Unlawful Robo-Calls: ICO Fines Energy Firms Over Automated Marketing Breach The Information Commissioner’s Office (ICO) has cracked down on two energy firms, fining them a combined £550,000 for making unlawful automated marketing calls (robo-calls). The firms used voice-avatar software to make millions of calls that misled recipients into believing they were speaking with local UK…
-
-
Cookie Compliance Revolution: How DUAA 2025 Changes Everything Jenny runs a small bakery in Manchester. When GDPR first came into force, she panicked and copied a cookie banner from a template website. Two years later, she discovered that her innocent-looking banner was breaking the law in several ways. Her family bakery website had unknowingly drifted…
-
Bristol City Council Faces Enforcement over SAR Failures The Information Commissioner’s Office (ICO) has issued a formal enforcement notice to Bristol City Council after uncovering serious, ongoing failures in how the Council manages Subject Access Requests (SARs). This action follows years of complaints and evidence of systemic delays. The message from the ICO is clear:…
-
AI Minister: How Albania Is Using Artificial Intelligence to Fight Corruption Albania has made global headlines by appointing the first ever AI Minister, a digital cabinet member named Diella. Her job? Oversee public procurement and cut out corruption. Prime Minister Edi Rama says Diella will speed up public tenders, make them fully transparent and ensure they…
-
GDPR Radio: CCTV, Facial Recognition and Pseudonymised Data This GDPR Radio looks at CCTV in the workplace, police use of facial recognition, AI posture tracking as a lower risk alternative to biometrics, and the CJEU reminder that pseudonymised data is not always personal data. We also touch on opinions in SARs, cookie enforcement, and insider…
-
Strong Authentication in a Phishing-Driven World: What Really Works Phishing is still one of the toughest challenges in cybersecurity, not because of technical flaws, but because it exploits people. Attackers trick users into giving up credentials and bypassing security controls. Even with multi-factor authentication (MFA) in place, we have seen attackers find workarounds, from real-time…
-
NHS DSPT Toolkit v8 Released: What This Means for Your Data Protection Standards The NHS has published version 8 of the Data Security and Protection Toolkit (DSPT) for 2025-26. The new version introduces updated Outcomes, Assertions and Evidence items across sectors like GPs, hospitals, opticians, social care and universities. Organisations must meet the new standards…
-
Employee Monitoring UK GDPR: Bossware, Privacy and Compliance More UK companies are using surveillance software (often called “bossware”) to monitor employees’ emails, web browsing, screen time and even keystrokes. A recent survey found that approximately one third of UK firms now use such technologies. While employers argue this helps protect against insider threats and maintain…
-
The ICO’s New Focus: Training and Evidence for Compliance Every organisation handling personal data today should ask itself: are our data protection practices truly up to the ICO’s current standards, or are we merely ticking boxes? The ICO has made it clear that policies alone do not equal compliance. Staff training, role-specific awareness, and regular…
-
EDPS v SRB and Pseudonymisation: What It Means for Subject Access Requests The recent judgment in EDPS v SRB (Case C-413/23 P, EU:C:2025:645) changes how we think about personal data. The court confirmed that opinions and views are personal data when they relate to an individual. It also ruled that pseudonymisation does not always take…
Join our community
Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.