Category Archives: Data Protection Act 1998

Last week, as part of Olswang's GDPR readiness and Talking Retail webinar series, lawyers from the firm's data protection and retail sector teams hosted a webinar looking at the implications of the GDPR on the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
  • Targeted and non-targeted advertising
  • Privacy policies
  • Processing customer payment details
  • Post purchase analysis
  • Data breaches
  • GDPR implementation
The webinar was hosted by Katie Nagy de Nagybaczon, a partner in the Corporate Team, who focuses on the retail, eCommerce and technology sectors. The two speakers were:
  • Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
  • Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
Please follow this …
The Information Commissioner's Office (ICO), the UK's data protection regulator, is cracking down on the online gambling sector's use of personal data to promote online gambling. It has contacted around 400 companies to threaten them with fines of up to £500,000 if they are found to be collecting and using personal data for marketing in a manner which does not comply with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). In its press release, the ICO said it is writing to over 400 companies, all believed to be egaming marketing affiliates, demanding they set out how they use people’s personal details and send marketing texts, including where they got people’s personal information from and how many texts they sent. What is the ICO worried about? The ICO has expressed concern that the prolific use of affiliate marketing is resulting in a lack of accountability, …
What is the new code and what does it recommend? On 7 October 2016 the Information Commissioner's Office (ICO) published a new code of practice on privacy notices, following its consultation back in February of this year. It provides guidance to organisations on how to make privacy notices more engaging and effective for individuals while emphasising the importance of greater choice and control over what is done with their data. The ICO has also published a useful checklist of the information that needs to be included in the privacy policy. You can check the ICO's privacy notice checklist here. The code rightly states that current privacy notices tend to be "too long, overly legalistic, uninformative and unhelpful" and recommends a blended approach. It encourages the use of different techniques, such as a just-in-time message informing the data subject why their email is needed or a short video explaining how …
Security breaches always get a lot of press attention, but to date there haven't been that many large fines imposed by the Information Commissioner's Office (the "ICO") in the UK. However, last week saw a big one (although some have questioned whether it is big enough), with TalkTalk being given a record GBP400,000 penalty due to a violation of the DPA's seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk's failure to give notice to the regulator in due time, which we reported on: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/. This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015 exploiting vulnerabilities in certain webpages. Personal data of 156,959 customers, including financial information, was impacted, with the attacker accessing the personal data of all of the customers along with the bank account numbers and sort codes of 15,656. When imposing …
Olswang has just published the latest edition of the Cyber Alert, a regular round-up of regulation, best practice and news from our international cyber breach and crisis management team. There is a great deal to report since our last update in October 2014. In February, the Olswang team visited our friends in the US, co-hosting a cyber workshop in Silicon Valley and presenting to the Los Angeles chapter of the IAPP on the latest status of the General Data Protection Regulation. You can read our December 2014 status update on the draft Regulation, which includes an analysis of data breach notification, here. In this edition:
With headlines frequently reporting large-scale cyber attacks, the UK’s cybersecurity measures – and their weaknesses – are under constant scrutiny and criticism. Yet many businesses fail to give sufficient priority to cybersecurity. The City of London Police Commissioner has claimed that businesses will not properly focus on cybersecurity until a cyber attack causes a major global company to cease trading. In the same speech, the Commissioner said that he believed the UK Government is doing “all it can” to address the threat. Defending against the menace of cyber attack cannot be achieved by any government on its own. The private sector and wider public sector will have to take their share of responsibility to help secure the digital resources of the UK. Nevertheless, it certainly helps the cause to have strong leadership from government. In this article we consider whether the UK Government really is doing all it can to promote the …
UK standards and benchmarks