The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much higher, and not only in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or because they are put off by the scaremongering tactics of InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector.
Continue Reading UK Cyber-Security Breaches Survey

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of

A study by the International Association of Privacy Professionals has found that 28,000 data protection officers (DPOs) will be needed in the next two years for companies to comply with the EU’s new General Data Protection Regulation (GDPR). By the time the GDPR comes into force in 2018, in-scope entities will have to have their

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion

In 2015, a number of high-profile media and political events and several legal cases raised questions about personal data protection in the European Union. 2016 looks to be a pivotal year for reforms in personal data protection, including issues related to recent matters.

The following developments are anticipated:

  • The General Data Protection Regulation will form

On December 15, the EU Commission, Parliament and the EU Council reached an agreement on EU data protection reform via the “trilogue” meetings. The reform consists of two legal instruments:

  • The General Data Protection Regulation (GDPR)
  • The Data Protection Directive for the police and criminal justice sector

One of the huge advantages of the GDPR

A recent leaked draft proposal reveals the position of the E.U. Council as regards the fines system that will come into force under the proposed new General Data Protection Regulation in the E.U. member states. The huge amount of the fines that will hang over companies which, intentionally or by negligence, violate Europe’s fundamental right to data protection explains the increasing interest of practitioners in data protection compliance.

We already knew that European law makers tend toward a three-tiered system of fines, depending on the nature, gravity and duration of the infringement and the level of damage suffered by data subjects. Briefly, the lowest level corresponds to the delays and modalities of responses to data subject requests, the middle level to the obligation of transparency before data subjects and data protection authorities (DPAs), and the highest level to various concrete infringements, such as the lack of a legal basis to process data, the failure to notify data breaches, or data transfers outside the E.U. without adequate safeguards.

Whereas the E.U. Parliament had set the highest fines at 5% of the business’s annual global turnover in its proposal, the draft document limits those amounts to 2%. In mid-June, E.U. ministers should endorse the whole text to allow final negotiations between the Council and Parliament to start, notably concerning the adequate level of sanctions.

This leak finds a particular resonance in the context of the recent decisions issued by French, Belgian and European authorities, which have become increasingly insensitive to the big players’ positions on data protection. After putting Google under fire in the famous decisions of the E.U. Court of Justice (CJEU, C-131/12), it is now Facebook that is in the limelight.
Continue Reading EU Council Confirms the Forthcoming Strong Enforcement of Fundamental Right to Data Protection