data privacy

  • Superdrug Data Hack

    Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

    The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

    A spokeswoman from Superdrug stated:

    “The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

    The company also confirmed that 386 accounts had been accessed, including customers’ names, addresses, dates of birth, phone numbers, and Superdrug balance points; however, luckily no card information was obtained.

    They sent out an email to their customers, in addition to a confirmation on Twitter stating:

  • New Data Law Committee

    Before Brexit is finalised, there is a lot of work to be done, with one of the most recent priorities being data transference between the UK and the EU. This is because both the Government and businesses have expressed their reservations regarding personal data traffic post-Brexit, especially in the event of a ‘no deal’ Brexit. 

    To address this issue, a new Data Law Committee has been set up to discuss future legislation regarding Data Protection and Privacy law. The City of London Law Society announced the introduction of the Data Law Committee, with Jon Bartley, the chairman of the committee, describing it as a “pivotal moment” for Privacy law.

    The Committee is in place to discuss all aspects of Data Privacy and Cybersecurity legislation. However, Jon Bartley, the Committee Chairman and Partner at the Corporate and Insurance law firm Reynolds Porter Chamberlain, announced that Brexit is “our first and most urgent area of interest.”

  • NIS DIRECTIVE

    The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations that are operating essential services within the EU.

    The legislation came in on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy providers, transport, banking, financial services infrastructure, health, water and digital infrastructure providers. 

    Organisations who operate within these sectors are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.

  •  Right to be forgotten

    Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

    Anonymisation ensures that the anonymised data can no longer be linked to an identifiable person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would then be able to explain that you no longer have personal data related to that subject on your database. That said, anonymisation is very hard to achieve perfectly and leaves some risk unless performed properly.

  • Cyber breaches

    According to research from the professional services firm KPMG, 39% of UK-based CEOs are convinced that a cyber-attack is inevitable, and on a global scale nearly half of CEOs agreed with this statement. KPMG surveyed 1200 CEOs from around the world, including 150 leaders from the UK, where they were asked to discuss company challenges and future plans.

    To protect organisations against cyber-attacks, UK CEOs discussed how a durable strategy for their cyber security is essential, as according to 74% of UK leaders, cyber security is a trust enabler. However, only 39% believe they are “very well” equipped for when a cyber-attack does occur.

    KPMG’s UK vice chair, Bernard Brown discussed how:

  • What is personal data?

    Personal data is defined within Article 4 of the General Data Protection Regulation (GDPR) and means solitary or group data that can be used to identify an individual. The following are examples of personal data:

    • Name
    • Home address
    • Driver’s license
    • Data Protection Officer

      Under the GDPR, you must appoint a data protection officer (DPO) if you:

      1) are a public authority (except for courts acting in their judicial capacity);
      2) carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
      3) carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

    • Underhanded tactics of phone apps

      The consumer rights association Which? has produced a report after monitoring 29 popular apps used by both iPhone and Android users, in which it discovered the underhanded tactics of several app companies when obtaining personal data.

      Which? found that several of these companies had found borderline-lawful means of obtaining unnecessary information from customers, who were unaware of this because they neither had the time nor were willing to read the overcomplicated and long data protection policies. The consumer body found that:

      “Based on average reading it would take 22 hours, 21 minutes to read all the policies in one go.”

      The report also showed that despite the General Data Protection Regulation (GDPR) being implemented in May 2018, there were still organisations ignoring the fundamentals of the regulation:

    • Withdrawing consent and right to erasure

      In respect of the data subject enforcing their rights, it should first be noted that withdrawing consent, i.e. removing the controller's right to use your data, is not the same as the right of erasure. Consent is specific and unambiguous and is given for a particular activity.

      For example, many of us will use an online web form to download a document. If there is a check box to receive marketing material from the site, and we tick the box, we will receive the marketing materials.

      If we later withdraw the marketing consent, will our information be erased as well?
