Rising cyber threats but data breaches aren’t always obvious

The UK Government and National Cyber Security Centre have issued warnings about significant and growing cyber threats, with the expectation of increased ransomware attacks, state-sponsored cyber activity and sophisticated cybercrime. Do take heed: the retail sector has already seen a number of damaging attacks.

Sometimes, it’s obvious a data breach has taken place. However, this isn’t always the case, especially when cyber criminals take steps to cover their tracks. A recent example illustrates the consequences for organisations who fail to fully appreciate the significance of a malicious attack.

The ICO has issued a £60k fine to law firm DPP, following a 2022 cyber-attack. The attack led to highly sensitive and confidential personal information being published on the dark web. The ICO investigation discovered lapses in IT security practices, leaving information vulnerable to unauthorised access. Hackers were able to exploit a user account which did not have Multi-Factor Authentication (MFA), enabling them to move laterally across the firm’s systems.

Let’s be clear; MFA is now a must have on all relevant data systems.

Announcing the fine, the ICO said: “DPP only became aware of the breach when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.”

A personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ That’s a broad scope.

The ICO enforcement notice accepts actions taken by the attackers made DPP’s response to the incident difficult. Unfortunately, DPP’s initial assessment indicated no personal data had been exfiltrated and didn’t consider loss of access to personal data to be a breach – therefore the firm didn’t report it.

You can check out the full enforcement notice, but bear in mind it’s reported DPP disputes some of the ICO’s conclusions and may appeal.

Any organisation suffering a cyber-attack has my sympathy. Attacks are becoming more frequent, sophisticated and harder to track. They can severely disrupt day-to-day operations. Ascertaining the cause and consequences of an attack can be difficult. Indeed, in some cases the consequences might never be clearly established. And when it becomes public knowledge the organisation needs to work decisively, not just to get operations back up and running and mitigate any harms to those affected, but also manage PR.

As I write, we’re witnessing M&S battle a significant ransomware attack, which has left store shelves empty. Cyber criminals have also reportedly told the BBC their attack on the Co-op is more serious than the company had previously admitted.

Organisations are legally required to report personal data breaches to the ICO (or another relevant Data Protection Authority) within 72 hours of becoming aware, unless there is unlikely to be a risk to individuals. When it comes to ransomware attacks, it may be best to assume that (more likely than not) personal information is affected. The ICO states in a research paper: ‘If you become a victim of ransomware, you should assume the information has been exfiltrated (extracted).’

In other words, it would be wise to submit an initial data breach report. It’s understood you won’t know all the facts immediately and you may need to bring in digital forensics expertise. In this situation, you can submit an initial report and update the Regulator when more facts become known. The risk can subsequently be upgraded or downgraded as you continue your investigations. We’ve written more about how to assess the risks posed by a data breach here.

It’s important, even for small-to-medium sized businesses, to have sufficient knowledge about what constitutes a personal data breach, and the threats we all face. Here’s a refresher of some common ways a personal data breach can occur.

Cyber security incidents

We often hear about ransomware attacks where hackers gain unauthorised access to databases, exfiltrating or altering personal information, and making a demand for payment. There are also other forms of malicious attack, such as:

■ Brute force – this is where hackers use algorithms to ‘guess’ username and password credentials, testing multiple combinations to try to gain access to user accounts. It’s understood this is how hackers initially got into DPP Law’s systems. Clearly, these attacks are more successful when passwords are easy to guess and when MFA is not in place.

■ Denial of Service (DoS) – this works by overloading a computer network or website and can result in a degrading of performance, or render the system completely inaccessible. DoS attacks may result in full or partial loss of access (availability) to personal data records. And as we said above, that’s classed as a data breach.

■ Supply chain attacks – these attacks target vulnerabilities in third-party services your organisation is using. In 2023 the BBC, British Airways and Boots were among many organisations impacted by the well-publicised MOVEit supply chain breach. More recently the ICO issued a £3 million fine to an IT software company which provided services to many UK organisations including the NHS.

■ Phishing – this is when criminals use scam emails to trick people into clicking on a malicious link. Phishing attacks can trick people into sharing sensitive information, such as payment card details or login credentials. As well as email, phishing can be spread via text messages or over the phone.

I’d urge you to read the ICO’s Learning from the Mistakes report, which provides detailed information on the types of cyber-attacks organisations can suffer and ways to mitigate the risk.

Loss or theft of devices or hard copy documents

This is pretty self-explanatory; a smartphone, laptop or other device containing personal data is lost or stolen. When devices are not encrypted this can lead to the exposure of potentially sensitive personal information. Alternatively, a data breach can occur when physical documents are lost or stolen.

Disclosure of personal information

This type of incident can occur in a number of different ways, for example:

  • An email sent to the wrong recipient(s).
  • Accidentally using the CC field in emails for multiple recipients, thereby revealing their email address to all recipients. In some cases this can just be embarrassing, but in others, like the Central YMCA breach, much more serious.
  • Information is posted to the wrong person, such as a hospital sending medical records by post to the wrong recipient.
  • Publishing confidential information on a public website.
  • Sharing personal data with unauthorised third parties.

Unauthorised Disclosure

This type of incident may occur due to a malicious attack such as ransomware, or it may be an insider breach, as illustrated by these cases:

  • In 2023 two former Tesla employees leaked confidential and personal information relating to employees and customers.
  • Back in 2014 a Morrison’s employee leaked his colleagues’ payroll details in what was seen as an act of revenge after being given a verbal warning. The case resulted in years of legal wrangling over whether Morrison’s was liable for the actions of a rogue employee.

This type of incident also includes ‘employee snooping.’ For example, a member of staff with access to a customer database browses the personal data of others without a legitimate business purpose. Or a police officer or council official looks up and discloses information without authority.

Improper disposal of records

Insecure disposal of electronic or paper records might lead to a data breach. For example, if a company disposes of old paper files containing customer details without shredding them, and a third party finds them.

The above is by no means an exhaustive list, but provides those less experienced in data breaches with a steer on what risks to be aware of.

Not all security incidents will be personal data breaches; they could involve commercially sensitive information, but no personal data. While these don’t need to be reported if they meet a certain threshold, they still have the potential to cause considerable fallout.

Privacy violations

In other circumstances there may be a violation of data protection law, which is not a data breach. As an example, I’ve been asked before whether it’s necessary to report an email marketing campaign accidentally sent to customers who’ve unsubscribed as a breach. While a clear violation of the right to object to direct marketing, this doesn’t represent a breach of security: there’s been no destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The individuals’ personal data remains secure. Efforts therefore need to focus on trying to minimise the risk of complaints escalating, and making sure this never happens again.

To conclude, the DPP Law case is instructive; it’s not a big company, employing fewer than 250 people, but it handles highly sensitive information relating to its clients. The attack suffered sends a clear message: any business can fall victim to cyber-attacks and personal data breaches. The more sensitive the data your organisation handles, the more damaging a breach could be. Not only must cyber security be treated as a priority, but so must robust data breach procedures to guide your team through any potential attack.

ICO fines software company £3 million after cyber-attack

First UK processor fine is a stark reminder of supply chain risks

The Information Commissioner’s Office has fined Advanced Software Group Ltd (Advanced) £3.07 million following a cyber-attack in 2022 which put the personal information of nearly 80,000 people at risk. This marks the first fine issued under UK GDPR to a processor.

Advanced, which provides IT and software services to organisations including the NHS, was found to have failed to implement appropriate technical and organisational measures to protect its systems.

In the ransomware attack, hackers managed to access certain systems of Advanced’s health and care subsidiary. This was done via a customer account, which notably did not have Multi Factor Authentication (MFA). The attack caused massive disruption to critical NHS services and healthcare staff were left unable to access patient records. Advanced was found to have insufficient measures in place, including:

  • Gaps in deployment of Multi Factor Authentication
  • A lack of mature vulnerability management scanning mechanisms
  • Inadequate security patch management

A provisional fine of £6.09 million was reduced to £3.07 million after Advanced’s proactive engagement with the National Cyber Security Centre, the National Crime Agency and the NHS. Advanced has agreed to pay the fine without appeal. You can read the ICO enforcement notice here.

Key learnings from this case

This action serves as a timely reminder for both controller organisations and service providers to make sure robust measures are in place to protect personal data and ensure systems are secure throughout the supply chain.

Supplier due diligence

While this fine has been imposed on a processor, organisations which engage other parties to provide services have a duty to make sure they work with suppliers who can demonstrate robust standards in data protection and information security.

In our experience, controllers need to make sure they’re asking the right questions before they onboard any new supplier who’d be processing personal data on their behalf – whether this be cloud computing providers, SaaS solutions or other technology providers. To give a simple illustration:

  • Do they have a DPO or another individual in the business who oversees data protection compliance?
  • Do they have an Information Security Officer, or other related role?
  • Can they provide evidence of data protection and info sec policies and procedures?
  • Have they experienced a data breach before?
  • What information security measures do they have in place?
  • Are security measures regularly tested, and how?

Suppliers, for their part, need to be prepared to meet clients’ due diligence requests, including being able to provide detailed information on data location(s) and the security measures and controls in place to protect client data.

We’d stress a proportionate, risk-based approach should be taken to this: the more sensitive the data, the more robust the checks should be.

Seven quick information security tips

1. Restrict access to your data and services and use Multi Factor Authentication where possible
2. Choose secure settings for your network, devices and software
3. Protect yourself from viruses and other malware
4. Keep your devices and software up to date
5. Keep logs and monitor them
6. Restrict or prevent use of USB / memory drives
7. Back up your data

The ICO has published ransomware and compliance guidance which provides information on how to best protect systems.

Controller-processor contracts

Once satisfied with a prospective supplier’s approach to data protection and information security it’s then vital to make sure contractual terms cover core requirements under UK GDPR. Often covered in a Data Processing Agreement/Addendum, these shouldn’t be overlooked. We’ve written about supplier agreements here.

It’s worth noting liability clauses in such agreements are facing increasing scrutiny, reflecting the increased cost of non-compliance and the fall-out from data breaches. Irina Beschieriu, Deals Counsel for Atos IT Solutions, has written an interesting article on this for IAPP and says: “General limitations of liability clauses are no longer considered sufficient to address the specific risks associated with data privacy. Instead, we have seen the rise of dedicated provisions meticulously crafted to address data privacy liabilities specifically. Negotiations surrounding these provisions are now more intense, more detailed, and carry higher stakes than ever before.” See: The growing burden of data privacy liability in tech contracts

While ICO fines are not commonplace, we’d urge both controllers and processors to take heed of this action. In announcing this enforcement action, Information Commissioner John Edwards says: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”

Why the Tory app data breach could happen to anyone

June 2024

Shakespeare wrote (I hope I remembered this correctly from ‘A’ level English), ‘When sorrows come, they come not single spies but in battalions.’ He could’ve been writing about the UK Conservative Party which, let’s be honest, hasn’t been having a great time recently.

The Telegraph is reporting the party suffered its second data breach in a month. An error with an app led to the personal information of leading Conservative politicians – some in high government office – being available to all app users.

Launched in April, the ‘Share2Win’ app was designed as a quick and easy way for activists to share party content online. However, a design fault meant users could sign up to the app using just an email address. Then, in just a few clicks, they were able to access the names, postcodes and telephone numbers of all other registrants.

This follows another recent Tory Party email blunder in May, where all recipients could see each other’s details. See: Email data breaches.

In the heat of a General Election, some might put these errors down to ‘yet more Tory incompetence’. I’d say, to quote another famous piece of writing, ‘He that is without sin among you, let him first cast a stone’! There are plenty of examples where other organisations have failed to take appropriate steps to make sure privacy and security are baked into their app’s architecture. And this lack of oversight extends beyond apps to webforms, online portals and more. It’s depressingly common, and easily avoided.

In April, a Housing Association was reprimanded by the ICO after launching an online customer portal which allowed users to access documents (revealing personal data) they shouldn’t have been able to see. These related to, of all things, anti-social behaviour. In March the ICO issued a reprimand to the London Mayor’s Office after users of a webform could click on a button and see every other query submitted. And the list goes on. This isn’t a party political issue. It’s a lack of due process and carelessness issue.

It’s easy to see how it happens, especially (such as in a snap election) when there’s a genuine sense of urgency. Some bright spark has a great idea, senior management love it, and demand it’s implemented pronto! Make it happen! Be agile! Be disruptive! (etc).

But there’s a sound reason why the concept of data protection by design and by default is embedded into data protection legislation, and it’s really not that difficult to understand. As the name suggests, data protection by design means baking data protection into business practices from the outset; considering the core data protection principles such as data minimisation and purpose limitation as well as integrity & confidentiality. Crucially, it means not taking short-cuts when it comes to security measures.

GDPR may have its critics, but this element is just common sense, something most people would get on board with. A clear and approved procedure for new systems, services and products which covers data protection and security is not a ‘nice to have’ – it’s a ‘must have’. This can go a long way to protect individuals and mitigate the risk of unwelcome headlines further down the line, when an avoidable breach puts your customers’, clients’ or employees’ data at risk.

Should we conduct a DPIA?

A clear procedure can also alert those involved to when a Data Protection Impact Assessment is required. A DPIA is mandatory in certain circumstances where activities are higher risk, but even when not strictly required it’s a handy tool for picking up on any data protection risks and agreeing measures to mitigate them from Day One of your project. Many organisations would also want to make sure there’s oversight by their Information Security or IT team, in the form of an Information Security Assessment for any new applications.

Developers, the IT team and anyone else involved need to be armed with the information they need to make sound decisions. Data protection and information security teams need to work together to develop apps (or other new developments) which aren’t going to become a leaky bucket. Building this in from the start actually saves time too.

In all of this, don’t forget your suppliers. If you want to outsource the development of an app to a third-party supplier, you need to check their credentials and make sure you have necessary controller-to-processor contractual arrangements and assessment procedures in place – especially if once the app goes live, the developer’s team still has access to the personal data it collects. Are your contractors subbing work to other third party subcontractors? Do they work overseas? Will these subcontractors have access to personal data?

The good news? There’s good practice out there. I remember a data protection review DPN conducted a few years back. One of the areas we looked at was an app our client developed for students to use. It was a pleasure to see how the app had been built with data protection and security at its heart. We couldn’t fault the team who designed it – and as such the client didn’t compromise their students, face litigation, look foolish or get summoned to see the Information Commissioner!

In conclusion? Yes, be fast. Innovate! Just remember to build your data protection strategy into the project from Day One.

Data Sharing Checklist

June 2024

Controller to Controller Data Sharing

Data protection law doesn’t stop us sharing personal data with other organisations, but does place on us a requirement to do so lawfully, transparently and in line with other key data protection principles.

Organisations often need to share personal data with other parties. This could be reciprocal, one-way, a regular activity, ad-hoc or a one off.

Quick Data Sharing Checklist

Here’s a quick list of questions to get you started on how to share personal data compliantly.

(The focus here is on sharing data with other controllers, i.e. other organisations who will use personal data for their own purposes. There are separate considerations when sharing data with processors, such as suppliers and service providers.) See: Controller or processor, what are we?

1. Is it necessary?

It may be possible to achieve your objective without sharing personal data at all, or perhaps the data could be anonymised.

2. Do we need to conduct a risk assessment?

Check if what you’re planning to do falls under the mandatory requirement to complete a Data Protection Impact Assessment. Depending on the nature and sensitivity of the data it might be a good idea to conduct one anyway. See: Quick DPIA Guide.

3. Do people know their data is being shared?

Transparency is key, so it’s important to make sure people know their personal details are being shared. Would they reasonably expect their personal data to be shared in this way? Is it covered in your Privacy Notice?

In some situations it may not be possible to be transparent, in which case a robust and defensible justification is needed.

4. Is it lawful?

To be lawful we need a lawful basis and we need to meet the relevant conditions of the basis we’ve chosen. For example, if we’re relying on consent, is this specific, informed and an unambiguous indication of the person’s wishes? If we’re relying on legitimate interests, have we balanced our interests with those of the people whose data we’re sharing? See: Quick guide to lawful bases.

5. Can we reduce the amount of data being shared?

Check what data the other organisation actually needs; you may not need to share a whole dataset, as a sub-set may suffice.

6. Is it secure?

Agree appropriate security measures to protect the personal data, both when it’s shared and at rest. This includes security measures where the other organisation is being given access to your systems. Are controls in place to make sure only those who need access have access?

7. Can people still exercise their privacy rights?

Both parties should be clear about their responsibilities to fulfil privacy rights, and it should be easy for people to exercise them.

8. How long will the personal data be kept for?

Consider if it’s appropriate to have specific arrangements in place for the shared data to be destroyed after a certain period of time.

9. Is the data being shared with an organisation overseas?

If the personal data is being shared with a business located outside the UK, it will be necessary to consider the international data transfer rules.

10. Do we need a data sharing agreement?

UK GDPR does not specify a legal requirement to have an agreement in place when data is shared between organisations acting as controllers. However, the UK ICO considers it ‘good practice’, as an agreement can set out what happens to the data at each stage, and agreed standards, roles and responsibilities. See: ICO Data Sharing Agreement guidance.

Other data sharing considerations

Are we planning to share children’s data?

Proceed with care if you are sharing children’s data. You need to carefully assess how to protect children from the outset, and will need a compelling reason to share data relating to under 18s. This is likely to be a clear case for conducting a DPIA!

Is the other organisation using data for a ‘compatible purpose’?

Consider the original purpose the data was collected for, and whether the organisation you’re sharing it with will use it for a similar purpose. It’s worth noting the UK Department of Education came a cropper for sharing data for incompatible purposes.

Is data being shared as part of a merger or acquisition?

If data is being shared as part of a merger or acquisition, the people the data relates to should be made aware this is happening. You’d want to be clear the data should be used for a similar purpose. Robust due diligence is a must, and perhaps a DPIA to assess and mitigate any risks.

Is it an emergency situation?

We’ve all heard the tales about people being scared they’ll be breaching data protection rules if they share personal data with paramedics, doctors or others in emergency situations. The ICO is clear on this point: in an emergency you should go ahead and share data as is necessary and proportionate.

The ICO has a Data Sharing Code of Practice, full of useful information about how the Regulator would expect organisations to approach this.

Access controls: Protecting your systems and data

Is your data properly protected?

Do existing staff or former employees have access to personal data they shouldn’t have access to? Keeping your business’ IT estate and personal data safe and secure is vital. One of the key ways to achieve this is by having robust access controls.

Failure to make sure you have appropriate measures and controls to protect your network and the personal data on it could lead to a data breach. This could have very serious consequences for your customers and staff, and the business’ reputation and finances.

How things can go wrong

  • Recently a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time.
  • In 2023 a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family.
  • In 2022 a former staff advisor for an NHS Foundation was found guilty of accessing patient records without a valid reason.

Anecdotally, we know of cases of former employees being found to be using their previous employer’s personal data once they have moved onto a new role.

The ability to access and either deliberately or accidentally misuse data is a common risk for all organisations. Add to this the risk of more employees and contractors working remotely, and it’s clear we need to take control of who has access to what.

High-level check list

1. Apply the ‘Principle of Least Privilege’

There’s a useful security principle, known as ‘the principle of least privilege’ (PoLP). This sets a rule that employees should have only the minimum access rights needed to perform their job functions.

Think of it in the same way as the ‘minimisation’ principle within GDPR. You grant the minimum access necessary for each user to meet the specific set of tasks their role requires, with the specific datasets they need.

By adopting this principle, you can reduce the risk of employees accumulating more access rights over time. You’ll need to periodically check to make sure they still need the existing access rights they have. For example, when someone changes role, their access needs may also change.

If your access controls haven’t been reviewed for a long time, adopting PoLP can give you a great starting point to tighten up security.

2. Identity and Access Management

IAM is a broad term for the policy, processes and technology you use to administer employee access to your IT resources.

IAM technology can join it all up – a single place where your business users can be authenticated when they sign into the network and be granted specific access to the selected IT resources, datasets and functions they need for their role.  One IAM example you may have heard of is Microsoft’s Active Directory.

3. Role-based access

Your business might have several departments and various levels of responsibility within them.  Most employees won’t need access to all areas.

Many businesses adopt a framework in which employees can be identified by their job role and level, so they can be given access rights which meet the needs of the type of job they do.
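The least-privilege and role-based ideas above come together in a small model: roles carry the minimum permissions a job function needs, access is denied unless a role (or an explicit grant) allows it, and a periodic review flags grants the current role does not justify, which is exactly what accumulates when someone changes role and old rights are never removed. This is an added example, not code from the original article; the role names, permission strings and users are constructed sample data.

```python
"""Least-privilege review on top of a role-based access model (added example)."""
from dataclasses import dataclass, field

# Role -> minimum set of permissions needed for that job (PoLP).
# Constructed sample roles; real systems would load these from the IAM platform.
ROLE_PERMISSIONS = {
    "hr_assistant": {"hr:read_employee"},
    "hr_manager": {"hr:read_employee", "hr:edit_employee", "payroll:read"},
    "sales_rep": {"crm:read_customer", "crm:edit_own_customer"},
    "it_admin": {"iam:manage_users", "logs:read"},
}


@dataclass
class User:
    username: str
    role: str
    # Permissions granted directly to the account, outside its role.
    # These are where privilege creep hides.
    direct_grants: set = field(default_factory=set)


def effective_permissions(user):
    """Role permissions plus direct grants. Unknown roles map to nothing."""
    return ROLE_PERMISSIONS.get(user.role, set()) | user.direct_grants


def is_allowed(user, permission):
    """Deny by default: access exists only if the role or a direct grant allows it."""
    return permission in effective_permissions(user)


def review_excess_grants(users):
    """Periodic access review: return {username: [excess permissions]} for
    accounts holding direct grants that their current role does not require."""
    findings = {}
    for u in users:
        excess = u.direct_grants - ROLE_PERMISSIONS.get(u.role, set())
        if excess:
            findings[u.username] = sorted(excess)
    return findings


def change_role(user, new_role):
    """Re-provision on a role change: the new role replaces the old one and
    direct grants are cleared, so rights do not accumulate across moves."""
    user.role = new_role
    user.direct_grants = set()
    return user


# Constructed sample directory. Bob moved from sales into HR but kept his CRM
# access as a direct grant, the classic leftover a review should catch.
SAMPLE_USERS = [
    User("alice", "hr_assistant"),
    User("bob", "hr_assistant", {"crm:read_customer"}),
    User("carol", "it_admin"),
]

if __name__ == "__main__":
    print("Excess grants:", review_excess_grants(SAMPLE_USERS))
    print("bob -> payroll:", is_allowed(SAMPLE_USERS[1], "payroll:read"))
```

Running the review on the sample directory reports Bob's leftover CRM permission; re-provisioning him through `change_role` clears it and the next review comes back empty. The same shape scales to a real directory export: the review is simply "direct grants minus role permissions" per account.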

4. Security layers

Striking the right balance between usability and security is not easy. It’s important to consider the sensitivity of different data and the risks if that data was breached. You can take a proportionate approach to setting your security controls.

For example personal data, financial data, special category or other sensitive personal data, commercially sensitive data (and so on) will need a greater level of security than most other data.

Technologies can help you apply proportionate levels of security. Implementing security technologies at the appropriate levels can give greater protection to certain systems & data which demand a high level of security (i.e. strictly controlled access), while allowing non-confidential or non-sensitive information to be accessed quickly by a wider audience.

5. Using biometrics

How do you access your laptop or phone? Many of us use our fingerprint or facial recognition, which gives a high level of security using our own biometric data. But some say, for all their convenience benefits, they are not as secure as a complex password!

But then, how many of us really use complex passwords? Perhaps you use an app to generate and store complex passwords for you.  Sadly lots of people use words, names or memorable dates within their passwords. Security is only going to be as good as your weakest link.

6. Multi-factor authentication (MFA)

Multi-factor authentication has become a business standard in many situations, to prevent fraudulent use of stolen passwords or PINs.

But do make sure it’s set up effectively. I’ve seen some examples where MFA has to be activated by the user themselves. So if they fail to activate it, there’s little point having it.  I’ve heard about data breaches happening following ineffective implementation of MFA, so do be vigilant.
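The failure mode described here, and in the “gaps in deployment of Multi Factor Authentication” finding in the Advanced case, is MFA that exists as a feature but is left to each user to switch on. A policy that makes enrolment the organisation’s responsibility looks like this: accounts in scope are forced into enrolment at their next sign-in, blocked once a grace period lapses, and given no grace period at all when they are reachable from outside the network. This is an added example, not code from the original article or from any IAM product; the account records and field names are constructed assumptions.

```python
"""Sign-in policy and gap report for MFA enrolment (added example)."""
from datetime import date, timedelta

# Constructed policy value: how long a new internal account may go without MFA.
GRACE_PERIOD = timedelta(days=7)


def sign_in_decision(account, today):
    """Decision for an interactive sign-in on an account in scope for MFA.

    Returns 'allow' when MFA is enrolled, 'enrol' when the account must finish
    enrolment before proceeding, and 'block' when the grace period has lapsed
    or the account is externally reachable without MFA (no grace period there).
    """
    if account["mfa_enrolled"]:
        return "allow"
    if account["external_access"]:
        return "block"
    if today - account["created"] > GRACE_PERIOD:
        return "block"
    return "enrol"


def mfa_gap_report(accounts, today):
    """Group every account lacking MFA by the decision it would receive, so the
    gaps are visible to the organisation rather than only to whoever tries them."""
    report = {"enrol": [], "block": []}
    for a in accounts:
        decision = sign_in_decision(a, today)
        if decision != "allow":
            report[decision].append(a["username"])
    return report


# Constructed sample directory export (field names are assumptions).
SAMPLE_ACCOUNTS = [
    {"username": "alice", "mfa_enrolled": True, "external_access": True, "created": date(2024, 1, 10)},
    {"username": "bob", "mfa_enrolled": False, "external_access": False, "created": date(2024, 6, 1)},
    {"username": "svc-portal", "mfa_enrolled": False, "external_access": True, "created": date(2023, 3, 5)},
    {"username": "dave", "mfa_enrolled": False, "external_access": False, "created": date(2023, 3, 5)},
]

if __name__ == "__main__":
    print(mfa_gap_report(SAMPLE_ACCOUNTS, date(2024, 6, 3)))
```

On the sample data as of 3 June 2024, Bob (created two days earlier) is pushed into enrolment, while the externally reachable service account and the long-standing internal account without MFA are both blocked. The report is the artefact to review regularly: a non-empty “block” list is a deployment gap, not a user problem.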

There is an array of measures which can be adopted. This is just a taster, which I hope you found useful – stay safe and secure!

International Data Transfers Guide

March 2024

A top-level overview of international data transfers

There are restrictions under UK and EU data protection law when transferring personal data to organisations in other countries, and between the UK and EU.

The rules regarding restricted transfers can be an enigma to the uninitiated and their complexity has been magnified by Brexit and by an infamous 2020 European Court ruling known as ‘Schrems II’.

This guide aims to give an overview of what international data transfers are and the key data protection considerations. It does not cover all the intricacies, nor data transfers for immigration and law enforcement purposes. Also please be aware there may be specific restrictions in place under laws in other territories around the world.

As a general rule, controllers based in the UK or EU are responsible for making sure suitable measures are in place for restricted transfers to other controllers, or to processors. A processor will be responsible when they initiate the transfer, usually to a sub-processor.

Some might be thinking; what would be the impact if we just put all of this into the ‘too difficult’ tray? It’s certainly an area which many feel has become unduly complicated and an onerous paperwork exercise.

However, getting the detail right will pay off should things go wrong. For example, if a supplier you use based overseas suffers a data breach, the consequences may be more significant if you have not covered off legal requirements surrounding restricted transfers. It’s an area likely to come under regulatory scrutiny, in the event of a breach or should a complaint be raised.

What is an international data transfer?

An international data transfer refers to the act of sending or transmitting personal data from one country to another. It also covers when an organisation makes personal data available to another entity (‘third party’) located in another country; in other words, the personal data can be accessed from overseas.

There are specific rules about the transfer of personal data from a UK sender to a receiver located outside the UK (under UK GDPR) and similar transfers from EEA senders (under EU GDPR); these are known as restricted transfers. A receiver could be a separate company, public body, sole trader, partnership or other organisation.

EU GDPR

Personal data can flow freely within the European Economic Area (EEA). A restricted transfer takes place when personal data is sent or accessible outside the EEA. Where such a transfer takes place, specific safeguards should be in place to make the transfer lawful under EU GDPR.

UK GDPR

A restricted transfer takes place when personal data is transmitted, sent or accessed outside the UK, and safeguards should be in place to ensure the transfer is lawful.

The reason for these rules is to protect people’s legal rights, as there’s a risk people could lose control over their personal information when it’s transferred to another country.

Examples of restricted transfers would be:

  • Sending paper or electronic documents, or any kind of record containing personal data, by email or post to another country
  • Giving a supplier based in another country access to personal data
  • Giving access to UK/EU employee data to another entity in the same corporate group, based in another country.

There are some notable exceptions:

  • Our own employees: A restricted transfer does not take place when sending personal data to someone employed by your company, or when they access personal data from overseas. However, it does cover sending, transmitting or making personal data available to another entity within the same corporate group, where the entities operate in different countries.
  • Data in transit: Where personal data is simply routed via several other countries, but there is no intention that this data will be accessed or manipulated while it is being routed, this won’t represent a restricted transfer. ICO guidance says: “Transfer does not mean the same as transit. If personal data is just electronically routed through a non-UK country, but the transfer is actually from one UK organisation to another, then it is not a restricted transfer.”

What are the safeguards for restricted transfers?

A. Adequacy

Adequacy is when the receiving country has been judged to have a similar level of data protection standards in place to the sender country. An Adequacy Decision allows for the free flow of personal data without any additional safeguards or measures.

Transfers from the EEA
The European Commission has awarded adequacy decisions to a number of countries including the UK, Japan, New Zealand, Uruguay and Switzerland. A full list can be found on the European Commission website – Adequacy Decisions.

Therefore personal data can flow freely between EEA countries and an ‘adequate’ country. These decisions are kept under review. There are some concerns UK Government plans to reform data protection law could potentially jeopardise the UK’s current EC adequacy decision.

EU-US Data Privacy Framework: The EC adopted this framework for transfers from the EU to the US in July 2023. It allows for the free flow of personal data to organisations in the US which have certified to, and meet the principles of, the DPF. A list of self-certified organisations can be found on the U.S. Department of Commerce DPF website.

Transfers from the UK
There are provisions which permit the transfer of personal data between the UK and the EEA, and to any countries which were covered by a European Commission ‘adequacy decision’ (as of January 2021). Therefore personal data can flow freely between the UK and the EEA and any of the countries awarded adequacy by the EC.

The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems suitable for transfers from the UK. More information about UK adequacy decisions can be found here.

UK-US Data Bridge: The UK-US ‘Data Bridge’ was finalised on 21st September 2023 and goes live 12th October 2023. Like the EU-US Data Privacy Framework, organisations based in the US must self-certify to the DPF but they must also sign up to the ‘UK extension’. Read more about the Data Bridge

B. EU Standard Contractual Clauses

In the absence of an EC adequacy decision, Standard Contractual Clauses (SCCs) can be used which the sender and the receiver of the personal data both sign up to. These comprise a number of specific contractual obligations designed to provide legal protection for personal data when transferred to ‘third countries’.

SCCs can be used for restricted transfers from the EEA to other territories (including those not covered by adequacy). The European Commission published new SCCs in 2021 which should be used for new and replacement contracts. The SCCs cover specific clauses which can be used for different types of transfer:

  • controller-to-controller
  • controller-to-processor
  • processor-to-processor
  • processor-to-controller

There’s an option for more than two parties to join and use the clauses through a docking clause. More information can be found on the European Commission website – Standard Contractual Clauses.

Two points worth noting:

  • The deadline to update contracts which use the old SCCs has passed – 27th December 2022.
  • Senders in the UK cannot solely rely on EU SCCs; see the point below about the UK Addendum.

C. UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs

Senders in the UK (post Brexit) have two possible options here as a lawful tool to comply with UK GDPR when making restricted transfers.

  • The International Data Transfer Agreement, or
  • The Addendum to the new EU SCCs

ICO guidance stresses that the new EU SCCs are not valid for restricted transfers under UK GDPR on their own, but using the Addendum allows you to rely on the new EU SCCs. In other words, the UK Addendum works to ensure EU SCCs are fit for purpose in a UK context.

In practice, if the transfer is solely from the UK, the UK IDTA would be appropriate. If the transfer includes both UK and EU personal data, the EU SCCs with the UK Addendum would be appropriate, to cover the protection of the rights of EU as well as UK citizens.

It’s worth noting that contracts signed on or before 21 September 2022 can continue to use the old SCCs until 21 March 2024. Contracts signed after 21 September 2022 must use the IDTA or the Addendum to the new EU SCCs in order to be effective. See ICO Guidance.

The additional requirement for a risk assessment

The ‘Schrems II’ ruling in 2020 invalidated the EU-US Privacy Shield (predecessor of the Data Privacy Framework) and raised concerns about the use of EU SCCs to protect personal data. Concerns raised included the potential access to personal data by law enforcement or national security agencies in receiver countries.

As a result of this ruling there’s a requirement when using the EU SCCs or the UK IDTA to conduct a written risk assessment to determine whether personal data will be adequately protected. In the EU this is known as a Transfer Impact Assessment, and in the UK, it’s called a Transfer Risk Assessment (TRA).

The ICO has published TRA Guidance and we’ve written a TRA guide.

D. Binding Corporate Rules (BCR)

BCRs can be used as a safeguard for transfers within companies in the same group. While some global organisations have gone down this route, it can be incredibly onerous and takes a considerable amount of time to complete BCRs.

BCRs need to be approved by a Supervisory Authority (for example the ICO in the UK, or the CNIL in France). This has been known to take years, so many groups have chosen to use EU SCCs (with the UK Addendum if necessary) or the IDTA, in preference to going down the BCR route.

E. Other safeguards

Other safeguard measures include:

  • Approved codes of conduct
  • Approved certification mechanisms
  • Legally binding and enforceable instruments between public authorities or bodies.

What are the exemptions for restricted transfers?

It may be worth considering whether an exemption may apply to your restricted transfer. These can be used in limited circumstances and include:

  • Explicit consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.
  • Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.
  • Public interests – the transfer is necessary for important reasons of public interest.
  • Legal necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.
  • Vital interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give their consent.

The ICO makes the point most of the exemptions include the word ‘necessary’. The Regulator says this doesn’t mean the transfer has to be absolutely essential, but that it “must be more than just useful and standard practice”. An assessment needs to be made as to whether the transfer is objectively necessary and proportionate, and can’t be reasonably achieved another way.

The regulatory guidance says exemptions, such as contractual necessity, are more likely to be proportionate for occasional transfers, a low volume of data and where there is a low risk of harm when the data is transferred.

The above is not an exhaustive list of the exemptions; further details can be found here.

There is no getting away from it: international data transfers are a particularly complex and onerous area of data protection law! It pays to be familiar with the requirements and understand the potential risks.

Sometimes organisations will have little control over the terms under which they do business with others. For example, large technology providers might be unwilling to negotiate international transfer arrangements and will only proceed if you agree to their existing safeguards. A balance might need to be taken here on the necessity of entering the contract and the potential risks should restricted transfers not be adequately covered.

Managing how employees use their own devices for work

November 2023

How to mitigate the security risks of Bring Your Own Device (BYOD)

The switch to remote working due to the COVID pandemic, and subsequently, means even more employees now use their own devices to access work emails, systems and files. This can make practical sense for many organisations, but the use of personal devices can pose a serious security risk if appropriate measures are not in place: a risk to personal information, as well as other confidential or commercially sensitive information.

Some organisations (particularly those handling sensitive data) might take the step of banning the use of any personal devices for work purposes. But for others there are good reasons for allowing personal devices to be used. The key is making sure security risks have been considered and appropriate measures are in place to protect the organisation and those whose personal data is held.

It’s essential for any organisation which allows employees to use their own devices for work purposes to have robust security measures in place to address security risks, along with appropriate measures to protect personal data. Furthermore, employees need to know what’s expected of them, and this is where having a Bring Your Own Device (BYOD) Policy is crucial.

What are the risks, what key security measures should be in place, and what should a BYOD Policy cover?

Key BYOD risks

1. Loss or theft of devices – we’re all human, and I suspect many of us have lost a mobile before, or perhaps even left a laptop somewhere. There’s a clear risk if it’s possible for someone else to access valuable or sensitive information on the device.

2. Use of public wi-fi services – connecting to open public wi-fi when employees are out and about can leave personal devices vulnerable to hackers. There’s also a risk if home networks aren’t secure.

3. Malware and viruses – employees can view any website and download any app on their own device, raising the risk these could contain damaging malware or viruses.

4. Former employees – failing to remove access and data from devices when people leave the organisation could come back to haunt the organisation. I know of cases where this has caused a data breach.

Key steps to mitigate BYOD risks

Here are some methods to reduce or eliminate the risks. This is by no means an exhaustive list, but will hopefully give you some useful pointers.

  • Require employees to use appropriate authentication settings when accessing their devices. For example, access via a passcode or fingerprint.
  • Restrict which business applications and data employees can access via their own device.
  • Implement enhanced user authentication for business apps – multi-factor authentication (MFA). That includes access to their business email account (e.g. via Outlook) which may include personal information in the content or in attachments.
  • Consider measures to make sure personal data from business apps can’t be downloaded, stored or shared via personal devices. Don’t allow staff to share data or screenshots from any business app they use with any other app they may have on their device (e.g. social media or file sharing apps).
  • Put clear procedures in place for lost or stolen devices. For example, reporting the loss and the capability to remotely delete data from a lost or stolen device.
  • Make sure clear procedures are in place to update access controls when people leave the business or change roles.
  • Prohibit the use of public wi-fi services, which may be insecure.
  • Provide advice on making sure your home wi-fi is secure.
  • Ask employees to update apps regularly to make sure any security vulnerabilities are ‘patched’.
  • Ask them to run antivirus / malware checks regularly.

Creating a Bring Your Own Device Policy

A BYOD Policy sets out the rules for employees when using their personal devices – be it laptops, smartphones or tablets – for work purposes. It should set out the organisation’s expectations and the security measures required. When employees are accessing the organisation’s information, it’s okay to insist employees comply with a BYOD Policy.

Such a policy would cover all the measures in place to mitigate the risks above, making sure employees’ responsibilities are clearly laid out. You’d also want it to include, or point to, clear onboarding and leaver procedures, and procedures for lost or stolen devices.

In addition, a BYOD Policy is also likely to cover:

  • Types of device permitted.
  • Establishment of company rights on devices (this can be a tricky area and may be worth seeking legal advice).
  • List of company systems / apps allowed to be accessed via personal devices.
  • An explanation of acceptable use and behaviours. For example, what employees are not permitted to do may include:
    – Allowing others (e.g. family members) to access work systems and apps
    – Storing or transferring copies of organisation’s information onto their own devices
    – Using private email accounts for work purposes
    – Uses which may be illegal or bring the organisation into disrepute
  • Details of the IT support available to employees.
  • Any necessary sanctions should employees fail to follow the policy.

By the way, whilst we refer to employees above, you should bear in mind you may also have contractors who access the organisation’s systems / apps via their own devices. If so, the Policy should apply to contractors too.

Recently the Information Commissioner’s Office took action against a company following a data breach. It’s worth noting one of the key failings found was the lack of a BYOD policy. We’ve written more about this here: Information Security Tips

Seven top information security tips

November 2023

How to be vigilant against cyber attacks

The UK’s Information Commissioner’s Office (ICO) has recently issued reprimands to two companies who failed to have appropriate technical and organisational measures in place to protect personal data. Both cases provide helpful insight and serve as a reminder to others to be vigilant.

One case involved a ransomware attack on a company which provides accountancy, tax and employment solutions. In the other case an unauthorised third party gained access to and exfiltrated personal data from a recruitment company’s systems twice within a 12-month time frame.

I’m not going to get into the hot debate about whether the ICO should have issued reprimands or fines. What I would say is no company wants to have to go through the painstaking and embarrassing ordeal of an ICO investigation, fine or no fine. Needless to say, the regulator took into account some mitigating factors.

Key findings

I’ve summarised and combined the key findings from both cases, just to give a broad picture of the areas where failures were identified. These are failings by either company, not by both.

  • Lack of multi-factor authentication
  • No clear Bring Your Own Device Policy
  • Inadequate ‘account lockout policy’
  • Personal data held longer than necessary
  • Significant delay in notifying those affected by the breach
  • Lack of awareness in relation to patch management and associated risks
  • Unsupported software
  • Insufficient system logging, resulting in limited analysis of the attack

For many small and medium sized businesses, it’s not always obvious how to address cyber security threats. There are some core security arrangements which can really help to address the most obvious threats.

We’d highly recommend looking at Cyber Essentials or Cyber Essentials Plus accreditation. These are information assurance schemes operated by the National Cyber Security Centre (NCSC). They provide a framework for organisations to carry out a review of their security arrangements, and to make sure basic controls are introduced to protect networks/systems.

7 information security tips

1. Control who has access to your data and services

  • Role-based access – give people access to only the specific data they need based on their job role.
  • Separate administrative accounts from accounts which are also using email or browsing the web, to minimise the damage caused by an attack.

2. Choose the most secure settings for your devices and software

  • Check your device settings and make sure they’re providing a higher level of security.
  • Always password protect your devices and change any default passwords.
  • Wherever it’s available, always use Multi-Factor Authentication on your accounts.

3. Protect yourself from viruses and other malware

  • Make sure antivirus software is in place and updated regularly.
  • Create a list of applications which are allowed to be installed on a device.
  • Only use software from official sources and control who can install software. In other words stop staff downloading dodgy apps!

4. Keep your devices and software up to date

  • Make sure all software is up-to-date with the most recent version – known as patching.
  • If software becomes obsolete or is no longer supported, upgrade to a more modern version.

5. Logging and monitoring

  • Make sure you have suitable logs and monitors in place to detect and investigate any information security incidents.

6. Control use of USB / memory drives

  • Block access to external storage/upload devices – as the NCSC warns us, it only takes one person to plug in an infected memory stick containing malware to devastate the whole organisation.
  • Only allow approved drives and cards to be used.

7. Back up your data

  • Make sure you make backups of your important data very regularly and make sure backups can be restored very quickly, e.g. in the event of a malware attack. This will help your business get back on its feet quickly in the event of a critical data incident.

These are just a few key security steps to take and the above is by no means an exhaustive list. The NCSC has published a wide range of resources to help understand Cyber Essentials and become accredited: Cyber Essentials Overview. NCSC has also published helpful guidance on matters such as passwords, bring your own device and multi-factor authentication.

Any company that has suffered a cyber attack will know all too well how damaging they can be on so many different levels. We’d just stress that doing all you can to reduce this risk to your business should be a top priority.