards"><u>ICO fines topped $18 million (£14 million)</u></a>, with the largest fine being handed to <a href="https://www.itpro.com/policy-legislation/information-commissioner/369164/tiktok-could-be-hit-with-ps27m-fine-for-failing"><u>TikTok for breaching the personal data privacy</u></a> of children using its platform. The reality is that the ICO will consider many factors before deciding on the level of fine for the breach or infringement.</p><p>The ICO states: "Fines aren&apos;t suitable for every breach. Our fines and penalties may grab the headlines, but we know that our work with organizations, helping you to make changes and improvements to comply with the law, is the most effective way of reducing mistakes and misuse of people&apos;s data. We&apos;re here to help you get data protection right, through our events and our support and advice services. If things go wrong, we want to work with you to decide what improvements we expect from you and provide advice to help you get it right in the future."</p><p>Recently, the ICO has been consulting on its Data Protection Fining Guidance, a consultation which closed in November 2023. The <a href="https://ico.org.uk/about-the-ico/consultation-on-draft-data-protection-fining-guidance-summary-of-responses/" target="_blank"><u>results of this consultation</u></a> and the responses from the ICO should be read by all data controllers to understand the five-point process the ICO will use to decide on the appropriate level of fine.</p><p>The ICO&apos;s powers are far-reaching. The Commissioner can comment on legislation and technologies in development that could impact data privacy. 
The ICO often makes spot checks to assess how businesses are managing their data protection responsibilities, such as whether <a href="https://www.itpro.com/data-protection/34416/how-to-perform-a-data-protection-impact-assessment-dpia-under-gdpr">DPIAs (Data Protection Impact Assessments)</a> are being carried out regularly.</p><p>As a data privacy watchdog, the ICO can prosecute or levy fines. However, the ICO has always striven to avoid being too adversarial. Indeed, it has developed many resources to <a href="https://ico.org.uk/for-organisations/advice-for-small-organisations/" target="_blank"><u>help businesses more easily comply</u></a> with data protection regulations.</p><h2 id="how-the-ico-plans-to-adapt-to-new-technology">How the ICO plans to adapt to new technology</h2><p>The ICO must adapt to rapidly evolving technological and regulatory landscapes to meet future data privacy needs. This includes the rise of <a href="https://www.itpro.com/strategy/28181/what-is-ai"><u>artificial intelligence</u></a> (AI), <a href="https://www.itpro.com/strategy/28071/what-is-machine-learning"><u>machine learning</u></a>, and the <a href="https://www.itpro.com/cloud-computing/28037/what-is-iot"><u>Internet of Things</u></a> (IoT). This will require developing advanced technical expertise to evaluate and regulate these technologies, ensuring they are used responsibly and ethically.</p><p>With data flows crossing borders, aligning with global data protection standards and fostering cooperation with international regulators will be crucial. This can help address the challenges posed by global data breaches and multinational corporations&apos; data practices. Empowering individuals with knowledge about their <a href="https://www.itpro.com/information-commissioner/31565/people-are-more-aware-of-their-data-rights-than-ever-before-says-ico"><u>data rights</u></a> and how to protect their personal information is essential. 
The ICO can enhance its outreach programs and leverage digital platforms to engage with the public more effectively.</p><p>As the value of personal data increases, the large data aggregators will continue to come under the spotlight of the ICO. <a href="https://www.itpro.com/security/data-protection/meta-delays-plans-to-train-ai-using-european-user-data"><u>Meta&apos;s plans to train AI on the personal data</u></a> it holds on billions of users were tempered by the ICO, with Stephen Almond, executive director of Regulatory Risk at the ICO, stating in June 2024: </p><p>"We are pleased that Meta has reflected on the concerns we shared from users of their service in the UK and responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI. In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset. We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of UK users are protected."</p><h3 class="article-body__section" id="section-john-edwards-on-ai-and-emerging-technology"><span>John Edwards on AI and emerging technology</span></h3><p>The ICO will oversee emerging technologies that are built on large datasets. Indeed, a speech given by Commissioner John Edwards began by focusing on the phenomenal expansion of <a href="https://www.itpro.com/technology/artificial-intelligence/generative-ai-training-in-the-crosshairs-as-ico-set-to-examine-legality-of-personal-data-use"><u>ChatGPT</u></a>.</p><p>Edwards stated: "People were simultaneously amused by the novelty of it and unnerved by its power. Questions started being asked about where ChatGPT was getting its information from and the pros and cons of using personal data to train the model. 
Our colleagues in Italy, the Garante, banned ChatGPT due to concerns over how it used people&apos;s personal information.</p><p>"AI and emerging tech can be a massive force for good. The strides forward we&apos;ve made in terms of healthcare, productivity, and transportation have been massive.</p><p>"However, organizations that use these technologies must be transparent with their users about how their information will be processed. It&apos;s the only way we continue to reap the benefits of AI and emerging technologies. I <a href="https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/12/john-edwards-speaks-at-techuk-digital-ethics-summit-2023/" target="_blank"><u>said at the end of last year</u></a> that 2024 cannot be the year that people lose trust in AI. I stand by that statement today."</p><p>Edwards concluded: "Ever since the ICO&apos;s inception in 1984, data protection law has been the principal form of regulation for new technologies. The same principles apply now as they always have – you need to look after people&apos;s information, be transparent about how you&apos;re using it and ensure it&apos;s accurate."</p><h3 class="article-body__section" id="section-enterprise-data-strategy-ico25"><span>Enterprise Data Strategy (ICO25)</span></h3><p>As the future of data privacy evolves, so too has the ICO. In 2022, the organization launched its <a href="https://ico.org.uk/about-the-ico/our-information/our-strategies-and-plans/ico-enterprise-data-strategy/"><u>Enterprise Data Strategy</u></a> (ICO25) to ensure it would be ready as a regulator to manage the fast pace of technological change taking place as you read this.</p><p>The Commissioner states: "As a regulator, we&apos;re shifting our guidance away from &apos;don&apos;t do&apos; to &apos;how to&apos;. In a similar way, our data strategy is setting an ambitious vision to &apos;show, not tell&apos;. 
We aspire to be an exemplar for responsible innovation in the use of data – one that can inspire and guide others through our own transformation."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Bounty fined by ICO for unlawfully sharing member data ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/33450/bounty-fined-by-ico-for-unlawfully-sharing-member-data</link>
                                                                            <description>
                            <![CDATA[ The company shared the data of 14 million people without gaining full permission to do so ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wB4GTZ3bYSUfAXfMaPyM2p</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/EMo9cH6dnqGJUtdew9chqP-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Mon, 15 Apr 2019 08:18:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/EMo9cH6dnqGJUtdew9chqP-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/EMo9cH6dnqGJUtdew9chqP-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Pregnancy and parenting club Bounty has been fined £400,000 for misusing customer data and sharing it with third parties without consent.</p><p>The company, which encourages new parents to sign up to exclusive offers shortly after giving birth, apparently unlawfully shared the details of 14 million people.</p><p>According to the Information Commissioner's Office (ICO), Bounty collected member data using sign-up forms on its website, in person as it circulated around UK maternity departments, and on merchandise pack claim cards.</p><p>However, the company also acted as a data broking service up until GDPR was introduced and shared the data supplied to it with other third parties. This is where the company failed to comply with the law and, as a result, it has been fined for breaching the Data Protection Act 1998.</p><p>It was found to have shared information with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky, without telling many of its users it planned to do so.</p><p>"The number of personal records and people affected in this case is unprecedented in the history of the ICO's investigations into the data broking industry and organisations linked to this," said Steve Eckersley, ICO's Director of Investigations.</p><p>"Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed. 
Bounty's actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time."</p><p>He added that by sharing the data in such a way, and given the nature of its business, Bounty has likely caused distress to many of its members. The data was found to include personal information such as details of their pregnancy status and children.</p><p>Bounty acknowledged the ICO's findings and said it had not previously taken a broad enough view of its responsibilities, according to Jim Kelleher, the company's managing director, who posted a statement on its website.</p><p>"This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted," he said. </p><p>"As the ICO has highlighted, we made significant changes to our processes in Spring 2018, reducing the number of personal records we retain and for how long we keep them, ending relationships with the small number of data brokerage companies with whom we previously worked and implementing robust GDPR training for our staff."</p><p>The company has now launched the Bounty Promise, which sets out that the firm will respect the data it holds, only collect what is necessary and not share data, and that an independent data expert will check on its practices every year.</p><p>"Before Spring 2018, our data handling processes did not meet the standards that could be expected of us. We made a mistake for which we are sorry. As well as improving our processes in Spring 2018, we have now launched the Bounty Promise," the company <a href="https://twitter.com/BountyUK/status/1116645681299640320">said on Twitter</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO unveils new tech strategy to tackle digital hurdles ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/information-commissioner/31689/ico-unveils-new-tech-strategy-to-tackle-digital-hurdles</link>
                                                                            <description>
                            <![CDATA[ The three-year plan sees the appointment of a new executive director for technology policy and innovation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">af45sAtGVh26e7HTKSMpri</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/XCRn8joXXfYZACjyvtoZWj-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 14 Aug 2018 11:36:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/XCRn8joXXfYZACjyvtoZWj-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A blue digital map of the world with abstract decorative elements]]></media:description>                                                            <media:text><![CDATA[A blue digital map of the world with abstract decorative elements]]></media:text>
                                <media:title type="plain"><![CDATA[A blue digital map of the world with abstract decorative elements]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/XCRn8joXXfYZACjyvtoZWj-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner's Office (ICO) has published its first strategy paper outlining how it will adapt its regulatory approach in light of new challenges presented by rapidly changing technology.</p><p>Among the key goals outlined in the paper, drafted to enhance the regulator's overall technical expertise and understanding, the ICO will educate staff on technological issues and ensure businesses and the wider public are kept informed about new data protection risks.</p><p>In its plans, the ICO also established three priority areas for 2018/19: cyber security, AI, and web and cross-device tracking. The data regulator will develop an action plan for each area, which it plans to review and update annually.</p><p><a href="https://ico.org.uk/media/about-the-ico/documents/2258299/ico-technology-strategy-2018-2021.pdf" target="_blank">The new three-year strategy</a> is part of the ICO's wider efforts to strengthen its commitment to technology and innovation, which includes the appointment of Simon McDougall as the first executive director for technology policy and innovation.</p><p>McDougall, the former managing director of IBM-owned consultancy firm Promontory, is a "well-known international figure in the world of information rights," according to the ICO, and has also served on the board of a number of international bodies committed to upholding citizens' data and information rights.</p><p>"I am honoured to have the opportunity to join the ICO and lead their work in this critical area," McDougall said. "Technological change continues to accelerate, and it is vital that the ICO remains constructively and robustly engaged as organisations innovate in the use of personal data."</p><p>Also among the ICO's plans is the launch of a 'regulatory sandbox' in which organisations can develop innovative tools and services with assistance and guidance from the ICO. The regulator plans to consult on the implementation of this scheme later in 2018.</p><p>"Technology is driving changes to the societal, political, legal and business environment that the Information Commissioner's Office (ICO) needs to regulate," Information Commissioner Elizabeth Denham wrote in the foreword of the new strategy.</p><p>"The most significant data protection risks to individuals are now driven by the use of new technologies. 
The risks are broad - from cyber-attacks to the growth of artificial intelligence and machine learning."</p><p>"The GDPR contains new provisions to better regulate the risks arising from technology, including data protection by design and data protection impact assessments.</p><p>"These advances need not come at the expense of data protection and privacy rights - the ICO's approach to technology will be underpinned by the concept that privacy and innovation are not mutually exclusive."</p><p>The ICO has faced numerous challenges in the last few months in light of a massive data misuse scandal involving Facebook and the now-defunct Cambridge Analytica, which perhaps gave the regulator a taste of the issues it can expect to face in an increasingly digitised landscape.</p><p>Its investigation into the misuse of personal data in political campaigns, which spans a vast number of organisations, led to <a href="https://www.itpro.com/policy-legislation/31483/facebook-fined-500000-by-the-ico-following-cambridge-analytica-data-scandal" target="_blank" data-original-url="https://www.itpro.com/policy-legislation/31483/facebook-fined-500000-by-the-ico-following-cambridge-analytica-data-scandal">Facebook last month being fined £500,000</a> - the maximum under the Data Protection Act 1998. The full results of the ICO's investigation are expected to be published by the end of the year.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Nottingham County Council fined £70,000 for data leak ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/public-sector/29379/nottingham-county-council-fined-70000-for-data-leak</link>
                                                                            <description>
                            <![CDATA[ The data of 3,000 vulnerable people was accessible through Google ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5KTpmcudMKFhTeeuACXNUy</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/R6QraVRxtZD28vnE3pNARK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 04 Sep 2017 07:46:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/R6QraVRxtZD28vnE3pNARK-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Series of locks on binary code with one unlocked]]></media:description>                                                            <media:text><![CDATA[Series of locks on binary code with one unlocked]]></media:text>
                                <media:title type="plain"><![CDATA[Series of locks on binary code with one unlocked]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/R6QraVRxtZD28vnE3pNARK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The ICO has hit Nottingham County Council with a £70,000 fine for failing to safeguard its citizens' data, a failure that left the information viewable by anyone online.</p><p>The problem came to light when a member of the public was able to read data stored in the council's Home Care Allocation System (HCAS) after finding it through a Google search. Nottingham County Council had not put any access control, such as a login, in front of the system to stop people accessing the files.</p><p>The data, which is thought to have been accessible for over five years, held details on whether disabled and elderly people were in hospital, and included the gender, addresses, postcodes and care requirements of the individuals. The concern was that criminals could use the information to break into people's homes while they were away.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/29205/ico-fines-talktalk-100k-for-data-breach" data-original-url="/security/29205/ico-fines-talktalk-100k-for-data-breach">ICO fines TalkTalk £100k for data breach</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/data-protection/29092/ico-fines-moneysupermarket-80k-for-spamming-customers" data-original-url="/data-protection/29092/ico-fines-moneysupermarket-80k-for-spamming-customers">ICO fines MoneySuperMarket £80k for spamming customers</a></p></div></div><p>"This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people's personal information, despite having the financial and staffing resources available," ICO Head of Enforcement Steve Eckersley said.</p><p>"Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. 
Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances."</p><p>The breach was first reported in June 2016, when the system held a directory of 81 service users and the data of more than 3,000 people. The data did not include the individuals' names, although the ICO said it would be easy enough for someone to find them out from other sources if they wanted to.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO fines TalkTalk £100k for data breach ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/29205/ico-fines-talktalk-100k-for-data-breach</link>
                                                                            <description>
                            <![CDATA[ Data watchdog found that the company failed to use adequate safeguards ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wB5kW9n8odGkUUjEoiozer</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/DzgoXDC9i4xPqvC83DWgd9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 11 Aug 2017 07:44:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/DzgoXDC9i4xPqvC83DWgd9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[TalkTalk]]></media:description>                                                            <media:text><![CDATA[TalkTalk]]></media:text>
                                <media:title type="plain"><![CDATA[TalkTalk]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/DzgoXDC9i4xPqvC83DWgd9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The ICO has fined TalkTalk £100,000 for failing to protect customer data in 2014, when the personal details of 21,000 customers were leaked into the public domain.</p><p>The regulator said TalkTalk had breached the Data Protection Act because it had failed to safeguard the large volume of customer data it held from misuse by staff. Employees were able to improperly access the information, which fraudsters then used to make scam calls to customers, quoting their names, addresses, phone numbers and account numbers.</p><p>The investigation revealed that it was employees of Wipro, a third-party company working with TalkTalk to resolve complaints about network coverage, who were able to access and take the data. The ICO found three Wipro accounts that had siphoned off the data, although 40 employees in total had access to the information.</p><p>"TalkTalk may consider themselves to be the victims here," Information Commissioner Elizabeth Denham said. "But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people. TalkTalk should have known better and they should have put their customers first."</p><p>The ICO said TalkTalk's actions breached the seventh principle of the Data Protection Act because it did not have appropriate technical or organisational safeguards in place to prevent employees from accessing the confidential information. This was despite the company being aware of the data protection rules and having had ample time to fix the flaws.</p><p>"This incident highlights why it is essential for companies to understand exactly how users are interacting with the network and data," said Nir Polak, CEO at Exabeam. 
"Had TalkTalk had a means to monitor the activities of employees and third parties, its incident response team could have spotted the inappropriate access to customer data."</p><p>Measures TalkTalk could have taken to prevent employees accessing the data include restricting the portal that held the customer details to authorised devices, and preventing the information from being exported via the portal.</p><p>"Big companies have been able to get away with lax security for years," said Jan van Vliet, Digital Guardian's vice president and general manager for EMEA. "Thankfully, with the GDPR now on the horizon, the days for such complacency really are numbered. These businesses can expect to swap a £100,000 fine for data protection breaches for one in the millions."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/24136/talktalk-hack-two-men-plead-guilty-to-talktalk-hack" data-original-url="/security/24136/talktalk-hack-two-men-plead-guilty-to-talktalk-hack">TalkTalk hack: Two men plead guilty to TalkTalk hack</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes" data-original-url="/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes">GDPR preparation: 2018 data protection changes</a></p></div></div>
                                                            </article>
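<p>The monitoring and export controls discussed in the TalkTalk piece above, as an added example that is not part of the original article and is not TalkTalk's, Wipro's or Exabeam's tooling: a small Python detector that runs over a constructed portal audit log (the CSV layout, account and organisation names, device allowlist and thresholds are all assumptions made for illustration) and raises an alert when a third-party account reads an unusually large number of distinct customer records inside a short window, exports a record, or logs in from a device that is not on the authorised list. Three accounts with access is the page's fact; everything in the sample log is made up.</p>

```python
"""Flag portal accounts whose behaviour looks like bulk harvesting of customer records.

Added example, not TalkTalk's, Wipro's or Exabeam's code. The audit-log format,
account names, device allowlist and thresholds below are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical CSV layout, not a real TalkTalk log):
# timestamp,account,org,action,customer_id,device_id
SAMPLE_LOG = """timestamp,account,org,action,customer_id,device_id
2014-09-01T09:00:05,alice,talktalk,view,C1001,D-TT-01
2014-09-01T09:02:11,alice,talktalk,view,C1002,D-TT-01
2014-09-01T09:05:40,bob,wipro,view,C2001,D-WP-07
2014-09-01T09:05:41,bob,wipro,view,C2002,D-WP-07
2014-09-01T09:05:42,bob,wipro,view,C2003,D-WP-07
2014-09-01T09:05:43,bob,wipro,view,C2004,D-WP-07
2014-09-01T09:05:44,bob,wipro,view,C2005,D-WP-07
2014-09-01T09:05:45,bob,wipro,view,C2006,D-WP-07
2014-09-01T09:06:20,bob,wipro,export,C2006,D-WP-07
2014-09-01T09:30:00,carol,wipro,view,C3001,LAPTOP-HOME
2014-09-01T10:00:00,dave,wipro,view,C4001,D-WP-09
"""

AUTHORISED_DEVICES = {"D-TT-01", "D-WP-07", "D-WP-09"}  # assumed device allowlist
THIRD_PARTY_ORGS = {"wipro"}                             # orgs held to the strictest rules
WINDOW = timedelta(minutes=10)                           # assumed look-back window
MAX_DISTINCT_CUSTOMERS = 5                               # assumed per-account limit per window


def parse_log(text):
    """Parse the CSV audit log into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect(rows):
    """Return a list of (rule, account, timestamp, detail) alerts, in log order.

    Rules:
      unauthorised_device  - access from a device outside the allowlist
      third_party_export   - an export action by a third-party account
      bulk_access          - more than MAX_DISTINCT_CUSTOMERS distinct customer
                             records touched by one account inside WINDOW
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (ts, customer_id) within WINDOW
    already_flagged = set()       # accounts already reported for bulk access

    for row in rows:
        acct, ts = row["account"], row["ts"]

        if row["device_id"] not in AUTHORISED_DEVICES:
            alerts.append(("unauthorised_device", acct, row["timestamp"], row["device_id"]))

        if row["action"] == "export" and row["org"] in THIRD_PARTY_ORGS:
            alerts.append(("third_party_export", acct, row["timestamp"], row["customer_id"]))

        # Sliding window: drop events older than WINDOW, then count distinct customers.
        window = recent[acct]
        window.append((ts, row["customer_id"]))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        distinct = {cust for _, cust in window}
        if len(distinct) > MAX_DISTINCT_CUSTOMERS and acct not in already_flagged:
            already_flagged.add(acct)
            alerts.append(("bulk_access", acct, row["timestamp"], len(distinct)))

    return alerts


def accounts_to_investigate(alerts):
    """Distinct accounts named in any alert, for the incident-response queue."""
    return sorted({acct for _, acct, _, _ in alerts})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for rule, acct, when, detail in found:
        print(f"{when}  {rule:<20} {acct:<6} {detail}")
    print("investigate:", accounts_to_investigate(found))
```

<p>On the constructed log the detector flags the account that walks through six customer records in under a minute, the export that follows it, and the login from a device outside the allowlist; the two accounts that surface are the ones an incident response team would pull for review. The distinct-customer window, rather than a raw request count, is what separates a complaints handler working a queue from someone enumerating records, and the device rule is the detection-side counterpart of the "authorised devices only" control the article mentions.</p>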
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO fines MoneySuperMarket £80k for spamming customers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/29092/ico-fines-moneysupermarket-80k-for-spamming-customers</link>
                                                                            <description>
                            <![CDATA[ Price comparison site sends 7.1 million emails to customers who'd opted out ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5R5d6SUfrkkUQSq9V1YyzU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/cavviBLAGXjB3Ed5CzkYoT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 21 Jul 2017 10:56:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/cavviBLAGXjB3Ed5CzkYoT-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Money]]></media:description>                                                            <media:text><![CDATA[Money]]></media:text>
                                <media:title type="plain"><![CDATA[Money]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/cavviBLAGXjB3Ed5CzkYoT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>MoneySuperMarket has been hit with an £80,000 fine for sending millions of emails to customers who had previously opted out of being contacted.</p><p>The price comparison site was found to have sent 7.1 million emails to customers over the course of just 10 days, outlining changes to its terms of service, despite the fact that those customers had chosen not to receive email communication.</p><p>MoneySuperMarket sent the emails between 30 November and 10 December 2016, of which almost 6.8 million were successfully delivered. Although the message was framed as a terms of service update, the UK data watchdog, the Information Commissioner's Office (ICO), concluded it was a misguided attempt to persuade users to sign up for marketing emails.</p><p>Part of the email included a section labelled "Preference Centre Update", which stated: "We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our emails."</p><p>The ICO chastised the company for its actions, with head of enforcement Steve Eckersley describing the emails as "unacceptable" and a "circumvention of the rules".</p><p>"Organisations can't get around the law by sending direct marketing dressed up as legitimate updates," said Eckersley. "When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent. They don't get a chance to persuade people to change their minds."</p><p>"We will continue to take action against companies that choose to ignore the rules," he added.</p><p>A MoneySuperMarket spokesperson told <em>IT Pro</em>: "At MoneySuperMarket, we take the protection of our customers' data and privacy very seriously. 
We apologise unreservedly to the customers affected by this isolated incident and we have put measures in place to ensure it doesn't happen again."</p><p>The ICO also fined supermarket chain Morrisons <a href="https://www.itpro.com/data-protection/28868/watchdog-fines-morrisons-for-spamming-opt-out-customers" target="_blank" data-original-url="https://www.itpro.com/data-protection/28868/watchdog-fines-morrisons-for-spamming-opt-out-customers">£10,500</a> in June after the company sent 130,671 emails to store card holders who had previously opted out of communication. The ICO said at the time that Morrisons had "ignored their decision", even though customers had explicitly told the company they did not want marketing emails.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/data-protection/28868/watchdog-fines-morrisons-for-spamming-opt-out-customers" data-original-url="/data-protection/28868/watchdog-fines-morrisons-for-spamming-opt-out-customers">Watchdog fines Morrisons for spamming opt-out customers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/data-protection/28265/ico-investigates-datas-role-in-political-campaigns" data-original-url="/data-protection/28265/ico-investigates-datas-role-in-political-campaigns">ICO investigates data's role in political campaigns</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Review agrees that DeepMind-NHS deal "lacked clarity" ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/28982/review-agrees-that-deepmind-nhs-deal-lacked-clarity</link>
                                                                            <description>
                            <![CDATA[ However independent panel finds that the NHS is ultimately responsible for any legal breach ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2iqWkipBiQ46Zead289mXC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ZUGjohrbCRbrMZDSVxbdSD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 05 Jul 2017 10:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ZUGjohrbCRbrMZDSVxbdSD-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Stethoscope on a keyboard]]></media:description>                                                            <media:text><![CDATA[Stethoscope on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[Stethoscope on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ZUGjohrbCRbrMZDSVxbdSD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An independent review panel has agreed there was a "lack of clarity" in DeepMind's initial data-sharing agreement with the Royal Free Hospital, under which 1.6 million people's data was shared without their consent.</p><p>However, the panel said there was no evidence of a breach of contractual obligations or data sharing agreements, unlike the UK data watchdog, the Information Commissioner's Office (ICO), which deemed the original deal unlawful.</p><p>The <a href="https://deepmind.com/applied/deepmind-health/transparency-independent-reviewers/independent-reviewers" target="_blank">independent report</a>, commissioned by DeepMind Health (DMH) following the ICO's own investigation, which was published yesterday, expressed concern that the specific scope of the original information sharing agreement with the Royal Free was not fully explained. However, it recognised that DMH has since taken steps to correct this.</p><p>The ICO's investigation revealed several shortcomings in how the data was handled, in particular that patients were not adequately informed of how the data would be used. 
As a result, the authority believes the initial agreement broke data protection law.</p><p>The panel, made up of industry leaders and academics, concluded that DMH acted only as a data processor, and that "any issues about data protection obligations or confidentiality obligations arising from the use of patient data during testing are in law, matters for the Royal Free as data controller, and we will not comment further on them".</p><p>While the report does not contradict the findings of the ICO, it said the specific shortcomings relating to informing patients lay squarely with the Royal Free, and that there was "no evidence that DMH had violated the data sharing agreement or any other contractual arrangements".</p><p>Under current law, only the data controller is liable for breaches of the regulations; however, this will change when the new <a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know" target="_blank" data-original-url="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">GDPR regulations</a> come into force next year, as both the processor and the controller will then be liable.</p><p>DMH has said it welcomes both the ICO investigation and the independent review, and acknowledges that "we should have done more to engage with patients much earlier".</p><p>A number of smaller criticisms were also mentioned in the report, such as a handful of minor vulnerabilities in DMH's network and the logistics of "parachuting in" the Streams app, which relied on the huge volume of data to learn how to detect and diagnose acute kidney injury, but DeepMind said these have already been addressed.</p><p>DeepMind was also criticised for a lack of public engagement during the tests, as it failed to adequately refute claims spread in the media that patient data would be shared with its then-parent company, Google. 
If true, this would have breached contractual obligations, but there is "no evidence that DMH had any intention of doing this", according to the report.</p><p>The nine-person panel included Mike Bracken, CDO of the Co-operative Group and former CDO for the UK government, Eileen Burbidge, partner at investment firm Passion Capital, and Professor Donal O'Donoghue, medical director for Greater Manchester Academic Health Science Network.</p><p><strong>03/07/2017: ICO: DeepMind-NHS deal broke data laws</strong></p><p>The Royal Free NHS Foundation Trust failed to comply with data protection law when it provided patients' details to Google AI firm DeepMind, according to the Information Commissioner's Office (ICO).</p><p>As part of a trial to test an alert, diagnosis and detection system for acute kidney injury, <a href="https://www.itpro.com/security/26465/googles-deepmind-can-read-16-million-nhs-patients-records" target="_blank" data-original-url="https://www.itpro.com/security/26465/googles-deepmind-can-read-16-million-nhs-patients-records">the trust provided personal data of around 1.6 million patients to DeepMind</a> back in September 2015, a fact revealed seven months later by the <em>New Scientist</em>.</p><p>However, an investigation by the ICO discovered several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test.</p><p>DeepMind had a deal with the Royal Free under which the former would process partial patient records containing personally identifiable information (PII) held by the trust.</p><p>The PII in question included data on people who had presented for treatment in the previous five years for tests, together with data from the trust's existing radiology electronic patient record system. 
Under the terms of the agreement, DeepMind would process approximately 1.6 million such partial records for clinical safety testing.</p><p>But Information Commissioner Elizabeth Denham determined that these records were processed for the purpose of clinical safety testing without patients being informed of this processing.</p><p>"The Commissioner was not satisfied that the Royal Free had properly evidenced a condition for processing that would otherwise remove the need to obtain the informed consent of the patients involved and our concerns in this regard remain," the ICO said in a <a href="https://ico.org.uk/media/action-weve-taken/undertakings/2014353/royal-free-undertaking-cover-letter-03072017.pdf" target="_blank">letter</a> to the trust.</p><p>It added that the mechanisms to inform those patients that their data would be used in the clinical safety testing of the Streams application were inadequate.</p><p>"In short, the evidence presented to date leads the Commissioner to conclude that data subjects were not adequately informed that the processing was taking place and that as a result, the processing was neither fair nor transparent," said the ICO.</p><p>"Patients would not have reasonably expected their information to have been used in this way, and the trust could and should have been far more transparent with patients as to what was happening," Denham said in a statement.</p><p>"We've asked the trust to commit to making changes that will address those shortcomings, and their co-operation is welcome. The Data Protection Act is not a barrier to innovation, but it does need to be considered wherever people's data is being used."</p><p>The ICO won't fine the NHS trust or DeepMind. 
Instead, the trust has been asked to establish a proper legal basis under the Data Protection Act for the DeepMind project, both as it was run and for any future trials, and to set out how it will comply with its duty of confidence to patients in any future trial involving personal data.</p><p>Plus, it must complete a privacy impact assessment, including specific steps to ensure transparency, and commission an audit of the trial, the results of which will be shared with the Information Commissioner, and which the Commissioner will have the right to publish as she sees appropriate.</p><p>"We welcome the ICO's thoughtful resolution of this case, which we hope will guarantee the ongoing safe and legal handling of patient data for Streams," <a href="https://deepmind.com/blog/ico-royal-free" target="_blank">said</a> DeepMind co-founder Mustafa Suleyman, and DeepMind Health clinical lead, Dominic King.</p><p>"In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health," they added.</p><p>"We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. 
We got that wrong, and we need to do better."</p><p>The pair said DeepMind has published all NHS contracts since its "mistake" in failing to publicise the Streams contract, which it also replaced with <a href="https://deepmind.com/applied/deepmind-health/transparency-independent-reviewers" target="_blank">"a far more comprehensive contract"</a> in November 2016.</p><p>DeepMind said it's also since developed a patient and public engagement strategy, and is currently awaiting the published findings of nine "independent reviewers" it tasked with scrutinising DeepMind Health.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/26465/googles-deepmind-can-read-16-million-nhs-patients-records" data-original-url="/security/26465/googles-deepmind-can-read-16-million-nhs-patients-records">Google's DeepMind can read 1.6 million NHS patients' records</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/public-sector/nhs/28661/data-guardian-criticises-deepmind-data-sharing-with-nhs" data-original-url="/public-sector/nhs/28661/data-guardian-criticises-deepmind-data-sharing-with-nhs">Data guardian criticises DeepMind data sharing with NHS</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/public-sector/27833/deepmind-announces-second-nhs-partnership" data-original-url="/public-sector/27833/deepmind-announces-second-nhs-partnership">DeepMind announces second NHS partnership</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/27623/deepminds-co-founder-says-access-to-nhs-data-is-essential" data-original-url="/mobile/27623/deepminds-co-founder-says-access-to-nhs-data-is-essential">DeepMind's co-founder says access to NHS data is essential</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Gloucester City Council fined £100,000 over Heartbleed hack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/28844/gloucester-city-council-fined-100000-over-heartbleed-hack</link>
                                                                            <description>
                            <![CDATA[ ICO issues penalty after authority leaks 30,000 employee emails ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">842ST2vtCfKoCxCJTxwgzR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 Jun 2017 10:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:description>                                                            <media:text><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:text>
                                <media:title type="plain"><![CDATA[Bright blue code appearing on screen to denote hacking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KAE3tGXMEcRfgDxLP9qFH4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>Gloucester City Council has been hit with a £100,000 fine after a hacker downloaded 30,000 emails containing employees' personal information.</p><p>In July 2014, a hacker "took advantage of a weakness in the council's website" to gain direct access to the council's mailboxes, which stored information on employee finances as well as internal communications.</p><p>The attack exploited the highly publicised '<a href="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know" target="_blank" data-original-url="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know">Heartbleed</a>' flaw, a vulnerability within the OpenSSL software library that allowed hackers to eavesdrop on web users, as well as steal usernames, passwords, documents, and in this case, emails.</p><p>Despite the bug becoming widely publicised in the media, as well as in warnings issued by UK data watchdog the Information Commissioner's Office (ICO), the council knowingly failed to fix the vulnerabilities, according to the regulator.</p><p>Sally Anne Poole, group enforcement manager at the ICO, described the incident as a "serious oversight", adding that the council's security systems were not robust enough to protect the data it held.</p><p>"The attack happened when the organisation was outsourcing their IT systems. 
A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack," she said.</p><p>"Business and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty," added Poole.</p><p>Jon McGinty, managing director at the council, said in a statement to <em>IT Pro</em> that the penalty would have a "serious and detrimental" impact on the authority's finances, and is considering appealing the decision.</p><p>"The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch," said McGinty.</p><p>"The council did account for the risk of this potential fine in its accounts for 2016-17, but nevertheless, its payment will only result in money being taken away from the people of Gloucester and given to the Treasury," added McGinty.</p><p>Paul Farrington, manager at application security company Veracode, said that the council could have done more to protect its data.</p><p>"The latest fine imposed by the ICO is an unfortunate outcome for this public body. Vendors like Veracode in 2014 were offering free scans, with no strings attached. 
The council officials could have protected the 30,000 leaked email records without incurring any additional cost burden."</p><p>The flaw, which was first discovered in 2014, was famously <a href="https://www.itpro.com/security/22074/mumsnet-reveals-how-it-fell-victim-to-heartbleed" target="_blank" data-original-url="https://www.itpro.com/security/22074/mumsnet-reveals-how-it-fell-victim-to-heartbleed">used against advice forum Mumsnet</a>, which saw hackers post messages purportedly from CEO Justine Roberts that derided users and claimed the site was up for sale.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know" data-original-url="/security/22101/heartbleed-bug-everything-you-need-to-know">Heartbleed bug: Everything you need to know</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/24958/ico-will-look-into-edinburgh-city-council-data-breach" data-original-url="/hacking/24958/ico-will-look-into-edinburgh-city-council-data-breach">ICO will look into Edinburgh City Council data breach</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Basildon Council lands £150,000 fine by ICO after revealing family’s personal details ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-leakage/28761/basildon-council-lands-150000-fine-by-ico-after-revealing-family-s-personal</link>
                                                                            <description>
                            <![CDATA[ Authority exposed personal data including mental health issues ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8oiFccKW8h9fFTmfkHVkYi</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dGmeaeSmteXkUttz7XKtAm-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 01 Jun 2017 12:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dGmeaeSmteXkUttz7XKtAm-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Protection word on keyboard]]></media:description>                                                            <media:text><![CDATA[Protection word on keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[Protection word on keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dGmeaeSmteXkUttz7XKtAm-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>The Information Commissioner's Office (ICO) has fined Basildon Council £150,000 for publishing online the personal data of a traveller family.</p><p>The authority breached the Data Protection Act by making publicly available data on the family in a planning application.</p><p>The ICO discovered that the council received a written statement in support of a householder's planning application for proposed works in a green belt. The statement contained sensitive personal data relating to a static traveller family who had been living on the site for many years.</p><p>It referred to the family's disability requirements, including mental health issues, the names of all the family members, their ages and the location of their home. The council published the statement in full, without redacting the personal data, on its online planning portal later that day.</p><p>An investigation by the ICO found that the council failed to carry out data protection procedures and training. It was revealed that an inexperienced council officer didn't notice the personal information in the statement, and there was no procedure in place for a second person to check it before the personal data was inadvertently published online. The information was only removed on 4 September 2015 when the concerns came to light. </p><p>While the council had routinely redacted personal data from planning documents, a practice also adopted by other local authorities, Basildon subsequently argued it was not, in fact, allowed to do so under planning law. This was rejected by the ICO, which said planning regulations could not override people's fundamental privacy and data protection rights. It added that publication of planning documents online was a choice, not a legal requirement.</p><p>"This was a serious incident in which highly sensitive personal data, including medical information, was made publicly available," said ICO enforcement manager Sally Anne Poole. 
</p><p>"Planning applications in themselves can be controversial and emotive, so to include such sensitive information and leave it out there for all to see for several weeks is simply unacceptable."</p><p>"Data protection law is clear and planning regulations don't remove an individual's rights. Local authorities and, indeed, all organisations must be certain that their internal processes and procedures are robust and secure enough to ensure that people's sensitive personal information is protected," she added.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/628882/ico-fines-a-timeline" data-original-url="/628882/ico-fines-a-timeline">ICO fines: A timeline</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO calls for GDPR transparency and accountability ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/28715/ico-calls-for-gdpr-transparency-and-accountability</link>
                                                                            <description>
                            <![CDATA[ Put individuals at the heart of data protection, urges data watchdog ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qK4LcVVD8BaQwWbPkB86U7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KL2oPy4NBzbuEcrDPobWo3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 May 2017 15:05:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[GDPR]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <category><![CDATA[Data Protection]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KL2oPy4NBzbuEcrDPobWo3-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KL2oPy4NBzbuEcrDPobWo3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>An impending overhaul of data protection law will present "opportunities and challenges" for companies as they prepare for the changes, which <a href="https://www.itpro.com/data-protection/28029/latest-gdpr-news-uk" target="_blank" data-original-url="https://www.itpro.com/data-protection/28029/latest-gdpr-news-uk">are one year away today</a>.</p><p><a href="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know" target="_blank" data-original-url="https://www.itpro.com/it-legislation/27814/what-is-gdpr-everything-you-need-to-know">The General Data Protection Regulation (GDPR)</a> will hand EU citizens more control over how organisations use their personal data, and impose stringent rules on how organisations handle that data and what they can use it for.</p><p>In a discussion at TechUK's London headquarters today, Rob Luke, deputy information commissioner of the Information Commissioner's Office (ICO), said that organisations typically ask the UK data watchdog for granular guidance: "often people will say to us: 'tell us what we need to do'".</p><p>He added that the ICO was "working at pace to produce detailed guidance, both at national level but also European level guidance produced by the Article 29 EU Working Party, to which we are making a major contribution".</p><p>Organisations should be proactive in gaining compliance, rather than adopt a reactive approach to their GDPR preparations, motivated solely by a mindset of compliance or risk management, the ICO contends.</p><p>"Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law," says Luke.</p><p>"Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won't go far wrong," he adds.</p><p>Luke believes that preparations for the forthcoming regulations boiled 
down to two words: "transparency" and "accountability".</p><p>"Being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business," Luke explains.</p><p>GDPR, he believes, is a board-level issue no matter the size of the company, not least because under GDPR the regulator "wields a bigger stick". For the most serious violations of the law, the ICO will have the power to fine companies up to €20 million or 4% of a company's total annual worldwide turnover, whichever is larger.</p><p>But the cost to business of poor practice in this area goes above and beyond any fine the ICO could impose, Luke argues.</p><p>"Losing your consumers' trust could be terminal for your reputation and for your organisation," he says. "A model where organisations take an approach to data protection which earns the trust of consumers in a more systematic way [is better]. And where that trust translates into competitive advantage for those who lead the charge."</p><p>Andrew Rogoyski, vice president of cyber security services at CGI UK, urges boards and CEOs to plan how their firms will achieve compliance, but doesn't think organisations could already be compliant with one year to go.</p><p>He warned that the regulations could "amplify potential share price movements as a result of a data breach" and therefore boards' and CEOs' attention is "crucial".</p><p>While GDPR is helpful now, he thought it would be different in a few years' time. "If you think about 2025 and automation there will be key differences in handling information and privacy."</p><p>David Erdos, a lecturer in law and the open society at Cambridge University, sees GDPR as a step up in terms of a rules-based approach. 
"The aim is harmonisation across Europe, but derogations from this will have an important impact," he says.</p><p>Erdos adds that he doesn't think the UK will move away from the EU's fundamental values on data protection following Brexit.</p><p>Emma Butler, data protection officer at digital identity firm Yoti, says that adhering to GDPR regulations starts in the legal department but "actually it is [about] change management".</p><p>"GDPR is an opportunity to make sure you are doing information governance really well," she claims, adding that there are threats and risks coming from GDPR but these shouldn't be an organisation's sole focus.</p><p>Antony Walker, deputy CEO of TechUK, believes there are questions about whether the UK will continue to stay in step with evolving data policy discussions in Europe, adding that the ICO is "clearly very influential" but Brexit now "limits the amount of time available to consider how to implement GDPR in a UK context".</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/it-regulation/27955/ico-outlines-its-gdpr-guidance-priorities" data-original-url="/it-regulation/27955/ico-outlines-its-gdpr-guidance-priorities">ICO outlines its GDPR guidance priorities</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes" data-original-url="/security/27563/how-to-get-ready-for-gdpr-2018-data-protection-changes">GDPR preparation: 2018 data protection changes</a></p></div></div><p><em>Picture credit: Rene Millman/IT Pro</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO investigating use of data in political campaigns ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/strategy/28683/ico-investigating-use-of-data-in-political-campaigns</link>
                                                                            <description>
                            <![CDATA[ The investigation will determine if parties breached data protection laws ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">omk2zyDjSe9jQorAaZkEYX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 May 2017 10:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Brexit]]></media:description>                                                            <media:text><![CDATA[Brexit]]></media:text>
                                <media:title type="plain"><![CDATA[Brexit]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner's Office (ICO) has said it will begin a formal investigation to assess whether political groups were using analytics in a way that breached data protection laws.</p><p>The announcement follows an initial assessment in March, which looked at the use of analytics to shape political campaigning and contact people based on individual data. It appears that the ICO has gathered enough evidence of data protection violations to merit a full-blown investigation.</p><p>"Given the big data revolution, it is understandable that political campaigns are exploring the potential of advanced data analysis tools to help win votes," wrote information commissioner Elizabeth Denham, <a href="https://iconewsblog.wordpress.com/2017/05/17/information-commissioner-elizabeth-denham-opens-a-formal-investigation-into-the-use-of-data-analytics-for-political-purposes" target="_blank">in a blog post</a>.</p><p>"The public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing," she added.</p><p>Political parties are able to contact members of the public to promote political agendas; however, doing so falls under the category of 'direct marketing', which is subject to data protection laws. 
 The ICO has responded to complaints in the past where individuals have received direct contact from political parties without their consent.</p><p>A recently published report by the <a href="https://www.theguardian.com/politics/2017/may/15/tory-facebook-ads-attack-corbyn-while-labour-avoids-mentioning-him" target="_blank"><em>Guardian</em></a> revealed how political parties were targeting messages at voters through their Facebook pages, and tailoring the content based on individual data.</p><p>The use of analytics came under the spotlight in the aftermath of the Brexit vote, when it emerged that US-based Cambridge Analytica, which claims to be the "global leader in data-driven campaigning", was involved with the Vote Leave campaign. However, this association was never declared to the election watchdog.</p><p>The ICO also said that although the use of data analytics by political parties is becoming more frequent, the level of awareness among the public about how their data is collected and shared remains low. "Having considered the evidence we have already gathered I have decided to open a formal investigation into the use of data analytics for political reasons," said Denham.</p><p>The investigation will run alongside current investigations into practices deployed during the EU referendum campaign, but could expand beyond that into similar political movements. This investigation will remain a "high priority" for the ICO, according to Denham.</p><p>"I am conscious that opening this formal investigation coincides with ongoing campaigning ahead of the General Election," said Denham. 
"The timing of my decision is unrelated to the current campaign, but I would nonetheless remind all relevant organisations of the need to comply with the law."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/strategy/28679/uk-public-no-longer-trusts-online-businesses-with-its-data" data-original-url="/strategy/28679/uk-public-no-longer-trusts-online-businesses-with-its-data">UK public no longer trusts online businesses with its data</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/data-protection/28029/latest-gdpr-news-uk" data-original-url="/data-protection/28029/latest-gdpr-news-uk">GDPR news: GDPR turns six months old</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ TalkTalk hack: Two men plead guilty to TalkTalk hack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/24136/talktalk-hack-two-men-plead-guilty-to-talktalk-hack</link>
                                                                            <description>
                            <![CDATA[ Tamworth pair admit to offences under the Computer Misuse act ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bRmsUTvsTdpE6oTQ5vRPRy</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qEcx36CEunvfEHU8NxuM58-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Thu, 27 Apr 2017 09:29:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/qEcx36CEunvfEHU8NxuM58-1280-80.png">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[TalkTalk logo]]></media:description>                                                            <media:text><![CDATA[TalkTalk logo]]></media:text>
                                <media:title type="plain"><![CDATA[TalkTalk logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qEcx36CEunvfEHU8NxuM58-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><strong>Jump to "What to do if you think you have been affected"</strong></p><h2 id="latest-news">Latest News</h2><p><strong>27/04/2017: </strong>Two men have admitted their part in a hacking attempt on TalkTalk's website.</p><p>Matthew Hanley, 22, and Connor Allsopp, 20, pleaded guilty to charges relating to the massive data breach in October 2015.</p><p>The pair admitted their part in a plot to steal the personal details of thousands of customers, the Old Bailey heard. The pair from Tamworth, Staffordshire, will be sentenced in May.</p><p>The court heard how Hanley hacked into TalkTalk's website and obtained a spreadsheet containing TalkTalk customers' details.</p><p>Hanley also pleaded guilty yesterday to three offences under the Computer Misuse Act, including the hacking of the TalkTalk website, obtaining files that would enable the hacking of websites and supplying files to enable the hacking of websites to others.</p><p>Allsopp pleaded guilty on 30 March to assisting fraud and sharing a file that could help other hackers. </p><p>The Metropolitan Police identified Hanley as a suspect in their investigations and he was arrested last October. Officers seized computers and devices from his address but found they had been wiped or the data encrypted so they couldn't access it.</p><p>Police then looked at Hanley's social media accounts and found conversations where Hanley had been discussing his involvement and actions in hacking into TalkTalk's website and discussing how he had deleted incriminating data from his computers and encrypted his devices to cover his tracks.</p><p>The online conversations also revealed that having stolen data from the telco, Hanley then got Allsopp to try and sell the personal data of customers so that the pair could profit from it.</p><p>Police arrested Allsopp this month and showed him these chat logs. 
 Allsopp admitted that he had unsuccessfully tried to sell customer data that Hanley had stolen, as well as sell details of the vulnerabilities on TalkTalk's website that would enable others to hack into it.</p><p>Detective chief inspector Andy Gould, from the Met's Falcon Cyber Crime Unit, said that no matter how hard criminals try to conceal their activity, "they will leave some kind of trail behind".</p><p>"This investigation has been painstaking and the work our detectives have done to trace and identify those involved has combined cutting-edge digital forensic techniques, with old-fashioned detective work that has led to the conviction of several of those involved and the investigation continues," he added.</p><p>The pair are due to be sentenced on 31 May at the Old Bailey.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/desktop-software/23940/porn-now-blocked-on-talktalk" data-original-url="/desktop-software/23940/porn-now-blocked-on-talktalk">Porn now blocked on TalkTalk</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28348/three-suffers-another-data-breach" data-original-url="/security/28348/three-suffers-another-data-breach">Three suffers another data breach</a></p></div></div><p><strong>15/11/2016:</strong> A 17-year-old boy has admitted to seven charges of hacking, two of which relate to the TalkTalk data breach in October 2015.</p><p>The teenager, who cannot be named for legal reasons, pleaded guilty to all seven offences under the Computer Misuse Act at Norwich Youth Court today.</p><p>TalkTalk lost £60 million as a result of the hack, in which 157,000 customers had their details stolen, including bank account numbers, sort codes, and dates of birth.</p><p>UK data protection regulator the Information Commissioner's Office (ICO) fined the mobile operator a record £400,000 for the incident. 
 Information Commissioner Elizabeth Denham said last month: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease."</p><p>The teenager will be sentenced on 13 December, after also targeting Manchester University Library and Cambridge University Library, among others. According to <a href="http://news.sky.com/story/boy-17-admits-hacking-offences-linked-to-talktalk-attack-10658405"><em>Sky News</em></a>, he told the court: "I didn't really think of the consequences at the time. I was just showing off to my mates."</p><p><strong>05/10/2016:</strong> TalkTalk has been issued <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack">with a record £400,000 fine</a> by the Information Commissioner's Office (ICO) following the large-scale data breach in October 2015, due to "security failings".</p><p>The ICO's in-depth investigation found that the attack on the company last year could have been prevented if TalkTalk had taken basic steps to protect customers' information and that the firm allowed the cyber attacker to access customer data "with ease".</p><p>ICO investigators found that the cyber attack took advantage of technical weaknesses in TalkTalk's systems, allowing attackers to access the personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.</p><p>Information Commissioner Elizabeth Denham said: "TalkTalk's failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk's systems with ease.</p><p>"Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. 
It did not and we have taken action."</p><p>The data was taken from an underlying customer database that was part of TalkTalk's acquisition of Tiscali's UK operations in 2009, and was accessed through an attack on three vulnerable webpages within the inherited infrastructure.</p><p>The ICO said TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.</p><p>TalkTalk was also not aware that the installed version of the database software was outdated and was no longer supported by the provider.</p><p>A criminal investigation by the Metropolitan Police has been running separately to the ICO's investigation.</p><p>A TalkTalk spokesperson did not indicate if the telco will appeal the fine.</p><p>They said: "TalkTalk has cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.</p><p>"During a year in which government data showed nine in ten large UK businesses were successfully breached, the TalkTalk attack was notable for our decision to be open and honest with our customers from the outset. This gave them the best chance of protecting themselves and we remain firm that this was the right approach for them and for our business.</p><p>"As the case remains the subject of an ongoing criminal prosecution, we cannot comment further at this time."</p><p><strong>20/07/2016: </strong>Around 9,000 TalkTalk customers left the provider in its <a href="http://www.talktalkgroup.com/articles/2016/July/Trading-update-for-the-3-months-to-30-June-2016--Q1-FY17-.html">latest quarter</a>, as the operator continues to feel the aftereffects of last year's hack that spilt the data of 157,000 users. 
 </p><p>Revenues declined 0.4 per cent year-on-year and TalkTalk also lost 23,000 TV customers.</p><p>However, it added 48,000 mobile users to its books and 36,000 fibre customers.</p><p>TalkTalk CEO Dido Harding said: "We are very pleased with how the year has begun. Revenue growth was level year on year despite a smaller customer base and churn was down year on year as we drove growth in mobile and fibre, and delivered real improvements in our customers' experience." </p><p><strong>22/06/2016:</strong> TalkTalk's chief executive, Dido Harding, has earned £2.8 million in the last 12 months, despite the performance of the network being subject to a number of hacks and staff's bonuses being cut substantially.</p><p>This is almost triple the amount Harding was paid in the previous 12 months and has caused some controversy within the company.</p><p>Around £2 million of the Baroness's pay relates to a long-term incentive scheme linked to the company's performance over the last three years, <a href="http://www.ft.com/cms/s/4f4bc532-36bd-11e6-a780-b48ed7b6126f,Authorised=false.html?siteedition=uk&_i_location=http%3A%2F%2Fwww.ft.com%2Fcms%2Fs%2F0%2F4f4bc532-36bd-11e6-a780-b48ed7b6126f.html%3Fsiteedition%3Duk&_i_referer=http%3A%2F%2Fwww.theweek.co.uk%2Fe8004d063ad590fd43b6a20494cc7bc4&classification=conditional_standard&iab=barrier-app#axzz4C6Oria5r">according to <em>The Financial Times</em></a>, despite profits having declined by 50 per cent over the course of the year.</p><p>However, Harding has said that the £220,000 bonus she was supposed to be paid for the last year's performance will be donated instead to the Ambitious About Autism charity, rather than her receiving it. 
 The reason for this, she said, is because the company caused such strife to those involved in the operator's hack in October.</p><p>TalkTalk said it would be cutting bonuses of the company's senior staff from 62 per cent to 40 per cent due to profits reducing as a direct result of the hack. It is estimated the slip-up will cost TalkTalk £60 million to rectify.</p><p><strong>12/05/2016:</strong> Customers have forgiven TalkTalk for last year's devastating cyber attack, CEO Dido Harding claimed today, despite profits halving and 100,000 users jumping ship.</p><p>The telecoms provider, which released <a href="http://www.talktalkgroup.com/investors/results-centre">its annual financial report</a> today, was adamant that customers are positive about the company, despite losing thousands of customers' data last October.</p><p>Harding said: "The vast majority of customers believe we looked after them. The business bounced back strongly in the final quarter following the cyber attack in October."</p><p>She added that the number of customers leaving has been the lowest ever in the last three months, saying this is "testimony to the speed with which customer sentiment towards TalkTalk has recovered", and that "trust in the brand and brand consideration [are] both higher than they were before the attack".</p><p>However, the report also revealed that the company lost more than 100,000 customers and had to spend over £40 million as a direct result of the attack, which slashed its annual profits by more than half.</p><p>TalkTalk's customer loss only amounts to around three per cent of its total customer base. While this is a substantial loss for a major business, <a href="https://www.cable.co.uk">Cable.co.uk</a> telecoms expert Dan Howdle believes that it should have been substantially higher.</p><p>"TalkTalk suffered three major security breaches in 2015, something savvy customers should not easily forgive," he said. 
 "That TalkTalk lost only three per cent of its existing customer base, however, points to problems... with the switching process itself."</p><p>He pointed out the fact that while the company dished out unconditional free upgrades to its customers in response to the attack, it did not allow unhappy customers to freely leave their contracts.</p><p>"Clearly the situation needs improvement. If a provider fails in its remit to protect its customers and their data there should be a free get-out clause. There isn't, and that has allowed TalkTalk to limit the damage the attack caused it," he concluded.</p><p><strong>15/04/2016: </strong>Over 125,000 customers have abandoned TalkTalk's broadband services during the first four months of this year.</p><p>It is estimated that around 17 per cent of their customers are considering leaving their broadband services as well, according to <em><a href="http://www.theregister.co.uk/2016/04/14/talktalk_entices_more_customers_back_post_hack">The Register</a></em>.</p><p>TalkTalk has continued to lose broadband customers, but has gained an overall increase of business partly due to lowered prices and promotional offers.</p><p>Thus far TalkTalk has had a strong first quarter, with 40 per cent of their new customers choosing to subscribe to their services due to competitive pricing. The company's "triple play" service also yielded an increase of 3.2 per cent, raising their total market share for the category to 12.2 per cent.</p><p>BT remains the most dominant provider, having captured nearly one third of the market (31.5 per cent) in competition with other service providers. Their closest competitor, Sky, having recently lost 5 per cent of their market share, now holds 23.3 per cent of the market.</p><p>This progress shows that the company is gaining forward momentum since the hack, which compromised the personal data of over 150,000 customers. 
The incident ran up a bill of around 60m and a loss of over 100,000 customers.</p><p><strong>17/03/2016: </strong>TalkTalk is swapping passwords for voice biometrics following the cyber attack that affected 157,000 of its customers.</p><p>The mobile operator will let users access their accounts via voice recognition, rather than requesting their passwords or answers to pre-set questions, which may have been compromised by hackers.</p><p>Nuance, the company providing TalkTalk with the voice recognition technology, said its software compares a customer's voice to their unique voiceprint and securely authenticates the customer - or flags the call if fraud is suspected.</p><p>TalkTalk claimed it is the first mobile operator to introduce the technology, doing so after the cyber attack it suffered cost the firm an estimated 60 million, as well as 100,000 customers leaving the firm.</p><p>The banking industry already uses voice recognition, with <a href="https://www.itpro.com/security/26078/hsbc-to-replace-passwords-with-biometric-banking" data-original-url="https://www.itpro.com/security/26078/hsbc-to-replace-passwords-with-biometric-banking">HSBC most recently deciding to replace passwords with biometrics</a>, also supplied by Nuance.</p><p><strong>02/02/2016: </strong>TalkTalk has revealed last year's cyber attack cost the company 60 million, almost double an initial estimate.</p><p>A <a href="http://www.investegate.co.uk/talktalk-telecom-gp--talk-/rns/q3-fy16-trading-update/201602020700077118N">trading update</a> on Tuesday revealed that the hack had cost far more than the estimated 35 million, though TalkTalk also experienced revenue growth of 1.8 per cent in Q3, with earnings expected to reach 255 million - 265 millon by the end of the year.</p><p>Dido Harding, TalkTalk CEO, said: "It is encouraging to see the business returning to normal after a challenging quarter that was dominated by the cyber attack. 
Our customers have responded well, with almost half a million customers choosing to take up our unconditional offer of a free uprade.</p><p>"Both churn and new connections recovered during December and January and independent external research has revealed that customers believe that we acted in their best interest. In fact trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident."</p><p><strong>28/01/2016:</strong> Police have arrested three people at one of TalkTalk's Indian call centres on suspicion of stealing customers' data, sparking further questions about the care with which the telecoms company treats its customer records.</p><p>The men were arrested by the Indian authorities in connection with the stolen data, which they allegedly used to make scam calls from a call centre in Kolkata, according to a <a href="http://blogs.channel4.com/geoff-white-on-technology/arrests-talktalk-subcontractor-personal-data-breaches/1926"><em>Channel 4</em> investigation</a>.</p><p>In response, TalkTalk said it is working with international outsourcer Wipro, which runs the call centre, and local police.</p><p>The mobile provider said in a <a href="http://www.talktalkgroup.com/press/press-releases/2016/talktalk-cracks-down-on-scam-calls.aspx">statement</a>: "Acting on information supplied by TalkTalk, the local police have arrested three individuals who have breached our policies and the terms of our contract with Wipro. We are also reviewing our relationship with Wipro."</p><p>It added: "We are determined to identify and deal effectively with these issues and we will continue to devote significant resource to keeping our customers' data safe. Data theft and scams are a growing issue affecting all businesses and they are notoriously difficult to investigate and prosecute. 
We are pleased that our investigations have yielded results, and will continue to do everything we can to tackle these crimes."</p><p>The incident is only the latest data breach TalkTalk has suffered, and it comes hot on the heels of an attack last October in which 157,000 customers had their details stolen, including bank account numbers, sort codes, and dates of birth.</p><p>Information commissioner Christopher Graham told MPs this week that companies needed to strengthen their security to prevent similar data losses, the <a href="http://www.ft.com/cms/s/0/ce731bc0-c526-11e5-b3b1-7b2481276e45.html#axzz3yX3MdKMw">Financial Times</a> reported.</p><p>The Information Commissioner's Office (ICO) is investigating the TalkTalk data breach as part of the Cyber security: Protection of personal data online inquiry.</p><p><strong>21/01/2016:</strong> Customers are leaving TalkTalk in their droves after the mobile operator's data hack last year, research from Kantar Worldpanel ComTech shows.</p><p>Seven per cent of TalkTalk's broadband base switched to a different provider in the fourth quarter of 2015, Kantar's figures show.</p><p>The research firm said there was "no doubt" that the company lost potential customers as a result of its data hack.</p><p>Almost a fifth of those leaving TalkTalk did so as a direct result of poor reliability a four per cent increase on the previous quarter, when fewer than one per cent cited this reason.</p><p>Imran Choudhary, consumer insight director at Kantar Worldpanel, said: "TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack.</p><p>"If it's to recover from recent events TalkTalk will need to offer more than just good value."</p><p>The telecoms firm's systems were breached last October, and 157,000 customers had their details stolen, 
which included bank account numbers, sort codes, and dates of birth.</p><p>The hack has already cost the company 35 million in one-off costs to resolve the immediate backlash related to 15,600 of those leaked bank details.</p><p>TalkTalk chief executive Dido Harding talked down the long-term repercussions for the brand at the time, saying: "Customers think we're doing the right things".</p><p>BT benefitted from the exodus, with 12 per cent of its new customers saying their primary reason for joining was because they saw it as a trusted supplier. That figure was twice the market average.</p><p><strong>16/12/2015:</strong> Police recommended that TalkTalk stayed quiet about attacks on its site while detectives carried out their investigations and made arrests.</p><p>At a House of Commons <a href="http://www.parliamentlive.tv/Event/Index/73368590-d756-4a37-badb-8174ac8ef239" rel="nofollow">Culture, Media and Sports Committee</a>, CEO Dido Harding told MPs that the cyber attack was "one of the most difficult periods for the TalkTalk board and for me personally".</p><p>"It was clear by lunchtime on Thursday (22 October) that the sensible thing to do to protect my customers was to warn all of them because I could help make them safer. I could give them free credit monitoring, I could warn them not to accept these scam calls," she told committee members.</p><p>"For completely understandable reasons, the advice we received that Thursday afternoon from the Metropolitan Police was not to tell our customers."</p><p>She said she opposed the idea of compensation claims being valid and added she was "not aware of anyone who has directly lost money as a direct consequence of the attack. Any who have suffered a direct financial loss should get in direct contact. We wish to deal with on a case-by-case basis." 
</p><p>Harding added that the Telecoms Ombudsman "is there to adjudicate, and customers not getting fair redress from their insurance company, bank, or telco, should go there."</p><p>In reply to questions over who was responsible, Harding said that no one individual in the firm was.</p><p>"It really does come back to the CEO and board. Was there sufficient oversight in terms of the security policies, the resourcing of the technology team to implement those policies, and the knowledge and understanding of best practice?</p><p>"It is a board level issue, not an individual issue below."</p><p><strong>25/11/2015: </strong>An 18-year-old boy was arrested in Llanelli, Wales, over the TalkTalk data hack yesterday.</p><p>The teenager becomes <a href="http://news.met.police.uk/news/fifth-arrest-in-talktalk-investigation-139221?utm_campaign=send_list&utm_medium=email&utm_source=sendgrid">the fifth person detained</a> in relation to the cybercrime incident and was arrested on suspicion of blackmail, and taken into custody at a Dyfed Powys police station.</p><p>The four others arrested a 16-year-old boy from Norwich, on suspicion of offences under the Computer Misuse Act, a 20-year-old man from Staffordshire, a 16-year-old boy from Feltham and a 15-year-old from County Antrim, Ireland, all subsequently bailed. </p><p>A total 157,000 customers had data stolen in October's cyber attack, TalkTalk has confirmed, with cybercriminals making off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth. 
</p><p><strong>20/11/2015:</strong> A law firm is considering legal action against TalkTalk on behalf of customers whose data was lost in the mobile operator's latest leak.</p><p>Hugh James law firm, based in Cardiff, told the <a href="http://www.theguardian.com/money/2015/nov/19/second-law-firm-considers-group-action-against-talktalk-for-cyber-attack"><em>Guardian</em></a> it has been approached by victims of the data breach and is encouraging others to come forward to join a possible group legal action against the company.</p><p>Partner Gwen Evans said: "Since the serious security breach occurred last month, we have been approached by a number of TalkTalk customers who are naturally concerned about whether their personal data has been accessed and misused. </p><p>"We are considering whether there is a case to take group legal action against TalkTalk because it is highly likely that the Data Protection Act 1998 will have been breached during this time."</p><p>A total 157,000 customers had personal data stolen in the October attack, TalkTalk has confirmed.</p><p>Cybercriminals also made off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth.</p><p><strong>16/11/2015: </strong></p><p>Writing in the <a href="http://www.theguardian.com/commentisfree/2015/nov/15/talktalk-hack-cannot-be-shrugged-off-data-security"><em>Guardian</em></a>, professor of the public understanding of technology, John Naughton, said the mobile operator's board must take more responsibility for customer security, saying that the company's failure to encrypt users' data cannot be blamed solely on engineers.</p><p>"Companies like TalkTalk are up against professional criminals," he wrote. "They, therefore, need to up their amateurish game. 
If a company's business requires it to store customers' sensitive information, then data security has to be a board-level responsibility, up there with health and safety and regulatory compliance. It is not just a matter for techies and boffins."</p><p>He added: "There have to be serious criminal and civil penalties for carelessness, complacency or incompetence."</p><p><strong>11/11/2015:</strong> TalkTalk's cyber attack will cost it between £30 million and £35 million, it has admitted.</p><p>Despite just 160,000 customers losing personal data in last month's hack, shares in the mobile operator have dropped by a quarter since news of the incident went public.</p><p>But it blamed one-off costs like the loss of online sales for the predicted dip in earnings, and CEO Dido Harding <a href="http://www.talktalkgroup.com/press/press-releases/2015/talktalk-reaffirms-commitment-to-customers.aspx">today announced</a> a string of free offers to customers who have stayed with the firm as a way of thanking them.</p><p>Customers can choose a selection of free features, including extra TV channels, a mobile SIM with free texts, data and calls, and unlimited landline and mobile calls from 1 December.</p><p>Meanwhile, TalkTalk has announced a new bundle of online and telephone security features, such as F-Secure's anti-virus protection, web filter HomeSafe, and the ability to block cold callers.</p><p>Harding said: "TalkTalk takes the security of customers' data extremely seriously and we are taking significant further steps to ensure our systems are protected, as well as writing to all our customers outlining what we are doing to keep their data safe.</p><p>"In recognition of the unavoidable uncertainty, and because we know that doing what is right for our customers will ensure the best possible outcome for the company over the longer term, we are today announcing the offer of a choice of free upgraded services to all our customers." 
</p><p><strong>06/11/2015:</strong> Only 156,959 TalkTalk customers had any personal data stolen in the hack on its systems, the mobile network has claimed - far fewer than the 1.2 million originally feared. Of those, roughly 10 per cent had their bank account number and sort code stolen, about 5,000 fewer than stated last week.</p><p>"Ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm only four per cent of TalkTalk customers have any sensitive personal data at risk. However, we continue to advise customers to be vigilant, and to take all precautions possible to protect themselves from scam phone calls and emails," the company said in an updated statement.</p><p>TalkTalk said it has now contacted all customers whose financial details were accessed and will be contacting all other affected customers over the next few days.</p><p>The company also claimed that "the financial information accessed cannot on its own lead to financial loss", however, stories of defrauded customers abound, including <a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security/25557/talktalk-offers-defrauded-customer-30-compensation">one man who was offered just £30 as a "goodwill gesture" after £3,500 was stolen from his bank account</a> in the wake of the hack.</p><p><strong>04/11/2015: </strong>Police <a href="http://news.met.police.uk/news/boy-arrested-re-talk-talk-investigation-bailed-136429?utm_campaign=mm_email_notification&utm_medium=email&utm_source=sendgrid">have arrested a fourth person</a> in connection with the TalkTalk data hack, this time a 16-year-old boy from Norwich.</p><p>The teenager was detained by police yesterday on suspicion of offences under the Computer Misuse Act after the National Crime Agency and the Met's Cyber Crime Unit obtained a warrant to search an address in the city.</p><p>The boy has been released on bail until late March 2016, after a 
20-year-old man was arrested in Staffordshire in connection with the cybercrime incident, and bailed until early March.</p><p>Two other boys, a 16-year-old from Feltham and a 15-year-old from County Antrim, Northern Ireland, have also been arrested and bailed in connection with the attack.</p><p>More than a million customers were affected by the hack, TalkTalk has confirmed, while 21,000 bank account numbers and sort codes were stolen. </p><p><strong>03/11/2015: </strong>TalkTalk customer data is being sold on the dark web for as little as 20p per record, according to reports.</p><p>An <a href="http://www.lbc.co.uk/exclusive-lbc-tracks-down-talk-talk-hacking-victims--119043"><em>LBC</em> investigation</a> claimed it found 2,500 customer accounts on the dark web and used a sample of the data from the criminals selling it to contact victims of the hack, including a woman called Louisa Jenkins.</p><p>She told the Nick Ferrari Breakfast show: "I'm quite angry. 
It feels like your details are never safe."</p><p>The news comes days after a <a href="http://www.mirror.co.uk/news/uk-news/hacked-talktalk-information-sale-organised-6744695">Sunday People investigation</a> that found a criminal calling himself Martian claimed to sell TalkTalk data on a dark website called Alpha Bay for £1.62 a time, offering information in bulk.</p><p><strong>02/11/2015: </strong>Hackers stole 1.2 million customers' email addresses, names and phone numbers in the TalkTalk data breach, the company has confirmed.</p><p>However, the cybercriminals only made off with 21,000 bank account numbers and sort codes, along with 28,000 obscured credit and debit card details and 15,000 dates of birth, the mobile operator said in a <a href="http://help2.talktalk.co.uk/oct22incident">statement</a> on its website.</p><p>With speculation over just how many of its four million customers were affected by the attack last month, TalkTalk said, "the extent of the data accessed is significantly less than originally suspected".</p><p>CEO Dido Harding said: "Today we can confirm that the scale of the attack was much smaller than we originally suspected, but this does not take away from how seriously we take what has happened and our investigation is still ongoing.</p><p>"On behalf of everyone at TalkTalk, I would like to apologise to all of our customers. 
We know that we need to work hard to earn back your trust and everyone here is committed to doing that."</p><p>Credit and debit card information, which was missing the middle six digits at the time that hackers accessed it, cannot be used to make financial transactions.</p><p>TalkTalk has shared the bank details of affected customers with their banks to help prevent fraud and has partnered with credit check company Noddle to offer customers a free year of credit monitoring alerts.</p><p>The Metropolitan Police Cyber Crime Unit's criminal investigation is ongoing.</p><p>Detective Superintendent Jayne Snelgrove said: "TalkTalk have done everything right in bringing this matter to our attention as soon as possible. Our success relies on businesses being open with us and each other about the threats they encounter." </p><p><strong>02/11/2015: </strong></p><p>He was taken into custody by Staffordshire police on suspicion of offences under the Computer Misuse Act and is the third person held in connection with the case after one 15-year-old boy from Northern Ireland and one 16-year-old boy from west London were arrested and subsequently bailed last week. </p><p>The 16-year-old has been bailed until a date as yet to be revealed by police while the 15-year-old from Northern Ireland is on bail until later this month.</p><p><strong>30/10/2015: </strong>Police have arrested a second teenage boy in connection with the TalkTalk hack, this time, a 16-year-old from West London. </p><p>The boy was arrested on suspicion of Computer Misuse Act offences, reports <a href="http://www.bbc.co.uk/news/uk-34675235"><em>BBC News</em></a>, but has since been bailed. This follows the arrest of a 15-year-old boy from Northern Ireland, who was arrested earlier in the week. 
</p><p>A property in Liverpool has also been searched, according to the Metropolitan Police.</p><p><strong>27/10/2015:</strong> TalkTalk has announced it will still charge customers affected by the TalkTalk hack a fee if they want to discontinue their service and cancel their contract.</p><p>However, it will waive termination charges if a customer can prove they have had money stolen from their bank accounts, although it denies this is a likely scenario because neither bank details nor credit card information was stolen in the attack.</p><p>"In the unlikely event that money is stolen from a customer's bank account as a direct result of the cyber-attack [rather than as a result of any other information given out by a customer], then as a gesture of goodwill, on a case-by-case basis, we will waive termination fees," it said in a statement.</p><p>Also this morning, the Police Service of Northern Ireland revealed the 15-year-old arrested last night in County Antrim in relation to the hack has been released on police bail pending further enquiries.</p><p>However, Jonathan Craig, a member of the Policing Board in Northern Ireland, <a href="http://www.belfasttelegraph.co.uk/news/northern-ireland/talktalk-hack-co-antrim-boy-15-released-on-police-bail-over-cyber-attack-34144693.html">told the <em>Belfast Telegraph</em></a> that should the boy be found to be implicated in the attack it "raises questions" for TalkTalk as to how a teenager from County Antrim could have breached a major telecoms provider.</p><p><strong>26/10/2015: </strong>Labour accused the government of chaos and incompetence over its response to the TalkTalk data breach today, as reports emerged of a 15-year-old boy's arrest in connection with the attack.</p><p>Shadow minister for culture and the digital economy Chi Onwurah questioned her Tory counterpart Ed Vaizey over Whitehall's data policy, claiming it has failed to keep up with cybercriminals' endeavour. 
</p><p>Speaking <a href="http://www.parliament.uk/business/publications/hansard/commons/todays-commons-debates/read/unknown/249">in the House of Commons today</a>, Onwurah said: "This government's data policy is chaos illuminated by occasional flashes of incompetence. Will the minister acknowledge that all the innovation has come from the criminals while the government sit on their hands, leaving it to businesses and consumers to suffer the consequences?" </p><p>Her comments came hours before Scotland Yard <a href="http://news.met.police.uk/news/arrest-re-talktalk-investigation-135026?utm_campaign=mm_email_notification&utm_medium=email&utm_source=sendgrid">confirmed</a> a 15-year-old boy had been arrested on suspicion of Computer Misuse Act offences.</p><p>The Police Service of Northern Ireland and the Met's cybercrime unit arrested the teenager in County Antrim at 4.20pm today and have taken him into custody.</p><p>The hack has led to victims' bank accounts being emptied by cybercriminals, with millions believed to have had their personal details leaked after TalkTalk admitted it had not encrypted customer data.</p><p>Vaizey failed to confirm whether or not police would receive more resources to respond to the hacking case and its victims after Onwurah questioned how the government would help police.</p><p>Instead, he replied: "The police have extensive resources with which to combat cybercrime, and we are the government who set up the national cybercrime unit.</p><p>"We have invested more than £860 million in cyber-security and we have a number of very effective schemes with which to engage business."</p><p>TalkTalk reported the breach to UK data watchdog the Information Commissioner's Office on Thursday, Vaizey added, a day after the breach took place.</p><p>However, he refused to reveal how many customers TalkTalk believe have been affected by the breach; it is thought to be in the millions, but the figure remains unconfirmed. 
</p><p><strong>25/10/2015: </strong>TalkTalk has admitted it did not encrypt customer data such as credit card details and telephone numbers after hackers stole potentially millions of customers' information. </p><p>CEO Dido Harding told <a href="http://www.thesundaytimes.co.uk/sto/news/uk_news/National/article1624162.ece"><em>the Sunday Times</em></a> today: "It wasn't encrypted, nor are you legally required to encrypt it.</p><p>"We have complied with all of our legal obligations in terms of storing of financial information."</p><p>The mobile operator has four million users but has not confirmed how many it believes were caught up in the data breach it suffered earlier this week.</p><p>However, TalkTalk could face thousands of legal claims from victims, with the total payout rising to around £20 million, according to insurance law firm BLM, including the cost of replacing four million credit cards.</p><p>Partner and head of technology Tim Smith told the <a href="http://www.ft.com/cms/s/0/d17f77ee-7b0e-11e5-a1fe-567b37f80b64.html#axzz3pbZhEk41"><em>Financial Times</em></a>: "[It is] quite probable that customers will sue for a breach of the Data Protection Act and a breach of confidence and privacy rights."</p><p>Meanwhile, an £80,000 ransom note received by Harding from someone claiming responsibility for the hack included a table of 400,000 TalkTalk customers who have recently undergone credit checks with the company, <a href="http://krebsonsecurity.com/2015/10/talktalk-hackers-demanded-80k-in-bitcoin"><em>KrebsOnSecurity</em></a> reported.</p><p>It comes after <em>the Times</em> claimed yesterday that victims' bank accounts had been emptied by hackers, adding that TalkTalk had ignored criticism of its online security a year ago.</p><p><strong>23/10/2015 3pm: </strong>TalkTalk's CEO has received a ransom note purportedly from the hackers responsible for a huge data hack that could affect millions of customers.</p><p>Dido Harding told <a href="http://www.bbc.co.uk/news/uk-34615226"><em>BBC News</em></a>: "It is hard for me to give you very much detail, but yes, we have been contacted by, I don't know whether it is an individual or a group, purporting to be the hacker. </p><p>"All I can say is that I had personally received a contact from someone purporting - as I say I don't know whether they are or are not - to be the hacker looking for money."</p><p>The email will be examined by the Metropolitan Police, which is investigating the hack.</p><p>It is not yet clear how many customers' data has been lost in the leak, but TalkTalk has four million users and the information lost includes names, addresses, dates of birth, telephone numbers and credit card details; not all of this was encrypted. </p><p>The mobile operator lost the data in the middle of a distributed denial of service (DDoS) attack, during which its servers crashed under huge volumes of traffic.</p><p>It is believed hackers may have used the DDoS attack to distract TalkTalk's security team while they pinched the data.</p><p>The mobile operator has recommended people change their passwords as soon as its site goes back online, and this latest breach is the third in 12 months to hit the company.</p><p><strong>What could happen to customers?</strong></p><p>Christopher Boyd, malware intelligence analyst at Malwarebytes, said hackers could target customers with phishing attacks now they have their details.</p><p>"People should be paying close attention to emails and other communication which appear to be genuine at first glance," said Boyd.</p><p>"If those messages are asking for additional information, service sign-ups or providing refund request attachments they should think very carefully before proceeding, lest they fall victim to a malware attack or yet another incident of data theft."</p><p>IT security company ESET warned that criminals will also use the data to steal customers' identities.</p><p>Security specialist Mark James said: "The 
data of all their customers will almost certainly be used for potential identity theft along with the obligatory attempts at financial access with any current information they may have attained.</p><p>"There was some 'partial' encryption of credit card numbers, we are led to believe, but businesses need to understand that all our private data has a value, not just the direct financial stuff."</p><p><strong>The consequences for TalkTalk</strong></p><p>The Information Commissioner's Office (ICO) has been notified of the breach and will investigate it, potentially leading to a fine of up to £500,000 for TalkTalk.</p><p>But Mahisha Rupan, senior associate at law firm Kemp Little, said TalkTalk's swift notification to customers of the breach could mitigate any such penalty.</p><p>"The ICO is likely to take into account TalkTalk's response to the breach and its attempt to limit any losses incurred by the customer," said Rupan.</p><p>ESET's James added that TalkTalk should bolster its security following the attack, saying: "Companies should implement proper use of cryptography, encrypting the sensitive data and hashing the passwords in a cryptographically sound way. We are forced to trust companies with our data and so often that trust is lost through no fault of our own."</p><p><strong>23/10/2015 10am:</strong> TalkTalk has confirmed that hackers have once again infiltrated its website in what the company has called a "sustained" cyber attack that took place on Wednesday this week. </p><p>It is not known just how many of the firm's four million customers have been affected but hackers are believed to have been able to gain access to a wide range of sensitive information including names, addresses, dates of birth, email addresses, telephone numbers and other TalkTalk-specific account data. 
</p><p>Perhaps more concerning for TalkTalk customers is the fact that credit card or bank details have also been exposed as the company confirmed that such information may be among the data hackers had access to during the cyber hack. </p><p>Yesterday, the comms giant announced that the Metropolitan Police had launched a full criminal investigation into the issue, in addition to issuing an apology to customers, which started with the words no customer wants to hear: "We're very sorry..."</p><p>"We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed," TalkTalk's managing director (consumer) Tristia Harrison said in a statement issued <a href="http://help2.talktalk.co.uk/oct22incident">online</a>. </p><p>TalkTalk said it had taken measures to secure the website after the hack and that it constantly reviews its system security to protect data and prevent subsequent attacks. However, many users will take convincing as this is not the first time TalkTalk has suffered a data breach. Back in February this year (see story below), the company confirmed hackers had stolen personal user information and were targeting customers with scam phone calls.</p><p>"We would like to reassure you that we take any threat to the security of our customers' data very seriously," Harrison's statement continued. </p><p>"...Unfortunately, cyber criminals are becoming increasingly sophisticated and attacks against companies which do business online are becoming more frequent."</p><p>The incident has been reported to the ICO and TalkTalk has contacted major banks to keep them on high alert for suspicious activity on customer accounts. 
It has also recommended that customers monitor their own accounts for any unauthorised or unusual activity and to also check their credit reports held with the main agencies: Call Credit, Experian and Equifax.</p><p>TalkTalk has also addressed frequently asked questions related to the attack online to help customers better understand what has happened and how they might be affected.</p><p>In response to the question 'Why were you targeted?' the company has responded: "Unfortunately TalkTalk is by no means an isolated incident. Barely a week goes by now without cybercriminals using increasingly hostile and sophisticated methods to target companies that do business online. It's not just companies like TalkTalk that are being targeted, banks, retailers like Apple and even the US Government have been victims."</p><p><strong>27/2/15: </strong>TalkTalk has confirmed hackers accessed its systems and stole personal information about its customers, resulting in some receiving follow-up phone calls from scammers.</p><p>In a statement issued to <em>IT Pro</em>, TalkTalk confirmed a small number of its four million customers had their account names and numbers compromised. 
</p><p>"We are aware of a small but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly," the firm said in a statement.</p><p>"We want to reassure customers that no sensitive information like bank account details has been illegally accessed, and TalkTalk Business customers are not affected."</p><p>TalkTalk confirmed the Information Commissioner's Office, which is responsible for enforcing the Data Protection Act, has been made aware of the breach.</p><p>The data theft came to light following an uptick in reports from customers about receiving suspicious-sounding phone calls from individuals claiming to work for TalkTalk at the end of 2014, TalkTalk said in an email to customers.</p><p>"In a small number of cases, customers told us that the criminals were quoting their TalkTalk account number, as well as their phone number," it states.</p><p>"Following further investigation into these reports, we have not become aware that some of the information we have about some customers (their name, home address, phone number and TalkTalk account number) could have been illegally accessed in violation of our security procedure.</p><p>"Please rest assured that your sensitive information of date of birth, bank or credit card details have not been illegally accessed," it adds.</p><p>The email then goes on to reiterate that TalkTalk will never take its customers' banking details over the phone or ask them to download any kind of software onto their computers.</p><p>"Preventing all scam and nuisance calls is a high priority for us. We are doing everything possible to prevent this from happening again, and to protect you from all malicious and nuisance calls. 
</p><p>"In some cases we are able to block certain callers, including those from these criminal organisations, from ringing customers on our network, if they've breached a strict set of criteria.</p><p>"You can also block your number from receiving unsolicited sales calls by registering with the Telephone Preference Service," the email concludes. </p><h2 id="what-to-do-if-you-have-been-affected-by-the-talktalk-hack">What to do if you have been affected by the TalkTalk hack</h2><p><em>Advice from Wim Remes, Rapid7</em></p><p>"We often hear the question "What can users of a compromised service do?" - If you suspect that personal data is compromised, there are several steps you can take. These are actually the same steps you should consider in order to minimise the impact of a compromise:</p><ul><li>If you have used the same password as for the compromised service anywhere else, change the passwords for all those services. Consider configuring two-factor authentication if the service supports it.</li><li>If your bank allows this, restrict the amount of money that can be transferred without additional authorisation to the lowest possible amount that keeps it practical for you.</li><li>Never perform actions in relation to your bank account or customer record based on a phone call you receive from a self-proclaimed representative of your bank or service provider. It is your right to request additional identification and phone calls, while direct, are never used as a last resort before your account is blocked.</li><li>Watch your bank statements closely and do not keep all money in your current account, just enough to cover expenses/bills for the next 30 days or whatever time period works for you.</li><li>Keep track of all your online accounts and manage them as if they constitute the contracts they are related to. 
If an online account is not strictly necessary, consider cancelling it in order to limit your data footprint as much as possible."</li></ul><p><strong><em>This article was originally published on 27/02/15 and has since been updated numerous times as new facts emerge, most recently on 16/12/2015.</em></strong></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO says UK should adopt EU-style data protection rules post-Brexit ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/27336/ico-says-uk-should-adopt-eu-style-data-protection-rules-post-brexit</link>
                                                                            <description>
                            <![CDATA[ Elizabeth Denham said the UK needs tougher penalties for people who breach regulation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6Bpi9SQyNMYdNz88NSSjhX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 04 Oct 2016 07:23:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Brexit]]></media:description>                                                            <media:text><![CDATA[Brexit]]></media:text>
                                <media:title type="plain"><![CDATA[Brexit]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/xGJJMYUZdxiikGsnfxxRrK-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>UK information commissioner Elizabeth Denham has made her first speech after taking on the role, announcing her commitment to transforming the UK's data privacy laws, suggesting an EU-like policy needs to be put in place.</p><p>She explained research by the ICO revealed only one in four Brits trust UK businesses with their data and the primary aim of her five years in office is to change that, building a culture of data trust in the country.</p><p>"At the end of my five year term my wish is that we are at a place where citizens and consumers have much more confidence in organisations' use of personal data," she said. "I want that survey figure of one in four to go up."</p><p>This will be done by transforming the UK's data and protection policies, aligning them with the EU's mission. It will be a "progressive regulatory regime that stands up to scrutiny, that doesn't leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with Europe."</p><p>Europe's new privacy laws, which come into effect in 2018, will come down harder on businesses that don't comply with the regulations, including hefty fines - up to 4% of a company's annual turnover.</p><p>Although Denham didn't reveal whether such fines would be imposed on UK companies should they not meet the guidelines, she suggested such action was necessary in order to protect the UK trade and UK citizens.</p><p>"The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow," she explained. "It is fundamental to the digital economy. 
In a global economy we need consistency of law and standards; the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent."</p><p>Denham added that she's currently in talks with ministers and senior officials in government to help it come up with a fair set of policies that should be transformational rather than negatively affecting business.</p><p>"Legislative change does bring nervousness, but it also brings opportunity. These changes, stronger data protection law and enforcement, are aimed at inspiring public trust and confidence," she concluded.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ ICO investigates WhatsApp-Facebook data sharing deal ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/27157/ico-investigates-whatsapp-facebook-data-sharing-deal</link>
                                                                            <description>
                            <![CDATA[ Data watchdog says it will "pull back the curtain" on how information will be shared ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">w8Sk5w7ELMmcnAiHa3bNgb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UhtFxexEWXgHA62r8DXZo4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 26 Aug 2016 15:10:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Joe Curtis ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UhtFxexEWXgHA62r8DXZo4-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UhtFxexEWXgHA62r8DXZo4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Information Commissioner's Office (ICO) will investigate <a href="https://www.itpro.com/apps/27150/whatsapp-will-let-businesses-chat-with-you-in-advertising-push" target="_blank" data-original-url="https://www.itpro.com/apps/27150/whatsapp-will-let-businesses-chat-with-you-in-advertising-push">WhatsApp's decision to share users' data with Facebook</a>, it has confirmed.</p><p>Elizabeth Denham, the new information commissioner, said she plans to "pull back the curtain" on exactly how people's data is being shared between the two firms, following yesterday's announcement.</p><p>WhatsApp will let businesses chat to users on its platform for the first time in the next few months, but also changed its terms and conditions to allow it to pass users' information onto its parent company Facebook, which bought it for 11.2 billion in 2014.</p><p>The UK's data watchdog said there may be nothing wrong with the decision to share data, but that it has a responsibility to check.</p><p>Denham said in a <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/08/statement-on-changes-to-whatsapp-and-facebook-s-handling-of-personal-data" target="_blank">statement</a>: "The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it'll give them a better service, others may be concerned by the lack of control.</p><p>"Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.</p><p>"We've been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. 
We are looking into this."</p><p>WhatsApp believes that by sharing data with Facebook, the social network can serve better adverts to users, as well as allowing the chat platform "to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp".</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Trump resort will not be charged for breaching data laws ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/27086/trump-resort-will-not-be-charged-for-breaching-data-laws</link>
                                                                            <description>
                            <![CDATA[ Presidential hopeful's Scottish golf course failed to register under the Data Protection Act for four years ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bRL4g9Rt6rXzeuKgWKq795</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NtFY9ZetbGnXyVNRakNUYd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 12 Aug 2016 09:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Centres]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NtFY9ZetbGnXyVNRakNUYd-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[trump]]></media:description>                                                            <media:text><![CDATA[trump]]></media:text>
                                <media:title type="plain"><![CDATA[trump]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NtFY9ZetbGnXyVNRakNUYd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Donald Trump's Aberdeenshire golf resort will not be investigated or prosecuted, despite failing to register with the Information Commissioner's Office under the Data Protection Act.</p><p>Every company that handles personal information is required by law to register under the DPA, but Trump International Golf Links Scotland, established in 2012, failed to do so until Thursday, the ICO told <em>IT Pro</em>.</p><p>The hotel and golf course complex has now registered under the act, and the data privacy watchdog says that it has no intention of prosecuting the organisation for its four-year lapse.</p><p>"Where data controllers respond to advice from the ICO that they need to notify and complete the registration process," a spokesperson said, "it generally would not be a proportionate response to then commence a prosecution.</p><p>"We treat those that we regulate in a consistent way and to pursue the golf course in these circumstances would be inconsistent with how we have dealt with others in similar circumstances."</p><p>However, an ICO spokesman pointed out to <em>IT Pro</em> that just because an organisation is registered under the Data Protection Act does not mean that it is automatically compliant with it. Trump's resort could still find itself in hot water if it does not take adequate steps to ensure the security of its customers' data.</p><p>The company, which claims to have hosted tens of thousands of guests, told <a href="https://www.theguardian.com/us-news/2016/aug/11/trump-scottish-golf-resort-admits-breaching-data-protection-law?CMP=twt_gu"><em>The Guardian</em></a> that the lack of registration was a "clerical oversight".</p><p>"We take the security of our employees' and guests' personal data very seriously," a statement read, "and comply with all aspects of the Data Protection Act."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New ICO chief: UK can navigate post-Brexit data protection problems ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/data-protection/27077/new-ico-chief-uk-can-navigate-post-brexit-data-protection-problems</link>
                                                                            <description>
                            <![CDATA[ Elizabeth Denham insists that Brexit will not stop UK protecting data ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">puiHWKSTwLBSoaViGU58xX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 11 Aug 2016 09:35:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Protection]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Joe Curtis ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The new Information Commissioner believes the UK can navigate Brexit to successfully update its data protection laws.</p><p>Elizabeth Denham, who joined the Information Commissioner's Office (ICO) from an equivalent position in British Columbia last month, gave a bright assessment of the future of Britain's data protection, despite the vote to leave the EU causing uncertainty.</p><p>In her first newsletter for the UK's data watchdog, Denham wrote: "The result of the EU referendum and its impact on data protection reforms will undoubtedly create uncertainty, as any period of flux does. It's clear to me though that the UK is well equipped to navigate the changes ahead successfully.</p><p>"Data protection is a team sport. Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large."</p><p>Her comments come after the minister for data protection <a href="https://www.itpro.com/data-protection/26862/doubt-clouds-future-of-uk-s-post-brexit-data-protection-rules" data-original-url="https://www.itpro.com/data-protection/26862/doubt-clouds-future-of-uk-s-post-brexit-data-protection-rules">admitted Brexit has created doubt</a> over whether the UK will need to formulate its own laws instead of adopting the EU's General Data Protection Regulation, <a href="https://www.itpro.com/data-protection/26476/gdpr-gets-a-deadline-25-may-2018" data-original-url="https://www.itpro.com/data-protection/26476/gdpr-gets-a-deadline-25-may-2018">which comes into force in May 2018</a>.</p><p>Baroness Lucy Neville-Rolfe said: "Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way."</p><p>It is widely accepted the UK will need to prove it provides an adequate level of data protection if EU data is transferred here.</p><p>Denham's tenure itself was in doubt when it emerged that the government had failed to get the Queen's consent for 
her appointment in time.</p><p>But now in the post, she indicated that she plans to engage with stakeholders about the future of data protection regulation, saying: "Data protection is a team sport. Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large.</p><p>"We all have an important role to play in this, and I look forward to the opportunity to work with you during my time here."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Elizabeth Denham appointed ICO boss  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/strategy/26949/elizabeth-denham-appointed-ico-boss</link>
                                                                            <description>
                            <![CDATA[ Denham will be tasked with helping the UK leave the EU without any knock-on effects on privacy ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dg64ToDbu6Yb9dYsrke64P</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 19 Jul 2016 08:28:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Public Sector]]></category>
                                                    <category><![CDATA[Business]]></category>
                                                                                                                    <dc:creator><![CDATA[ Clare Hopping ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UNFKPhh6QzWV4ekNzN5YLA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Elizabeth Denham has started in her new role of Information Commissioner this week, taking over from previous head of the ICO, Christopher Graham.</p><p>Denham's term will include the period running up to and the aftermath of the UK's exit from the European Union, presenting a number of challenges, including whether to adopt the General Data Protection Regulation to help the UK's trade with other European countries or to come up with a new set of rules and regulations.</p><p>Other challenges include helping the ICO decide how to deal with data thieves in the UK, whether this is by giving judges more powers or new legislation that would pass the responsibility onto another official body.</p><p>"I am delighted to have taken up this position and am excited about the challenges ahead. I look forward to working with staff and stakeholders to promote openness by public bodies and data privacy for individuals," Denham said in a statement.</p><p>Elizabeth Denham has been working in data protection and regulation for the last 12 years. The Canadian previously held similar positions in her native country and since 2010 she has been the Commissioner at the Office of the Information and Privacy Commissioner for British Columbia.</p><p>Her previous achievements include launching an investigation into the way Facebook handles privacy, which led to some changes to the way the company uses data. 
She will be paid 140,000 in her new role, which will last for five years as a minimum term.</p><p>Between Graham's departure in June and yesterday, Deputy Commissioner Simon Entwisle stood in as Information Commissioner.</p><p>Her appointment was announced back in April, when Jesse Norman, chair of the committee, said: "The committee noted with interest Ms Denham's views on a range of topics, including the possible retention of emails as official records, the extension of FoI and directors' liability for data breaches, in particular."</p><p>"We also noted Ms Denham's track record on data protection with government in British Columbia, and her proactive approach to protection of privacy with major international technology companies," Norman continued.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>