Draft Data Protection (Charges and Information) Regulations 2018


Draft Regulations on the ICO registration fees were laid before Parliament on 20th February. These draft regulations will come into force on 25th May (to coincide with the General Data Protection Regulation (GDPR)). The new Regulations set out the ICO registration fee scheme, including the fee structure: Tier 1 – micro organisations: you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40. Tier […]

WordPress 4.9.2 security release & YITH Wishlist vulnerability


On January 16th WordPress released a security update to patch a vulnerability in the latest version of WordPress. According to the release notes (the update fixes a number of bugs too), “an XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.” It is strongly recommended that you make sure your WordPress site is updated […]

ICO fines Carphone Warehouse £400k


Carphone Warehouse has been issued with one of the largest fines imposed by the Information Commissioner’s Office after customer and employee data was compromised in a cyber-attack in 2015. The ICO cited “multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information”, with the cause of the breach being linked to out-of-date software (WordPress) and inadequate security protocols. With the General Data […]

Meltdown and Spectre chip vulnerability


There’s been a lot of coverage of the recently announced chipset vulnerability found in processors from major suppliers (e.g. Intel, AMD). The vulnerability, if exploited, could allow attackers to read areas of memory that are normally inaccessible and which may hold sensitive data such as passwords and encryption keys. There’s been a lot of press coverage of the vulnerabilities over the last couple of weeks, so this post doesn’t serve to repeat what’s been said elsewhere, but to […]

ICO consulting on children’s data and GDPR


This week, the ICO published some draft guidance on GDPR and children’s data. The General Data Protection Regulation (GDPR) makes special mention of children’s data in Article 8 “Conditions applicable to child’s consent in relation to information society services”. This sets out that if you provide an online service directly to a child and where consent is the lawful basis for processing, consent must be sought from a parent or legal guardian. The GDPR defines a child as anyone under […]

ePrivacy update


Just as the EU has updated the data protection regime, with the General Data Protection Regulation (GDPR) coming into force across Europe on 25th May 2018, it’s also set to update the privacy rules. The last ePrivacy Directive was implemented in the UK as the Privacy and Electronic Communications Regulations (PECR), which are probably better known for the rules around the use of cookies on websites. But ePrivacy also complements data protection in the area of direct marketing. […]

Draft guidance from Europe on interpretation of GDPR transparency rules


The Article 29 Working Party (the EU’s group of data regulators) has published draft guidance on the transparency aspects of the General Data Protection Regulation (GDPR). Transparency is a fundamental aspect of GDPR compliance and exists to empower data controllers to be open about what they’re planning to do with their customers’, employees’ and other individuals’ data. Transparency isn’t a new thing for data protection, but the individual’s right to be informed (Articles 13 and 14) sets out very specific rules about what […]

EU A29WP consent consultation indicates next year for ICO guidance


The data protection principle of consent is one of the significant areas of the General Data Protection Regulation (GDPR) that’s changing from the existing data protection rules, and the one area that’s got marketing people overexcited due to its rules about consent being “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating […]

Morrisons data breach case highlights wider reaching liabilities than just GDPR fines

A High Court judge has found Morrisons supermarket liable for a 2014 data leak in which an employee leaked Morrisons staff payroll information. The employee was found guilty of the breach and is currently serving an 8-year prison sentence. However, some of the employees impacted by the breach (i.e. those whose details were leaked) took the supermarket to court to claim damages for the threat of identity theft and potential financial loss. Whilst Morrisons argued they couldn’t be held liable for the […]

WordPress patches 4 new security issues


All versions of WordPress from 3.7 onwards have been patched to fix four new security vulnerabilities. As reported in the security and maintenance release notes for v4.9.1, the following fixes have been implemented in the latest security release: use a properly generated hash for the newbloguser key instead of a determinate substring; add escaping to the language attributes used on html elements; ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds; remove the ability to upload JavaScript […]