Blog Post
Why phishing is one of the biggest and most overlooked cybersecurity threats
A couple of weeks ago you received an email from the IT team who wanted you to urgently log in to your Microsoft account so they could check something or other. What you didn't realise is that the email address isn't one your IT team usually use. Two weeks later, the real IT team get in touch about unusual activity in your mailbox. Yep, you fell for a phishing attack. Not to worry, you have now changed your compromised password – job done!
Blog Post
ICO consultation to obtain powers under the Proceeds of Crime Act 2002
On 8 November 2019, the ICO opened a consultation on its application for powers under the Proceeds of Crime Act 2002 ("POCA"). The ICO has responsibility for investigating and pursuing criminal offences under the General Data Protection Regulation ("GDPR") and Data Protection Act 2018 ("DPA"). The ICO is concerned that the sanctions currently available to it are not sufficient to deter criminal activity concerning data.
Blog Post
Have your say on cyber security - The UK Government issues a call for evidence

From conversations with our clients and other friends we know that the topic of cybersecurity still burns bright at the top of your agendas. Rightly so. The World Economic Forum’s recent report on Regional Risks for Doing Business 2019 ranks cyber attacks second only to fiscal crises in its assessment of global risks to business (and data theft makes the list in its own right, in seventh place). That makes cyber a bigger issue than traditional fears such as failures of national government or critical infrastructure. Ensuring your business is as well-prepared as it can be is a core goal, and we’re delighted to be helping so many of you around the world design - and test - your strategies for cyber.
Blog Post
Does the EDPB answer frequently asked questions on territorial scope? (Update)

The European Data Protection Board (EDPB) has finally released the final version of its guidance on the GDPR's scope. It comes almost a year after the draft version - indicating some major disagreements between member states. Following on from a similar blog on the draft, Fieldfisher now examines the changes in the final version and answers some more key questions.
Blog Post
The use of biometric data in an employment context
The use of biometric data in an employment context is increasingly popular and seems to be becoming a "quick-fix" modern security or fraud prevention solution. The growing use of biometric data for personal purposes (e.g. to unlock smartphone functions) seems to have increased the perceived acceptance of its use. Data controllers should be aware, however, that processing biometric data may expose them to significant risks in the event of a data breach. This blog post illustrates this with recent examples from case law and provides practical recommendations for employers acting as data controllers.
Blog Post
This is Going to Hurt: Secret Diaries of the ICO (or, a Song of Enforcement and Fining)
In our latest blog post, Amy Lambert explores the enforcement powers of the Information Commissioner's Office ("ICO") under the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 ("DPA 18"). The ICO's new GDPR-level fining powers have had plenty of publicity, but what other tools does the ICO have at its disposal? We also consider what the ICO will need to consider while operating within the broader European framework; and what impact a hard Brexit would have on businesses operating in the UK and the EU. Plenty to unpack here, so dive on in.
Blog Post
Accountability - the enabler to evidencing your compliance under the GDPR Part 2

After providing a background to accountability and highlighting the latest work of the UK's Information Commissioner's Office in this area in Part 1, we turn our attention to some practical steps that you can take under the GDPR to engage with accountability. It is apparent that there is no one way to demonstrate your accountability. But in embracing accountability's proactive approach, there is no time like the present to (re)examine your organisation's position on accountability.
Blog Post
Accountability - the enabler to evidencing your compliance under the GDPR

Accountability, the one word that underpins and overarches the GDPR. Whilst the concept is not new to data protection, its importance is gathering pace. It is the subject of webinars and the topic of discussions at data protection conferences worldwide. Whilst 25 May 2018 was about getting ready for the GDPR, now it is a matter of being able to evidence how you do comply with the Regulation. The importance of accountability is highlighted today by the ICO's launch of a survey that asks for feedback on the proposed scope and structure of its accountability toolkit that controllers can use to develop their own accountability framework.
Blog Post
The impact of the GDPR on the risk and compliance function in law firms

Blog Post
The right to be forgotten and the EU Court of Justice: Round 2

In our previous blog post available here, we covered the long-awaited decision (Case C-507/17) from the Court of Justice of the European Union (the "Court") regarding the territorial scope of the European "right to be forgotten" in the context of search engines (also referred to as "de-indexing" or "de-referencing"). It is said that "the best things come in pairs" and the above decision from the Court is no exception. On the same day (24 September 2019), the Court issued another decision (Case C-136/17) which has not received much attention but is still important since it further clarifies the scope of the "right to be forgotten" and, in particular, the conditions under which individuals may obtain the de-referencing of a link from search results.