ICO

The ICO has issued a statement confirming that organisations should immediately check to see whether they are potentially a victim of the cyber-attack carried out through the SolarWinds Orion IT management platform (see ICO statement). Initial technical research indicates that while the majority of potentially compromised users of Orion are based in the United States of America, there are significant numbers of users in the United Kingdom and EU. The versions of the software that…

The UK data protection regulator, the Information Commissioner’s Office, has issued three significant monetary penalties over recent months focusing on cyber security issues. The most recent enforcement was a monetary penalty of £1.25 million on Ticketmaster in connection with an incident which occurred between February 2018 and June 2018 (although the enforcement only relates to the period after 25 May 2018 when the GDPR came into force). In the ICO’s view there was a failure…

The UK data protection regulator, the Information Commissioner’s Office, has issued a monetary penalty of £20m on British Airways in connection with a cyber-attack which took place in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR. The incident commenced with a “supply chain attack” where BA’s network was accessed by an attacker…

The ICO, together with The Alan Turing Institute, recently published its finalised guidance on explaining decisions made with AI, following a public consultation which closed in January this year. Who should read this? The guidance is relevant for any organisation using, or thinking of using, AI to support or make decisions about individuals (including if you are procuring an AI system from a third party). It will be of particular use for DPOs, and legal…

On 15 April 2020 the ICO published a statement on its regulatory approach during the coronavirus pandemic. Recognising that operational and financial pressures caused by the coronavirus may impact organisations’ ability to fully comply with aspects of data protection laws, the ICO has stated it intends to apply an empathetic, “flexible and pragmatic” approach in its enforcement of data protection laws during the crisis, as well as any enforcement under the Freedom of Information Act…

On March 2, 2020, the Information Commissioner’s Office (ICO) issued a lead generator, CRDNN Limited (CRDNN), with a maximum £500,000 fine under the Privacy and Electronic Communications Regulations 2003 (PECR) for making more than 193 million automated nuisance calls. The full monetary penalty notice can be viewed here. What happened? CRDNN first came to the ICO’s attention due to a significant number of complaints from subscribers regarding large volumes of unsolicited marketing calls marketing a number of…

On February 19, 2020 the ICO published its draft guidance on the AI auditing framework for public consultation, which is open until April 1, 2020. We have summarised the key themes below. What is the draft guidance? The draft guidance, which runs to over 100 pages, provides advice and recommendations on how to understand data protection law in relation to artificial intelligence. It clarifies how to assess the data protection risks posed by AI and…

On January 8, 2020 the ICO published its draft Direct Marketing Code of Practice for public consultation, which is open until 4 March 2020. We have summarized the status of the draft code, the key areas which are new compared to the ICO’s current direct marketing guidance, and the next steps. What is the draft code and its status? The Information Commissioner is required to publish a statutory direct marketing code under the Data Protection…

On January 17, 2020, the ICO published a blog post entitled “Adtech – the reform of real time bidding has started and will continue”, which provides an update on key industry changes in relation to Real Time Bidding and the ICO’s approach going forward to the issues identified in its June 2019 report. We previously summarized the key points from the June 2019 report here, as well as an update from the ICO on…

On December 20, the ICO’s Executive Director for Technology and Innovation, Simon McDougall, published a blogpost entitled Adtech and the data protection debate – where next?. It marks six months since the ICO’s Update report into adtech and realtime bidding. What does the blogpost say? The blogpost summarises the ICO’s engagement with the adtech industry over the past six months, including the follow-up to its Fact-Finding Forum attended by industry stakeholders. The ICO’s conclusion is…