This year in June, Dixons Carphone announced that a major data breach had occurred, estimating that 1.2 million customers were affected by the hack. This number has now risen to 10 million customers’ who may have had their personal information hacked, including their names, addresses, and email addresses.

Dixons Carphone announced that no bank details were taken, however, 5.9 million payment cards were accessed, although the majority were protected by chip and pin.   

The company has expressed regret for any distress caused by the hack, stating they would be apologising to the customers affected in due time. Dixons Carphone chief executive, Alex Baldock advised that they are working with the top cyber security experts, in order to improve security measures, which has involved:

A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons WP29 state MAC addresses should be regarded as personal data:

Where a Controller uses third party systems to process personal data, the responsibility for consent still lays with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), demonstrate it to the regulator and ensure it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is key.

If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

Three Graces Legal is a commercial law firm which has many years' experience in dealing with civil claims for compensation, including large commercial dispute matters. We also deal with claims arising out of breach of the Data Protection Act and GDPR.

Our specialist data protection claims solicitor, Aaron Pearson, is a GDPR practitioner and the firm has acquired the standard of ISO17024 for GDPR practitioner and Cyber Essentials.

We make compensation claims on behalf of individuals and businesses who have been adversely affected by a breach of the Data Protection legislation. 

We offer a wide-range of funding arrangements, including been able act for you under a no win, no fee agreement.

We are specialists in pursuing civil claims for a breach of the Data Protection legislation. The law is constantly evolving to keep up with such a changing landscape, particularly where data is concerned. More than ever, we have to ensure that we remain vigilant, while organisations who collect and process our data must take measures to avoid a breach, otherwise they may be faced with a claim for compensation.

Compliance with data protection law, and moreover, the GDPR, is vital. We act for many businesses in advising them how to stay compliant so as to avoid any unwanted legal proceedings for breach of data protection laws. Equally, we act for individuals who have suffered some harm as a result of a data protection breach.

Three Graces Legal have seen how the changes arising from the existing Data Protection Act 1998, which was usurped by the European Directive, enabling a person to claim compensation for distress alone, has developed to be written into the General Data Protection Regulation. This now enables an individual to rely on a binding EU Regulation to claim compensation for distress arising out of a data breach.   

Recently, there has been discussion regarding whether or not it is GDPR-compliant to transfer encrypted data on applications based outside of the EU. An example of this is Dropbox, as they have US-based servers, therefore if personal data is transferred through the Dropbox system, then technically it has been transferred outside of EU jurisdiction and is no longer GDPR compliant.

However, personal data sent in this format is usually encrypted and only the necessary individuals are given the encryption key to gain access to the data. So, in this instance, is the transference of the data compliant?

Although, the data may have been transferred outside of the EU the encryption key is not stored on the Cloud servers, therefore there is no identifiable information from the provider. However, there is always a possible risk that a data breach will occur if an unauthorised source obtains the key by force.

The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is to specify whether the data includes special categories of personal data, this raises the risk profile of the data set.

For Personal Data that does not fall into one of either:

Following Google’s announcement this week (8 October 2018) regarding a data breach in 2015, they have temporarily shut down their social network Google+, where a security bug enabled third party developers to gain access to user data, potentially affecting around 496, 951 Google+ users.

The announcement on Monday was the first time Google discussed the breach, which although occurred three years ago, was not exposed and remedied until March 2018. Google’s reasoning for late exposure was relayed in an internal memo, which discussed the avoidance of “regulatory interest”, and potential comparisons to Facebook’s Cambridge Analytica scandal.

The bug may have allowed third party developers to gain access to usernames, email, gender, data of birth, location, pictures, as well as occupation and relationship status. However, there is no concrete evidence to confirms this (as Google only holds API data for two weeks) therefore they cannot determine how many users were exposed. Google have advised that there was “no evidence that any profile data was misused” as well as there being “no evidence that any developer was aware of this bug, or abusing the API”.

According to a study from the Information Commissioners Office (ICO), data breaches have shown a 75% increase in the past two years.

The report was conducted by Kroll, one of the top corporate investigations and risk consulting firms, based out of the US. Kroll compiled data breach reports which were submitted to the ICO, regarding breaches of personal data, including financial and health details. Some of the data contained in the reports were of public knowledge, whilst other forms of data were accessed under the Freedom of Information Act.

The final report established that over 2,000 reports submitted to the ICO were due to human error in the past year, with the most common grounds for a data breach being: data being sent by email or fax to the wrong recipients and the loss or theft of paperwork.

In the past year there have been an array of high-profile data breaches from some of the UK’s biggest organisations including: British Airways, Dixons Carphone, and Ticketmaster UK.

It is alarming that such large established organisations have jeopardised not only their company’s data, but also the personal data of their customers, through their lack of cyber security.

Many cybersecurity experts believe that a data breach can occur due to a simple mistake being made possibly when updating systems or when processing the migration of data. Although there has been a substantial amount of investment placed on cybersecurity, there are still gaps in the basic procedures, which must be addressed.

According to recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR), when it was introduced on 25 May 2018.

Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

Imagine the scenario: you hold marketing data, collected from lead generation firms, meetings, seminars etc maintained as a contacts database for marketing purposes. You have already contacted some of the people on this database, but others you have not.

In order to comply with the GDPR requirements you need to know:

How is this affected by GDPR?

Do you need contact all the earlier contacts to get consent?

Can this be deemed legitimate business use?

When seeking to acquire informed consent the default solution tends to be that you can obtain a written consent from each and every customer. This is of course perfectly fine, if it is manageable. But even  overcoming this task leaves the burden of gathering the consent documents and filing them, followed by ensuring the data is correct etc.

Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes that you are seeking consent to carry out, and look at alternative lawful bases.

Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

Recently, this agreement has been brought in to question, regarding its workability and whether it is actually working in the way it is prescribed in the GDPR requirements. https://gdpr-info.eu/art-28-gdpr/

Organisations are usually established as the data controller, and the program they use acts as the data processer, i.e. Microsoft One Drive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

There has been some debate on what must be included in an SAR:

Recently in relation to the inclusion or exemption of confidential references. As previously, under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, although employers did have the right to refuse disclose of this information to the employee. In this instance, an employee could overrule the employer’s decision by applying to the recipient employer regarding their reference, whereby the employer could not decline disclosure.

The Article 29 Working Party (WP29) published an assessment of the balance between legitimate interests of employers, and the reasonable privacy expectations of employees. In which it outlines the risk assessment posed by modern working practices, where new technologies enable more systematic processing of employees’ personal data at work, which bring about challenges in regards to privacy and data protection.

Processing of personal data on the use of online services and location data from a smart device, are much less visible to employees than other more traditional types such as overt CCTV cameras, yet they encapsulate our lives more so.

Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

A spokeswoman from Superdrug stated:

“The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

The company also confirmed that 386 accounts had been access, including customers’ names, addresses, data of birth, phone number, and Superdrug balance points, however luckily no card information was obtained.

They sent out an email to their customers, in addition to a confirmation on Twitter stating:

A common scenario involves country-level sites managed by a central team with some in the EU, and some outside. 

The question is, will all the sites be in scope of GDPR as EU visitors may access any of the sites while visiting those countries?

The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations that are operating essential services within the EU. 

The legislation came in on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy providers, transport, banking, financial services infrastructure, health, water and digital infrastructure providers. 

Organisations who operate within these sectors are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.

A cloud service provider of apps and storage for businesses is a data processor. However, that does not mean it is not exempt from appointing a Data Protection Officer (DPO) if the data processed presents potential risks to the rights and freedoms of others, or large scale systematic processing.

Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would be then able to explain that you no longer have personal data related to that subject on your database. That said, anonymised data is very hard to achieve perfectly and leaves some risk unless performed properly.