Solicitors Liverpool

  • Dixons Carphone data hack

    This year in June, Dixons Carphone announced that a major data breach had occurred, estimating that 1.2 million customers were affected by the hack. This number has now risen to 10 million customers who may have had their personal information hacked, including their names, addresses, and email addresses.

    Dixons Carphone announced that no bank details were taken; however, 5.9 million payment cards were accessed, although the majority were protected by chip and PIN.

    The company has expressed regret for any distress caused by the hack, stating they would be apologising to the customers affected in due time. Dixons Carphone chief executive, Alex Baldock, advised that they are working with the top cyber security experts in order to improve security measures, which has involved:

  • absence management

    Maintaining absence management in the workplace is vital, in order to establish guidelines for staff, whether they are absent for short or long-term illness, maternity or paternity leave, or a staff member takes a few days off work of their own accord, without providing a reason why, or may not even inform their employer.

    These absences must be regulated by the employer, in order to maintain order in the workplace.

     The following steps should be taken to achieve quality absence management:

  • Are MAC addresses personal data?

    A media access control (MAC) address of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment.

    On page 11, paragraph 2, the WP29 states "it should be noted that these MAC addresses are personal data, even after security measures such as hashing have been undertaken."

    The CJEU's judgment, in C-582/14 Breyer, refers to dynamically assigned IP addresses. Given MAC addresses can be mimicked or changed, it may seem odd that they are considered personal data. However, there are very good reasons WP29 state MAC addresses should be regarded as personal data:

  • Bankruptcy and winding up proceedings

    When dealing with a statutory demand the creditor can follow the bankruptcy process or winding-up proceedings, although usually as a last resort to assist the creditor with the details of the debtor’s assets. A bankruptcy or winding-up petition is usually filed by a creditor, in the event that the debtor is unable to pay.

    Creditors must be made aware of avoiding an allegation of abuse of process, which occurs when a creditor petitions for bankruptcy or the winding-up process in order to obtain collateral or any other grounds separate from the initial debt. As the new debt that the creditor is claiming for is undisputed, and therefore abuses the bankruptcy process.

  • Binding Corporate Rules

    In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):

    • Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
    • Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

    The tables have been amended to meet the requirements of Article 47 GDPR, in order to clarify the necessary content of BCRs and make the distinction between what must be included in BCRs to be presented to the competent supervisory authority in the BCRs application. The amendments also match the principles with the corresponding Article 47 text references for controller BCRs, as well as providing further guidance on each of the requirements.

  • Grievance procedure

    The question of whether an employer grievance should disrupt disciplinary proceedings is one up for debate, as the answer is not definitive. As all cases are unique, not all grievances cause disruption to disciplinary proceedings: some proceedings are affected by a grievance, whereas others are not.

    In some cases, the Employment Tribunal may decide to suspend proceedings to allow the employer to attend to any grievance issues raised by the employee.

    On other occasions, the disciplinary procedure can run simultaneously with the grievance procedure, as usually the grievance is raised as a response to the disciplinary proceedings brought against the employee. Therefore, the grievance can be dealt with in the disciplinary hearing.

  • changing employment contracts

    Employers should be aware of the risks involved when changing employment contracts. As employers cannot change contracts unilaterally, they should ensure that they adhere to the lawful processes when considering changing the terms of an employee contract.

    An employer should make sure that they go through the correct procedure when making changes to a contract, ensuring that there will be no negative implications for the employee, as they may risk breaching the contract.

    If a breach occurs then the organisation could face extensive damages, as well as unfair constructive dismissal claims.

  • Supporting GDPR Gap Analysis and Audits

     

    Compliance tools for GDPR gap analysis and audits

     There are various tools out there which cover essential elements on a data project, such as data discovery, data mapping and data lineage. Meanwhile, gap analyses tend to be performed by traditional auditing methods, such as reviewing the organisational and process documents and liaising with those departments involved in data processing. 

    Below is a non-exhaustive list of support tools:

  • DATA CONTROLLER

    Where a Controller uses third-party systems to process personal data, the responsibility for consent still lies with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), demonstrating it to the regulator and ensuring it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the Controller’s obligations is key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

  • Corporate statutory demand

    What are the necessary steps to take when an organisation is served a disputed statutory demand?

    When dealing with corporate insolvency, unlike personal insolvency, there is no prescribed process when setting aside a statutory demand. Organisations should also be aware of receiving a winding-up petition, which could tarnish, or even ruin, the most acclimated business, especially if it is advertised.

    The winding-up process is when an organisation must sell all the assets of a business, in order to pay their debts to creditors, followed by allocating any remaining assets to partners or shareholders and then dissolving the business.

  • Data Privacy in Europe and beyond

    The GDPR is not the only new European privacy regulation everyone is talking about. There has been a lot of discussion regarding the ePrivacy Regulation, which deals with e-communication, although technically it is a revised version of the ePrivacy Directive or the ‘cookies law’. The ePrivacy Regulation was initially supposed to be introduced on 25th of May 2018, the same day as GDPR. It has been delayed, but it is still expected to come into effect this year pending review by the European Union’s member states.

    Although some of the changes may appear small, as a whole they will have a huge impact in the long run and will also make organisations more aware of the regulations they must adhere to, which will also align with GDPR requirements.

  • Data protection risk assessment

    A Data Protection Impact Assessment (DPIA) is a procedure which assists you in detecting and minimising data protection risks of a project. You should always complete a DPIA when undertaking tasks of a high risk, usually new tasks or projects.

    In order to conduct an assessment, you can utilize certain applications in order to produce an efficient DPIA.

  • cyber security

    The need for cyber security professionals has increased rapidly this year, which is why the Department for Digital, Culture, Media and Sport (DCMS) has set up a consultation until the 31st August, which will support the National Cyber Security Strategy (NCSS) in developing the cyber security profession further. The consultation caters to a wide-ranging demographic, including cybersecurity specialists, current UK-based organizations for cybersecurity specialists, law enforcement and academia sectors including students and graduates.

    This announcement was made following The Joint Committee for the NCSS’ criticisms regarding the lack of urgency from the government in relation to the critical status of the UK’s cybersecurity infrastructure, as well as critique relating to inequality, with Kamila Hankiewicz, the managing director of Girls In Tech, stating that:

  • employee dismissals  

    An employer should be vigilant when considering an employee dismissal, ensuring that they carry out an essential enquiry into the matter at hand before deciding on a dismissal, as this option should be the last resort.

    Before considering a dismissal, an employer should try to resolve any issues on an informal basis, which could involve a private chat with the staff member in question, before deciding the next steps to take.

    Employers must ensure that they have written rules regarding disciplinary procedures, and that all staff are aware of these rules and procedures.  

  • Disputed debt

    What is the difference between disputed debt and good debt in a statutory demand?

    Disputed debt in a statutory demand is when a creditor attempts to claim debt that the debtor claims is not owed to them, therefore they are not insolvent.

    A good petitioning debt is when the debt is in a liquidated form - which is both specific and agreed - for immediate or future payment whilst the debtor cannot afford to pay the debt.

  • GDPR compliant document handling

    Document management solutions provide:

    • structured organisation and control of documents
    • search
    • document security, audit and versioning
    • the capability to manage retention

    What they are not necessarily capable of is identifying and separating personally identifiable information (PII) from everything else in each document.  

  • GDPR and transferring encrypted data outside of EU

    Recently, there has been discussion regarding whether or not it is GDPR-compliant to transfer encrypted data on applications based outside of the EU. An example of this is Dropbox: as they have US-based servers, if personal data is transferred through the Dropbox system, then technically it has been transferred outside of EU jurisdiction and is no longer GDPR compliant.

    However, personal data sent in this format is usually encrypted and only the necessary individuals are given the encryption key to gain access to the data. So, in this instance, is the transference of the data compliant?

    Although the data may have been transferred outside of the EU, the encryption key is not stored on the cloud servers; therefore there is no identifiable information from the provider. However, there is always a possible risk that a data breach will occur if an unauthorised source obtains the key by force.

  • GDPR AND HR

    From the 25th May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers are obligated to take on new responsibilities, as well as updating their contracts, policies and procedures, in order to maintain compliance under the GDPR requirements.

    This means employers must:

  • GDPR terms and conditions

    The key terms and definitions you need to know:

    Binding corporate rules: personal Data Protection policies adhered to by controller or processor in the Member State for transfer of personal data to controller or processor in third country

    Originally devised by Article 29 Working Party to transfer secure large data internationally while reducing bureaucracy

    GDPR establishes conditions for Member State to establish own binding corporate rules to streamline international transfers.

  • Tenancy Deposit Scheme

    In the wake of the Third Reading of the Tenant Fees Bill, which is due to take place today, the House of Commons have published their briefing paper regarding Tenancy Deposit Schemes. The paper summarises the purpose of the scheme, outlining that all private landlords are obligated to protect their tenants’ deposits through the Tenancy Deposit Scheme. The paper also outlines the main functions of the Tenancy Deposit Schemes, as well as exploring the issues and criticisms surrounding the scheme.

    The main criticisms discussed within the briefing paper, include: non-compliant landlords, prolonged dispute resolution, abuse of the scheme, and resolute loopholes.

    There have been further criticisms of the current Tenancy Deposit Scheme, with the Consumer Association group Which? labelling the scheme “broken”, due to the prolonged re-payments of deposits to tenants.
