10 tips to prevent email errors

November 2025

It’s confession time. I recently copied the wrong person on an email. Same first name, different surname. Thankfully, it was easily resolved. But for someone in my line of work? Shameful. It’s like a chef putting ketchup on a pasta dish. Nonetheless, I decided to try my best to learn from the experience. Which got me thinking about two issues in particular:

a) Email errors are not just one of the major causes of personal data breaches, but also downright awkward even where there’s no personal data risk. They can lead to sharing commercially sensitive information, or opinions. They can breach client trust.

b) What are the best ways of reducing instances of human error?

I know I’m not alone. Other data protection folk have admitted making the occasional mistake too. A good friend of mine once accidentally sent an email to a client – not a data breach but she did lose the client. I’ll also never forget receiving an email and finding myself reading a fellow colleague’s rather disparaging views about my team.

Of course, there are the frequent data breaches – often small, sometimes big, caused by matters like emailing the wrong recipient, or using the CC field for multiple recipients.

Yet, for many, it’s ‘just one of those things.’ Oops! Then the embarrassment fades… until next time. So is it really enough to keep reminding people to double check before sending? Won’t there always be times when we’re overworked, dashing to go on holiday, or distracted by personal issues? Is it good enough to rely on recall features? Probably not, when in practice they’re often completely ineffective.

People will continue to make mistakes. To err is human.

What else can we do?

10 email tips

Here are a few suggestions for reducing the risk.

1. Disable or restrict auto-fill
Yes, auto-fill is a handy way to quickly go through our address book and predict who we want to email. Nonetheless, it sometimes chooses the wrong person… and we don’t notice. This is what got me. I’ve disabled this feature, and shouldn’t have had it enabled in the first place. I am now very content to spend a couple of seconds finding the correct email address.

2. Avoid email altogether
Encourage (or insist) that staff who need to share attachments, personal data or any other sensitive information use links to protected SharePoint folders/files rather than using email.

3. Attachments
Use software to prevent or restrict any email containing an attachment.

4. Detect personal data
If 3 is a step too far, look at using software which can automatically detect personal data in attachments or email content and prevent it from being sent – or prompt people to check they really want to send.

5. External recipients
Implement user prompts for external email recipients – ‘are you sure you want to send this externally?’

6. Multiple recipients
Use controls to alert users if they’re emailing multiple recipients using the CC field – prompting them to use BCC. Alternatively for teams who routinely send emails using BCC, use a bulk mail solution.

7. Delay on send
How often do you spot an error just after you’ve sent an email? Setting up a delay on send for your staff gives people a chance to correct their mistakes.

8. ‘Reply to All’
Set an alert if people are about to reply to all, prompting them to check whether this is appropriate.

9. Revoke access after sending
Some more advanced email security solutions give you the ability to recall or revoke access to an email and its attachments, even after it hits the recipient’s inbox.

10. Email review
Where teams are responsible for routinely sending sensitive information by email, and there’s no alternative, have a review process so someone else checks before sending.

It’s worth checking what controls are available on your email system or looking at additional software solutions. Some of the prompts mentioned above are available using Outlook’s MailTips.
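The prompts in tips 3 to 6 and 8 can be thought of as one pre-send policy check. The Python below is an added illustration, not code from this article or from any mail product: it parses a constructed outbound message and returns the findings a mail gateway or Outlook add-in would prompt the user about. The internal domain `example.org`, the CC threshold of 5 and the deliberately simplified personal-data patterns are assumptions.

```python
"""Pre-send policy checks for an outbound email (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.org"}   # assumed: the organisation's own mail domain(s)
CC_THRESHOLD = 5                     # assumed: CC recipients at which to suggest BCC

# Deliberately simplified, constructed patterns; a real DLP engine uses far richer detection.
PERSONAL_DATA_PATTERNS = {
    "uk_national_insurance": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def _addresses(msg, header):
    """Lower-cased addresses from every instance of a recipient header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_outbound(raw):
    """Return a dict of findings; an empty dict means the message can go without prompts."""
    msg = message_from_string(raw)
    findings = {}
    to, cc, bcc = (_addresses(msg, h) for h in ("To", "Cc", "Bcc"))

    # Tip 5: anyone outside our own domain(s) counts as external.
    external = sorted({r for r in to + cc + bcc if r.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS})
    if external:
        findings["external_recipients"] = external

    # Tip 6: many visible CC recipients -> suggest BCC or a bulk mail tool.
    if len(cc) >= CC_THRESHOLD:
        findings["cc_count"] = len(cc)

    # Tip 3: attachments present.
    attachments = [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
    if attachments:
        findings["attachments"] = attachments

    # Tip 4: look for personal data in the body and in any text attachment.
    text = "".join(
        p.get_payload(decode=True).decode("utf-8", errors="replace")
        for p in msg.walk() if p.get_content_maintype() == "text"
    )
    hits = [name for name, pat in PERSONAL_DATA_PATTERNS.items() if pat.search(text)]
    if hits:
        findings["personal_data"] = hits

    # Tip 8: a reply going to more than one person looks like 'reply all'.
    if msg.get("In-Reply-To") and len(to) + len(cc) > 1:
        findings["reply_all"] = True
    return findings


def prompts(findings):
    """Turn findings into the questions a user would be asked before the message leaves."""
    wording = {
        "external_recipients": "This message goes outside the organisation to {}. Send anyway?",
        "cc_count": "{} people are in CC and will see each other's addresses. Use BCC?",
        "attachments": "Attachments {} are included. Could a link to a protected folder replace them?",
        "personal_data": "Possible personal data found ({}). Do you need to send it?",
        "reply_all": "This reply goes to everyone on the thread. Is that intended?",
    }
    return [wording[k].format(", ".join(map(str, v)) if isinstance(v, list) else v)
            for k, v in findings.items()]


# Constructed outbound message that trips every check at once.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.org, Carol Smith <carol.smith@partner.example.com>
Cc: d1@example.org, d2@example.org, d3@example.org, d4@example.org, d5@example.org
In-Reply-To: <thread-1@example.org>
Subject: Re: New starter details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Hi all, the NI number is AB123456C and the mobile is 01632 960123.
--BOUNDARY
Content-Type: text/csv; name="members.csv"
Content-Disposition: attachment; filename="members.csv"

name,email
Jo Bloggs,jo@example.net
--BOUNDARY--
"""

# Constructed internal one-to-one message that should pass silently.
CLEAN_MESSAGE = "From: alice@example.org\nTo: bob@example.org\nSubject: Lunch\n\nSee you at 1pm.\n"

if __name__ == "__main__":
    for question in prompts(check_outbound(SAMPLE_MESSAGE)):
        print(question)
```

Each finding maps to one of the prompts above rather than to a hard block, which matches the article's point: the aim is to make the person pause at the moment they are most likely to be on autopilot, while tip 3's outright restriction on attachments would be the stricter policy layered on top.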

Of course training, continually raising awareness and clear rules all play their part. Making sure your people know how you expect them to behave is crucial.

It also needs to be clear what action people should take when they’ve made a mistake. Are staff permitted to try and rectify this themselves, or does it always need to be immediately reported? The steps you expect your staff to take need to be easily understood and reinforced in training and culture. This also means supervisors should lead by example.

I’m a fan of quick reference guides supporting more detailed policies and procedures. In this case, a ‘golden rules for emails’ on one page, in plain English, with the rules and clear steps for what to do when things go wrong. Laminate it, turn it into posters – do whatever works to get the message home.

Ultimately, mistakes are inevitable. What isn’t inevitable, though, is the impact mistakes have once the ‘send’ button’s been hit. Every little step taken to mitigate email errors lessens the impact when one inevitably slips through the net. Most of us, after all, recognise the occasional mistake will occur. The problem is if they happen too often, it can undermine confidence in your people, your organisation and your brand.

UK Cyber Security Bill introduced to Parliament

November 2025

“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life.

I’m sending them a clear message: the UK is no easy target”.

Liz Kendall, Science, Innovation and Technology Secretary

New legislation has been introduced to Parliament which aims to strengthen the UK’s defences against cyber-attacks. The Cyber Security and Resilience (Network and Information Systems) Bill will reform and expand the scope of the existing Network and Information Systems (NIS) Regulations 2018.

This Bill is specifically aimed at targeting organisations which will have the most impact on improving the nation’s cyber resilience. It follows repeated warnings about the significant cyber-threat facing all organisations, along with new research published by the Government which estimates cyber-attacks cost the UK economy nearly £15 billion a year.

The Government says this new legislation is designed to bolster UK protections across essential public services such as healthcare, transport and energy against the threat of cyber criminals and state-backed actors.

Expanded scope

A range of companies which provide services critical to the UK’s national infrastructure will be regulated for the first time. It’s recognised that while the 2018 NIS Regulations cover services like the NHS, transport system and energy network, cyber criminals have been increasingly exploiting vulnerabilities in critical parts of supply chains.

For example, medium and large companies providing data centres, IT management, IT helpdesk support, AI development, payment services, email services and so on, will have new clearly defined duties. This is likely to include, but not be limited to, enhancing baseline protections, reporting significant cyber incidents promptly and having robust plans in place to deal with the consequences.

Many hospitals, councils, retailers and others rely heavily on external companies to support and deliver their services. A case in point is the company providing software services to the NHS which was fined by the ICO earlier this year following a cyber attack which disrupted critical services (see ‘ICO fines software company £3 million after cyber-attack’ below).

“Large load controllers” will also be brought into the scope of cyber regulations, for example, organisations which manage electrical load for smart appliances.

New regulatory powers

The Bill is expected to give new powers to regulators to designate critical suppliers to the UK’s essential services. Examples given in the Government’s announcement include companies “providing healthcare diagnostics to the NHS or chemicals to a water firm, where they meet the criteria”.

Twelve regulators, including the ICO, are responsible for implementing the NIS Regulations, and the Bill aims to build a more consistent and effective regime, with a stronger mechanism for Government to set priority outcomes for regulators and a more robust ‘toolkit’ for sharing information, recovering costs and enforcement.

Tougher penalties

The maximum financial penalty will be amended to enable potentially higher fines for serious violations of the law. Turnover-based penalties, similar to UK GDPR, could be introduced. The hope is bigger penalties will push companies into complying rather than ignoring requirements.

This new Bill follows the Government’s Cyber Governance Code of Practice, which was published earlier this year and sets out the steps organisations must implement to manage digital risks and safeguard their day-to-day operations.

Implementation

The Government says it plans a ‘sequenced approach to implementation’ with some of the Bill’s reforms taking effect as soon as possible, while also giving affected businesses and regulators time to plan and prepare. Some aspects of the Bill’s proposals will require secondary legislation before taking effect.

For more detail see the Government’s Summary of the Bill.

Key takeaways from Capita’s £14 million ICO fine

October 2025

“Cyber criminals don’t wait, so businesses can’t afford to wait either – taking action today could prevent the worst from happening tomorrow.” John Edwards, UK Information Commissioner

The ICO has hit Capita (Capita plc and Capita Pensions Solutions Ltd) with a combined £14 million fine following a cyber-attack in 2023. Capita avoided a much bigger fine by admitting liability, promising not to appeal and taking mitigating actions. 6.6 million people were affected by the data breach and 325 organisations who used Capita Pensions for their pension schemes were also impacted.

What can other organisations, big and small, learn from this case?

What went wrong?

In summary:

The attack began when an employee unintentionally downloaded a malicious file giving the hackers access to company systems.
This triggered a security alert after just 10 minutes, but Capita took a further 58 hours to quarantine the compromised device.
Criminals were given enough time to deploy malicious software onto the Capita network and were able to move laterally across Capita’s system, exfiltrating data including special category data, financial and criminal records.
Nine days after the attack, ransomware was deployed onto Capita systems. All user passwords were reset, preventing staff from accessing their systems and network.

Let’s not forget it’s always easy to see the mistakes in hindsight.

Key ICO findings

The ICO investigation found Capita failed to implement appropriate technical and organisational measures, as required under UK GDPR, to safeguard and protect the data they held. This included:

Failure to prevent privilege escalation and unauthorised lateral movement – effective privilege access management or Active Directory tiering had not been implemented.
Failure to remedy known vulnerabilities – the above vulnerabilities had been flagged up on at least three previous occasions, but had not been addressed.
Failure to respond appropriately to security alerts – the Security Operations Centre was found to be understaffed and in the six months before the incident was falling well below internal target response times for security alerts.
Inadequate penetration testing and risk assessment – systems processing millions of records were not always subject to routine penetration tests. Where penetration tests had taken place, the findings were siloed within business units and not addressed universally.

Key mitigating actions taken

Originally the ICO indicated a more substantial fine of £45 million. However, Capita was able to reduce this by taking mitigating actions including:

a) Significant investment to improve its information security architecture
b) Support for those affected by the breach, including a dedicated call centre and credit monitoring services
c) Active co-operation with the ICO and the National Cyber Security Centre (NCSC).

5 key takeaways

1) Implement privilege access management or Active Directory tiering

This case underscores the importance of implementing robust access controls and applying the ‘Principle of Least Privilege’ across all systems holding personal or otherwise confidential / sensitive data. Employees (and other workers) should only have the minimum access rights needed to perform their role.

This will help to prevent hackers who gain access from being able to move laterally around your systems.

In simple terms, Privileged Access Management (PAM) is a set of security strategies which control and monitor access across your IT environment. Its aim is to prevent unauthorised access or misuse of high-level accounts, apps or services. Active Directory tiering, as the name suggests, creates administrative tiers based on the sensitivity of different assets.

2) Fix known vulnerabilities, and pronto!

This case highlights how known vulnerabilities must be prioritised. Don’t put them in the ‘too difficult tray’. Make sure you have adequate budget and resources to remedy them.

3) Implement routine penetration tests

Penetration tests at Capita had flagged high-risk issues before the attack took place. If these had been addressed? Well, I might not be writing this article.

4) Create a robust information security incident plan

Despite having an internal target of ‘one hour’ to respond to high priority alerts, Capita took 58 hours to contain the incident. A robust incident plan isn’t a nice to have, it’s a must have. Response times and service levels must be met. This will go a long way to help making sure any response to a significant incident is as effective and efficient as possible. Where possible practice your plan, review it and tinker with it. Be sure to make it clear which roles are responsible for what and when.

Organisations are also being advised to have paper copies of their critical incident documentation in case electronic systems can’t be accessed (see ‘Combatting the cyber threat’ below).

5) Keep raising awareness

You simply can’t do too much to alert your people to the risks of increasingly sophisticated malicious attacks. Don’t just rely on annual training, keep pressing the message home via internal communications, town halls, posters – whatever works best.

This case serves as a massive reminder there are proactive steps we can take to reduce security risks. We’ve seen how devastating attacks can be for organisations such as Capita, M&S, JLR and the Co-op. In some cases, a significant cyber-attack will completely bring a company to their knees.

The ICO has published resources to help, including guidance on protecting systems from ransomware attacks. The National Cyber Security Centre (NCSC) has recently launched a new Cyber Action Toolkit specifically aimed at small businesses.

Combatting the cyber threat

October 2025

How small-to-medium sized organisations can mitigate cyber risks

“Cyber security is now a matter of business survival and national resilience”
“Hesitation is a vulnerability”
National Cyber Security Centre (NCSC)

The NCSC’s Annual Review contains stark warnings, revealing the UK is experiencing four “nationally significant” cyber-attacks every week. But big business and critical national services aren’t the only targets. Hackers increasingly have their eyes on small to medium sized organisations including smaller charities, schools, law firms and local businesses. The NCSC says 1 in 2 UK small businesses identified a cyber-attack last year.

Often small businesses or other smaller organisations don’t have the budget for specialist internal cyber/information security teams or even one dedicated specialist security role. Many rely on outsourced IT specialists to manage their systems and keep them secure.

Who’s behind the attacks?

A substantial proportion of all incidents handled by the NCSC last year were linked to Advanced Persistent Threat (APT) actors – either nation-state actors or highly capable criminal groups. The finger’s often pointed at Russia and China, but there’s also been an increase in teenage hacking gangs from English-speaking countries. This year alone seven teenagers have been arrested in the UK during investigations into major cyber-attacks.

What action to take

Cybersecurity is a challenging, occasionally intimidating, subject. Which means it’s often tricky for smaller organisations to know where to start, or what extra measures should be taken. Here, then, are a few helpful resources and tips.

Cyber Action Toolkit

This new free Government service has been launched specifically to help small organisations implement foundational controls. It’s been designed to be simple and easy to follow, even if you’re new to cyber security. Using the toolkit will give you:

A list of personalised actions
A step-by-step approach – “starting with low-effort, high-impact actions”
The ability to build layers of protection around your business which prevent common threats such as email hacking and ransomware.

Cyber Essentials

Alongside the new toolkit, businesses are urged to implement Cyber Essentials. This helps protect your operations from the most common types of cyber-attack. Here at DPN we’re a micro business: we went through the steps to become Cyber Essentials certified. We’d encourage you to do the same, it’s worth the effort to give you peace of mind.

The certification scheme includes automatic cyber liability insurance for any UK organisation who (a) certifies their whole organisation and (b) has less than £20m annual turnover.

Physical copies of your cyber-attack plans

Following high-profile cyber incidents and the rising threat, the Government has written to the chief executives and chairs of all FTSE350 companies, stressing the importance of ensuring cyber resilience is a board-level responsibility. This includes some sound advice – organisations should have physical copies of their plans. A cyber-attack could leave you unable to access your systems, so an electronic copy of your cyber incident plan may be useless.

This is wise advice for any size of business! This should include all contingency plans, including how teams will communicate until normalcy is restored.

If anyone’s seen the TV series ‘Billions’, there’s a brilliant episode where Axe Capital’s computer systems are temporarily unavailable. The old schoolers dust off their Filofaxes and ancient Nokia dumb-phones to continue trading.

This isn’t doomsday or zombie apocalypse stuff – it’s becoming as common as burglary. Businesses need to be prepared for operating without business critical electronic systems.

Another option is to have a ‘shrink-wrapped’ isolated, non-networked laptop, unconnected to any of your systems, on which you store critical plans.

11 more security tips

  1. Backups – make sure you have regular off-site backups of business-critical data, enabling speedier recovery from an attack. Make sure these backups can be restored quickly.
  2. Business continuity plan – make sure this is up to date (and keep a physical copy!)
  3. Multi Factor Authentication – this is a ‘must have’ wherever possible to protect personal or any other sensitive data, from your website to your CRM and crucially on financial or administrative accounts.
  4. Firewalls – deploy firewalls to protect your network from threats.
  5. VPNs – use a Virtual Private Network for employees accessing your network externally.
  6. Secure Wi-Fi – use strong encryption and a complex password for your wi-fi network. Don’t just use the default password provided.
  7. Protect against malware – use up-to-date anti-virus and anti-malware software on all business devices.
  8. Update software – promptly install security patches and updates for all devices and software, including router firmware. Where possible enable automatic updates.
  9. Access controls – make sure there are robust access controls – an extra layer of protection may be a hurdle some cyber-criminals might be unable to penetrate.
  10. Strong passwords – implement the use of strong passwords for all accounts. If you aren’t already, consider using a password manager.
  11. Grow your knowledge – some smaller organisations may have an outsourced IT provider or be doing it all in house – you need to know enough to ask the right questions – assign at least one person to be the internal ‘specialist’.

It’s worth checking out the ICO ransomware and compliance guidance which provides information on how to best protect systems.

As the NCSC says ‘hesitation is a vulnerability’ – don’t put this off. Don’t get bogged down in meetings deciding on the best course of action. Make a start today. Now.

Rising cyber threats but data breaches aren’t always obvious

The UK Government and National Cyber Security Centre have issued warnings about significant and growing cyber threats, with the expectation of increased ransomware attacks, state-sponsored cyber activity and sophisticated cybercrime. Do take heed: the retail sector has already seen a number of damaging attacks.

Sometimes, it’s obvious a data breach has taken place. However, this isn’t always the case, especially when cyber criminals take steps to cover their tracks. A recent example illustrates the consequences for organisations who fail to fully appreciate the significance of a malicious attack.

The ICO has issued a £60k fine to law firm DPP, following a 2022 cyber-attack. The attack led to highly sensitive and confidential personal information being published on the dark web. The ICO investigation discovered lapses in IT security practices, leaving information vulnerable to unauthorised access. Hackers were able to exploit a user account which did not have Multi-Factor Authentication (MFA), enabling them to move laterally across the firm’s systems.

Let’s be clear; MFA is now a must have on all relevant data systems.

Announcing the fine, the ICO said: “DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.”

A personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ That’s a broad scope.

The ICO enforcement notice accepts actions taken by the attackers made DPP’s response to the incident difficult. Unfortunately, DPP’s initial assessment indicated no personal data had been exfiltrated and didn’t consider loss of access to personal data to be a breach – therefore the firm didn’t report it.

You can check out the full enforcement notice, but bear in mind it’s reported DPP disputes some of the ICO’s conclusions and may appeal.

Any organisation suffering a cyber-attack has my sympathy. Attacks are becoming more frequent, sophisticated and harder to track. They can severely disrupt day-to-day operations. Ascertaining the cause and consequences of an attack can be difficult. Indeed, in some cases the consequences might never be clearly established. And when it becomes public knowledge the organisation needs to work decisively, not just to get operations back up and running and mitigate any harms to those affected, but also manage PR.

As I write, we’re witnessing M&S battle a significant ransomware attack, which has left store shelves empty. Cyber criminals have also reportedly told the BBC their attack on the Co-op is more serious than the company had previously admitted.

Organisations are legally required to report personal data breaches to the ICO (or another relevant Data Protection Authority) within 72-hours of becoming aware, unless there is unlikely to be a risk to individuals. When it comes to ransomware attacks, it may be best to assume that (more likely than not) personal information is affected. The ICO states in a research paper; ‘If you become a victim of ransomware, you should assume the information has been exfiltrated (extracted).’

In other words, it would be wise to submit an initial data breach report. It’s understood you won’t know all the facts immediately and you may need to bring in digital forensics expertise. In this situation, you can submit an initial report and update the Regulator when more facts become known. The risk can subsequently be upgraded or downgraded as you continue your investigations. We’ve written more about how to assess the risks posed by a data breach here.

It’s important, even for small-to-medium sized businesses, to have sufficient knowledge about what constitutes a personal data breach, and the threats we all face. Here’s a refresher of some common ways a personal data breach can occur.

Cyber security incidents

We often hear about ransomware attacks where hackers gain unauthorised access to databases, exfiltrating or altering personal information, and making a demand for payment. There are also other forms of malicious attack, such as:

■ Brute force – this is where hackers use algorithms to ‘guess’ username and password credentials, testing multiple combinations to try to gain access to user accounts. It’s understood this is how hackers initially got into DPP Law’s systems. Clearly, these attacks are more successful when passwords are easy to guess and when MFA is not in place.

■ Denial of Service (DoS) – this works by overloading a computer network or website and can result in a degrading of performance, or render the system completely inaccessible. DoS attacks may result in full or partial loss of access (availability) to personal data records. And as we said above, that’s classed as a data breach.

■ Supply chain attacks – these attacks target vulnerabilities in third-party services your organisation is using. In 2023 the BBC, British Airways and Boots were among many organisations impacted by the well-publicised MOVEit supply chain breach. More recently the ICO issued a £3 million fine to an IT software company which provided services to many UK organisations including the NHS.

■ Phishing – this is when criminals use scam emails to trick people into clicking on a malicious link. Phishing attacks can trick people into sharing sensitive information, such as payment card details or login credentials. As well as email, phishing can be spread via text messages or over the phone.
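Brute-force attempts of the kind described above leave a recognisable trail in authentication logs, and spotting that trail quickly is what buys the time to lock an account or enforce MFA. As an added illustration from the defender’s side (not part of the original post), the Python below runs a simple detection over a few constructed log lines: it counts failed logins per source address and per account inside a sliding window, flags a source that fails against several different accounts (password spraying), and raises the most urgent alert when a successful login follows a burst of failures. The log format, the thresholds and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses (documentation ranges) are all assumptions.

```python
"""Brute-force and password-spray detection over auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO timestamp>Z auth LOGIN_OK|LOGIN_FAILED user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"(?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # assumed: failures per source or per account in the window
SPRAY_USERS = 3                # assumed: distinct accounts one source fails against
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["event"], m["user"], m["src"]


def _prune(dq, now):
    """Drop timestamps that have fallen out of the sliding window."""
    while dq and now - dq[0] > WINDOW:
        dq.popleft()


def detect(lines):
    """Return alerts as (kind, subject, timestamp) tuples, each raised once per subject."""
    fails_by_src = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    users_by_src = defaultdict(dict)   # src -> {user: time of last failure}
    alerts, raised = [], set()

    def raise_once(kind, subject, ts):
        if (kind, subject) not in raised:
            raised.add((kind, subject))
            alerts.append((kind, subject, ts.strftime("%Y-%m-%dT%H:%M:%SZ")))

    for ev in map(parse_line, lines):
        if ev is None:
            continue
        ts, event, user, src = ev
        _prune(fails_by_src[src], ts)
        _prune(fails_by_user[user], ts)
        if event == "LOGIN_FAILED":
            fails_by_src[src].append(ts)
            fails_by_user[user].append(ts)
            users_by_src[src][user] = ts
            if len(fails_by_src[src]) >= FAIL_THRESHOLD:
                raise_once("brute_force_src", src, ts)
            if len(fails_by_user[user]) >= FAIL_THRESHOLD:
                raise_once("brute_force_user", user, ts)
            recent = [u for u, t in users_by_src[src].items() if ts - t <= WINDOW]
            if len(recent) >= SPRAY_USERS:
                raise_once("password_spray", src, ts)
        elif len(fails_by_user[user]) >= FAIL_THRESHOLD or len(fails_by_src[src]) >= FAIL_THRESHOLD:
            # A success straight after a burst of failures is the alert to act on first:
            # the guess may have landed, and without MFA nothing else stands in the way.
            raise_once("success_after_failures", user, ts)
    return alerts


# Constructed log: a burst against one account that then succeeds, one source trying
# three different accounts, one user mistyping a password once, and a non-auth line.
SAMPLE_LOG = """\
2025-10-01T09:00:00Z auth LOGIN_FAILED user=alice src=203.0.113.5
2025-10-01T09:00:02Z auth LOGIN_FAILED user=alice src=203.0.113.5
2025-10-01T09:00:04Z auth LOGIN_FAILED user=alice src=203.0.113.5
2025-10-01T09:00:06Z auth LOGIN_FAILED user=alice src=203.0.113.5
2025-10-01T09:00:08Z auth LOGIN_FAILED user=alice src=203.0.113.5
2025-10-01T09:00:10Z auth LOGIN_OK user=alice src=203.0.113.5
2025-10-01T09:05:00Z auth LOGIN_FAILED user=bob src=198.51.100.7
2025-10-01T09:05:01Z auth LOGIN_FAILED user=carol src=198.51.100.7
2025-10-01T09:05:02Z auth LOGIN_FAILED user=dave src=198.51.100.7
2025-10-01T09:30:00Z auth LOGIN_FAILED user=erin src=192.0.2.9
2025-10-01T09:30:15Z auth LOGIN_OK user=erin src=192.0.2.9
this line is not an auth event
"""

if __name__ == "__main__":
    for kind, subject, when in detect(SAMPLE_LOG.splitlines()):
        print(when, kind, subject)
```

The single mistyped password from erin raises nothing, which is the point of counting inside a window rather than alerting on every failure; the alert worth escalating is the success for alice after five failures, and the response it calls for (lock or re-verify the account, then turn on MFA if it wasn't already) is exactly what the DPP Law case shows was missing.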

I’d urge you to read the ICO’s Learning from the Mistakes, which provides detailed information on the types of cyber-attacks organisations can suffer and ways to mitigate the risk.

Loss or theft of devices or hard copy documents

This is pretty self-explanatory; a smartphone, laptop or other device containing personal data is lost or stolen. When devices are not encrypted this can lead to the exposure of potentially sensitive personal information. Alternatively, a data breach can occur when physical documents are lost or stolen.

Disclosure of personal information

This type of incident can occur in a number of different ways, for example:

An email sent to the wrong recipient(s).

Accidentally using the CC field in emails for multiple recipients, thereby revealing their email address to all recipients. In some cases this can just be embarrassing, but in others like the Central YMCA breach much more serious.

Information is posted to the wrong person, such as a hospital sending medical records by post to the wrong recipient.

Publishing confidential information on a public website.

Sharing personal data with unauthorised third parties.

Unauthorised Disclosure

This type of incident may occur due to a malicious attack such as ransomware, or it may be an insider breach, as illustrated by these cases:

In 2023 two former Tesla employees leaked confidential and personal information relating to employees and customers.

Back in 2014 a Morrison’s employee leaked his colleagues’ payroll details in what was seen as an act of revenge after being given a verbal warning. A case which resulted in years of legal wrangling over whether Morrison’s was liable for the actions of a rogue employee.

This type of incident also includes ‘employee snooping.’ For example, a member of staff with access to a customer database browses the personal data of others without a legitimate business purpose. Or a police officer or council official looks up and discloses information without authority.

Improper disposal of records

Insecure disposal of electronic or paper records might lead to a data breach. For example, if a company disposes of old paper files containing customer details without shredding them, and a third party finds them.

The above is by no means an exhaustive list, but provides those less experienced in data breaches with a steer on what risks to be aware of.

Not all security incidents will be personal data breaches; they could involve commercially sensitive information, but no personal data. While these don’t need to be reported if they meet a certain threshold, they still have the potential to cause considerable fallout.

Privacy violations

In other circumstances there may be a violation of data protection law, which is not a data breach. As an example, I’ve been asked before whether it’s necessary to report an email marketing campaign accidentally sent to customers who’ve unsubscribed as a breach. While a clear violation of the right to object to direct marketing, this doesn’t represent a breach of security: there’s been no destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The individuals’ personal data remains secure. Efforts therefore need to focus on trying to minimise the risk of complaints escalating, and making sure this never happens again.

To conclude, the DPP Law case is instructive; it’s not a big company, employing fewer than 250 people, but it handles highly sensitive information relating to its clients. The attack suffered sends a clear message: any business can fall victim to cyber-attacks and personal data breaches. The more sensitive the data your organisation handles, the more damaging a breach could be. Not only must cyber security be treated as a priority, but so must robust data breach procedures to guide your team through any potential attack.

ICO fines software company £3 million after cyber-attack

First UK processor fine is a stark reminder of supply chain risks

The Information Commissioner’s Office has fined Advanced Software Group Ltd (Advanced) £3.07 million following a cyber-attack in 2022 which put the personal information of nearly 80,000 people at risk. This marks the first fine issued under UK GDPR to a processor.

Advanced, which provides IT and software services to organisations including the NHS, was found to have failed to implement appropriate technical and organisational measures to protect its systems.

In the ransomware attack, hackers managed to access certain systems of Advanced’s health and care subsidiary. This was done via a customer account, which notably did not have Multi Factor Authentication (MFA). The attack caused massive disruption to critical NHS services and healthcare staff were left unable to access patient records. Advanced was found to have insufficient measures in place, including:

Gaps in deployment of Multi Factor Authentication
A lack of mature vulnerability management scanning mechanisms
Inadequate security patch management

A provisional fine of £6.09 million was reduced to £3.07 million after Advanced’s proactive engagement with the National Cyber Security Centre, the National Crime Agency and the NHS. Advanced has agreed to pay the fine without appeal. You can read the ICO enforcement notice here.

Key learnings from this case

This action serves as a timely reminder for both controller organisations and service providers to make sure robust measures are in place to protect personal data and ensure systems are secure throughout the supply chain.

Supplier due diligence

While this fine has been imposed on a processor, organisations which engage other parties to provide services have a duty to make sure they work with suppliers who can demonstrate robust standards in data protection and information security.

In our experience, controllers need to make sure they’re asking the right questions before they onboard any new supplier who’d be processing personal data on their behalf – whether this be cloud computing providers, SaaS solutions or other technology providers. To give a simple illustration:

Do they have a DPO or another individual in the business who oversees data protection compliance?
Do they have an Information Security Officer, or other related role?
Can they provide evidence of data protection and info sec policies and procedures?
Have they experienced a data breach before?
What information security measures do they have in place?
Are security measures regularly tested, and how?

Suppliers, for their part, need to be prepared to meet clients’ due diligence requests, including being able to provide detailed information on data location(s) and the security measures and controls in place to protect client data.

We’d stress that a proportionate, risk-based approach should be taken to this: the more sensitive the data, the more robust the checks should be.

Seven quick information security tips

1. Restrict access to your data and services and use Multi Factor Authentication where possible
2. Choose secure settings for your network, devices and software
3. Protect yourself from viruses and other malware
4. Keep your devices and software up to date
5. Keep logs and monitor them
6. Restrict or prevent use of USB / memory drives
7. Back up your data
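As an added example (not part of this article, the ICO notice or any NCSC guidance), the Python script below shows what tips 1 and 5 look like when acted on together: it reads constructed authentication log lines in an assumed key=value format, plus an assumed MFA enrolment export from an identity provider, and reports successful logins from outside the internal networks that used no MFA factor, along with accounts that have no MFA enrolled at all. The log format, field names, network ranges and sample values are all assumptions made for the illustration.

```python
"""Added example (not from the article or the ICO notice): audit constructed
authentication logs for external logins that succeeded without MFA, and for
accounts with no MFA enrolment. Log format and field names are assumptions."""

import ipaddress
import json
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
ts=2025-03-01T08:01:12Z user=alice src=203.0.113.10 result=success mfa=totp
ts=2025-03-01T08:03:44Z user=bob src=10.0.0.23 result=success mfa=none
ts=2025-03-01T08:05:01Z user=customer-support src=198.51.100.7 result=success mfa=none
ts=2025-03-01T08:06:30Z user=carol src=198.51.100.9 result=failure mfa=none
ts=2025-03-01T08:07:10Z user=customer-support src=198.51.100.7 result=success mfa=none
ts=2025-03-01T08:09:55Z user=dave src=192.0.2.44 result=success mfa=push
"""

# Constructed MFA enrolment register (e.g. an export from the identity provider).
MFA_ENROLMENT = {
    "alice": True,
    "bob": False,
    "carol": True,
    "customer-support": False,
    "dave": True,
}

# RFC 1918 ranges count as internal; any other source is an external connection.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one key=value log line into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"ts", "user", "src", "result", "mfa"}
    return fields if required.issubset(fields) else None


def is_external(src):
    """True when the source address is outside the internal ranges (fail closed on junk)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_unprotected_external_logins(log_text):
    """Return (user, src, ts) for successful external logins that used no MFA factor."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the audit
        if rec["result"] == "success" and rec["mfa"] == "none" and is_external(rec["src"]):
            findings.append((rec["user"], rec["src"], rec["ts"]))
    return findings


def accounts_without_mfa(enrolment):
    """Accounts that could never present a second factor because none is enrolled."""
    return sorted(user for user, enrolled in enrolment.items() if not enrolled)


def summarise(log_text, enrolment):
    """Per-account report: how many unprotected external logins, and who lacks MFA entirely."""
    per_user = defaultdict(int)
    for user, _src, _ts in find_unprotected_external_logins(log_text):
        per_user[user] += 1
    return {
        "unprotected_external_logins": dict(per_user),
        "accounts_without_mfa": accounts_without_mfa(enrolment),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LOGS, MFA_ENROLMENT), indent=2))
```

Run stand-alone, the script flags the constructed `customer-support` account twice (external source, success, no factor) and lists `bob` and `customer-support` as unenrolled; `bob`'s login is not flagged because it came from an internal address. In a real estate the same two questions would be put to the identity provider's sign-in logs and its enrolment report, which is exactly the gap the findings against Advanced describe.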

The ICO has published ransomware and compliance guidance which provides information on how to best protect systems.

Controller-processor contracts

Once satisfied with a prospective supplier’s approach to data protection and information security it’s then vital to make sure contractual terms cover core requirements under UK GDPR. Often covered in a Data Processing Agreement/Addendum, these shouldn’t be overlooked. We’ve written about supplier agreements here.

It’s worth noting liability clauses in such agreements are facing increasing scrutiny, reflecting the increased cost of non-compliance and the fall-out from data breaches. Irina Beschieriu, Deals Counsel for Atos IT Solutions, has written an interesting article on this for IAPP and says: “General limitations of liability clauses are no longer considered sufficient to address the specific risks associated with data privacy. Instead, we have seen the rise of dedicated provisions meticulously crafted to address data privacy liabilities specifically. Negotiations surrounding these provisions are now more intense, more detailed, and carry higher stakes than ever before.” See: The growing burden of data privacy liability in tech contracts

While ICO fines are not commonplace, we’d urge both controllers and processors to take heed of this action. In announcing this enforcement action, Information Commissioner John Edwards says: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

Why the Tory app data breach could happen to anyone

June 2024

Shakespeare wrote (I hope I remembered this correctly from ‘A’ level English), ‘When sorrows come, they come not single spies but in battalions.’ He could’ve been writing about the UK Conservative Party which, let’s be honest, hasn’t been having a great time recently.

The Telegraph is reporting the party suffered its second data breach in a month. An error with an app led to the personal information of leading Conservative politicians – some in high government office – being available to all app users.

Launched in April, the ‘Share2Win’ app was designed as a quick and easy way for activists to share party content online. However, a design fault meant users could sign up to the app using just an email address. Then, in just a few clicks, they were able to access the names, postcodes and telephone numbers of all other registrants.

This follows another recent Tory Party email blunder in May, where all recipients could see each other’s details. Email data breaches.

In the heat of a General Election, some might put these errors down to ‘yet more Tory incompetence’. I’d say, to quote another famous piece of writing, ‘He that is without sin among you, let him first cast a stone’! There are plenty of examples where other organisations have failed to take appropriate steps to make sure privacy and security are baked into their app’s architecture. And this lack of oversight extends beyond apps to webforms, online portals and more. It’s depressingly common, and easily avoided.

In April, a Housing Association was reprimanded by the ICO after launching an online customer portal which allowed users to access documents (revealing personal data) they shouldn’t have been able to see. These related to, of all things, anti-social behaviour. In March the ICO issued a reprimand to the London Mayor’s Office after users of a webform could click on a button and see every other query submitted. And the list goes on. This isn’t a party political issue. It’s a lack of due process and carelessness issue.

It’s easy to see how it happens, especially (such as in a snap election) when there’s a genuine sense of urgency. Some bright spark has a great idea, senior management love it, and demand it’s implemented pronto! Make it happen! Be agile! Be disruptive! (etc).

But there’s a sound reason why the concept of data protection by design and by default is embedded into data protection legislation, and it’s really not that difficult to understand. As the name suggests, data protection by design means baking data protection into business practices from the outset: considering the core data protection principles such as data minimisation and purpose limitation as well as integrity & confidentiality. Crucially, it means not taking short-cuts when it comes to security measures.
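To make the design fault concrete, here is an added Python example; it is not code from the Share2Win app, the housing association portal, the Mayor’s Office webform or any organisation mentioned in this article. It contrasts a hypothetical “registrants” endpoint whose only control is being signed in, so any account created with just an email address can pull every registrant’s name, postcode and phone number, with a version that decides access per record, returns only the fields the feature actually needs (data minimisation), and logs reads so that one caller pulling many other people’s records stands out. All names, field choices and sample values are constructed for the illustration.

```python
"""Added example (not from any app or organisation named in the article):
a hypothetical registrants endpoint, before and after data protection by design.
Sample data is constructed; example.org addresses and 01632 numbers are reserved."""

from collections import Counter
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Registrant:
    user_id: int
    name: str
    email: str
    postcode: str
    phone: str


# Constructed sample data: placeholder people, not real registrants.
REGISTRANTS = {
    1: Registrant(1, "A. Activist", "a@example.org", "SW1A 0AA", "01632 960001"),
    2: Registrant(2, "B. Minister", "b@example.org", "SW1A 2AA", "01632 960002"),
    3: Registrant(3, "C. Volunteer", "c@example.org", "M1 1AE", "01632 960003"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested data."""


def require_signed_in(caller_id):
    if caller_id not in REGISTRANTS:
        raise Forbidden("not signed in")


# --- Before: the design fault the article describes ---
def list_registrants_vulnerable(caller_id):
    """Authentication is the only control. Any signed-in account receives every
    registrant's contact details, so the records leak to all app users."""
    require_signed_in(caller_id)
    return [asdict(r) for r in REGISTRANTS.values()]


# --- After: per-record authorisation plus data minimisation ---
# Hypothetical: the content-sharing feature needs only a display name for other users.
# Whether it needs even that is a question the DPIA should ask; if not, this tuple shrinks.
PUBLIC_FIELDS = ("user_id", "name")
AUDIT_LOG = []  # (caller_id, target_id) for every read; feeds bulk_readers() below


def get_registrant_hardened(caller_id, target_id):
    """Own record: full details. Anyone else's: only PUBLIC_FIELDS.
    Email, postcode and phone never leave the server for a record the caller does not own."""
    require_signed_in(caller_id)
    record = REGISTRANTS.get(target_id)
    if record is None:
        raise Forbidden("no such record")
    AUDIT_LOG.append((caller_id, target_id))
    full = asdict(record)
    if caller_id == target_id:
        return full
    return {key: full[key] for key in PUBLIC_FIELDS}


# --- Detection: a caller reading many other people's records is a scraping pattern ---
def bulk_readers(audit_log, threshold):
    """Return caller ids that read at least `threshold` distinct records other than their own."""
    distinct = Counter()
    seen = set()
    for caller, target in audit_log:
        if caller != target and (caller, target) not in seen:
            seen.add((caller, target))
            distinct[caller] += 1
    return sorted(c for c, n in distinct.items() if n >= threshold)


def raises_forbidden(fn, *args):
    """Helper for exercising the deny path without try/except at the call site."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, caller 1 sees phones:", [r["phone"] for r in list_registrants_vulnerable(1)])
    print("hardened, caller 1 reads record 2:", get_registrant_hardened(1, 2))
    print("hardened, caller 1 reads own record:", get_registrant_hardened(1, 1))
    print("bulk readers (threshold 2):", bulk_readers(AUDIT_LOG + [(1, 3)], 2))
```

The point of the before/after is the shape of the two checks, not the framework: the fix is a decision per object (“is this record the caller’s?”) and per field (“does this feature need the phone number at all?”), made at design time and written into the endpoint. The audit log is the organisational measure that pairs with it, since an account enumerating every other registrant shows up as a single caller with many distinct targets.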

GDPR may have its critics, but this element is just common sense. Something most people would get onboard with. A clear and approved procedure for new systems, services and products which covers data protection and security is not a ‘nice to have’ – it’s a ‘must have’. This can go a long way to protect individuals and mitigate the risk of unwelcome headlines further down the line, when an avoidable breach puts your customers’, clients’ or employees’ data at risk.

Should we conduct a DPIA?

A clear procedure can also alert those involved to when a Data Protection Impact Assessment is required. A DPIA is mandatory in certain circumstances where activities are higher risk, but even when not strictly required it’s a handy tool for picking up on any data protection risks and agreeing measures to mitigate them from Day One of your project. Many organisations would also want to make sure there’s oversight by their Information Security or IT team, in the form of an Information Security Assessment for any new applications.

Developers, the IT team and anyone else involved need to be armed with the information they need to make sound decisions. Data protection and information security teams need to work together to develop apps (or other new developments) which aren’t going to become a leaky bucket. Building this in from the start actually saves time too.

In all of this, don’t forget your suppliers. If you want to outsource the development of an app to a third-party supplier, you need to check their credentials and make sure you have necessary controller-to-processor contractual arrangements and assessment procedures in place – especially if once the app goes live, the developer’s team still has access to the personal data it collects. Are your contractors subbing work to other third party subcontractors? Do they work overseas? Will these subcontractors have access to personal data?

The good news? There’s good practice out there. I remember a data protection review DPN conducted a few years back. One of the areas we looked at was an app our client developed for students to use. It was a pleasure to see how the app had been built with data protection and security at its heart. We couldn’t fault the team who designed it – and as such the client didn’t compromise their students, face litigation, look foolish or get summoned to see the Information Commissioner!

In conclusion? Yes, be fast. Innovate! Just remember to build your data protection strategy into the project from Day One.

Data Sharing Checklist

June 2024

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles.

Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad-hoc or a one off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly.

(The focus here is on sharing data with other controllers, i.e. other organisations who will use personal data for their own purposes. There are separate considerations when sharing data with processors, such as suppliers and service providers.) Controller or processor, what are we?

1. Is it necessary?

It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?

Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. Quick DPIA Guide.

3. Do people know their data is being shared?

Transparency is key, so it’s important to make sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way? Is it covered in your Privacy Notice?

In some situations it may not be possible to be transparent, in which case a robust and defensible justification is needed.

4. Is it lawful?

To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent, is this specific, informed and an unambiguous indication of the person’s wishes? If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?

Check what data the other organisation actually needs; you may not need to share a whole dataset, as a subset may suffice.

6. Is it secure?

Agree appropriate security measures to protect the personal data, both when it’s shared and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access have access?

7. Can people still exercise their privacy rights?

Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long will the personal data be kept for?

Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?

If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?

UK GDPR does not specify a legal requirement to have an agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’, as an agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. ICO Data Sharing Agreement guidance.

Other data sharing considerations 

Are we planning to share children’s data?

Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case for conducting a DPIA!

Is the other organisation using data for a ‘compatible purpose’?

Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?

If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?

We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full of useful information about how the Regulator would expect organisations to approach this.