Monthly Archives: March 2014

Data Security – Microsoft Office XP and 2003

On 8 April 2014, support for Microsoft’s Windows XP and Microsoft Office 2003 will come to an end.  Not the end of the world, you’d think, but if your organisation keeps personal information on those versions, this is a significant problem.

Though PCs will continue to run, the issue is that Microsoft will not be providing any further updates or fixes to these products. This means that in the event of any security flaw, your system will be vulnerable, and so in turn will any personal data you hold.

It is inevitable that, over time, attackers will increasingly find the vulnerabilities within these products, which will provide them with more and more opportunities to access and manipulate your systems.  To mitigate the risk of personal data breaches in these circumstances, the best advice is to migrate to a supported system before the deadline of 8th April.

It’s not just Microsoft where stopping system support is an issue – the same is true of other providers who stop supporting their systems.  So it’s well worth making sure that you and your organisation have ‘appropriate technical and organisational measures’ in place to keep individuals’ personal data safe.

Failure to do so puts you in breach of the Data Protection Act, and the ICO has the power to levy a fine of up to £500,000 on any organisation whose failure to comply with the DPA has led to serious issues of data security.

The size of fine varies enormously depending on the scale and potential damage caused by the breach.  For example, the ICO has recently fined the British Pregnancy Advice Service £200,000 after a hacker obtained thousands of individuals’ personal details due entirely to poor data security.  And, on a smaller scale, the owner of a loans company, Jala Transport, was fined by the ICO after his car was broken into.  The thief stole £3,600 and a hard drive. Even though the hard drive was password protected, the data within was not encrypted, and it included customers’ names, dates of birth, payments made, and the identity documents provided to support the loan application.  His fine could have been as high as £70,000, but was reduced to £5,000 to reflect the limited financial resources of the company and the fact that the breach was reported voluntarily.

In both cases, the breaches were perpetrated by a malicious third party.  But it was the businesses’ lack of security and protection of the personal data that was the root cause of the fines. This is why it is so important that companies remain ready for the security issues which will inevitably arise when their service providers switch off support – whether the provider is Microsoft or another.

Data Compliant helps businesses build policies and processes to enable them to become and remain secure and compliant both in terms of systems and governance – if you have any concerns over your data security, don’t hesitate to contact us on 01787 277742 or email tony@datacompliant.co.uk

Electronic Communications – ICO Updates March 2014

Last week, the Information Commissioner’s Office issued PECR guidelines with updates that are very much in line with the presentations they gave at the ICO conference on March 3rd. The changes impact marketing in two key areas:

Time Limits for Consent – the new guide states that there is “no fixed time limit” in relation to the validity of consent between consent being obtained and the first contact being made.

Essentially, the period between consent and first contact depends on two main areas:

  • the expectation of the customer
  • the context under which consent was obtained.

The new PECR guidelines reflect this interpretation, stating:  “consent … will remain valid as long as it is still reasonable to treat it as an ongoing indication of the person’s current wishes.”  At the conference, the ICO stated that, for example in the case of annual renewals, “it is reasonable that consent may be relied upon 12 months after consent was obtained”. However, during the same presentation the ICO categorically stated that they do not accept the concept of indefinite 3rd party consent.  This position is reflected in the new guidelines: “…even if consent is not withdrawn, it will become less reliable as time passes.”

Third party mailing lists – the use of a third party mailing list for emails, texts and automated telephone calls is a tricky area.  PECR requires that the customer has notified the data user that he or she consents specifically to the user’s message.  Indirect consent, of course, does not meet that requirement, as the consumer has not notified the data user – he or she has notified a third party.

Although it is best practice to send marketing texts or emails only where you have yourself obtained consent, the ICO has made it clear that use of third party mailing lists can be acceptable, as long as:

  • the third party has made absolutely clear and transparent the use to which the data is to be put.   “In essence the customer must have anticipated that their details would be passed to you and that they were consenting to messages from you.”
  • you as the data user are cautious and carry out due diligence, seeking evidence that consent covers your organisation and the medium through which you want to communicate – email, text and automated calls each require specific consent for that specific communication channel.

Within the ICO, there is a small team investigating PECR breaches and taking appropriate complaint-based actions, which range from civil monetary penalties and enforcement orders to criminal prosecution and publication of who has been prosecuted and why.

At the Conference, the ICO shared information on the number of PECR investigations which are under way or have been completed.

To date 296,000 concerns have been reported, as a result of which just 7 monetary penalty notices have been served.  In addition, there have been 11 formal undertakings, 19 enforcement notices and – as at 3 March – there were 79 investigations ongoing. 

The number of fines is low because, in order to levy a monetary fine, “substantial damage” must be caused by the breach – and the impact of a text message is not generally enough to tip businesses into the area of monetary penalties.

There is a proposal to lower the PECR threshold, and the expectation is that we can expect to see some sort of legislative change by the end of the year.

It is clear from the seriousness with which the ICO treats PECR breaches that the ICO, like the recently approved EU Data Protection regulations, is trying to put the individual back in control of their own data.  And, for those of us who believe that targeted ‘one-to-one’ marketing is the way to the future, surely making sure that a prospect really wants to receive your message is not such a bad thing?

If you have any concerns over the changes to PECR guidelines, or would like to discuss your business’s personal data compliance and security, please call us on 01787 277742, or email victoria@datacompliant.co.uk

EU Parliament votes in favour of Data Protection amendments …

EU Parliament DP regs vote

The European Parliament voted on March 12th to adopt the amendments put forward by the LIBE Committee.  An overwhelming 95% voted in favour (621 for, 10 against and 22 abstained).

What does that mean to UK businesses? 

Essentially the European Parliament has now given its backing both to the structure and fundamental principles of the European Commission’s data protection reform proposals – the General Data Protection Regulation and the Data Protection Directive.

However, to become law the proposed Regulation still has to be adopted by the EU Council of Ministers, who, on March 4th 2014, supported the principle that non-European companies who provide goods and services to European individuals will have to apply the EU data protection law in full.

The next meeting is scheduled for June 2014, and even though this falls after the European elections, yesterday’s vote means that Parliament has now made its decision, and its position will not change regardless of the results of the May elections.

Should these amendments ultimately become law, UK businesses will be affected by a number of issues, many of which have been raised in previous blogs.

BUSINESS ADVANTAGES

While there are undoubtedly restrictive disadvantages to businesses, there are also some advantages which will help establish a level playing field as well as saving time, money and legal costs.

A single law throughout Europe – A single law for data protection across Europe will replace the individual countries’ existing laws, making it easier for companies who will no longer have to work within 28 inconsistent and diverse laws.  According to Europa EU, this will benefit business to the tune of 2.3 billion euros per annum.

One-stop-shop – under current legislation, a business is subject to the national data protection authority in each and every country in which it operates.  The new one-stop-shop rule means that a business will only be subject to the national data protection authority in the country where its Head Office is based.

While this is of significant benefit to businesses, it does make it unwieldy for consumers to keep control of complaints they make against a company whose head office is in a different country.  The one-stop-shop rule means that such consumers will have to complain to their own national data protection authority, who will then pass the complaint to the authority in the relevant country for action under their jurisdiction.  This is quite different from current regulations, where the business is responsible to the data protection authority in the country in which it operates.

Same rules for everyone – Companies based outside Europe will have to apply the same rules as those within.  Currently European businesses work under much stricter rules than their counterparts elsewhere so this will level the playing field.  In addition, there will be an increased level of fines for breaches of the regulations. The ICO can currently levy fines of up to £500,000, but the new legislation proposes fines for businesses who break the data protection rules of up to £85,000,000 or 5% of annual worldwide turnover – whichever is the higher. This should certainly concentrate the minds of some of the data-using giants of industry.

BUSINESS DISADVANTAGES

However, there are significant disadvantages to businesses as the EU proposals seek to empower the data subject far more strongly than ever before:

Right to erasure  – originally this was the “right to be forgotten” – and it allows data subjects to demand that their data is erased by businesses. The latest version states that not only must the business erase the data, but it must also pass that request on to other businesses where the data is replicated. This amendment will cause severe difficulties for businesses such as social networks, cloud providers and search engines.  However, the right to erasure does not apply where there is a legitimate reason to keep data within a database.  And the right to erasure may not encroach on the freedom of expression and information of the media.

Consent – obtaining consent from the data subject will become significantly more difficult for businesses who collect and use personal data.  Currently consent may be “inferred” based both on consumers’ actions and their lack of action. Under the current legislation, if somebody buys a product online, and does not opt out; or if an individual does not “unsubscribe” from communication messages, then – depending on the circumstance – it can be “inferred” that the individual has given their consent to receipt of communications, services or offers.

However, the LIBE amendments require “explicit indication of the individual’s wishes” and “clear affirmative action”.  The implications are significant, as it is unlikely that current opt-out or unsubscribe mechanisms will meet the required level of consent. There will also be increased restrictions over relating the consent to the “Purpose” of collecting the data.  If the original Purpose no longer exists, then the company may not rely on that consent to process the customer’s personal data.

This is likely to have a significant impact on businesses – research from fast.map shows that just 30% of consumers today are likely to opt in, compared to 51% choosing not to opt out.  Clearly, over time, there will be changes to these statistics – consumers will become more aware as a result of businesses being forced to become more transparent about how they intend to use the personal data provided.  It is also noteworthy that, from the same research, currently 40% of people state they will provide information in return for something they perceive to be of value.  Some creative thinking is required to find real, tangible benefits to consumers in return for them providing their data.

Profiling – the use of profiling is widespread among UK businesses and direct marketers.  The EU regulations state that data subjects are required to be provided with a clear explanation of any profiling.  There is even provision to ban profiling entirely in those circumstances where profiling affects fundamental rights or causes potentially discriminatory results (based on race, religion, etc.).  The impact of this on financial services organisations or those who use credit checking is likely to be inconvenient at best.

Data Protection Officers – The LIBE amendment requires that a data controller or data processor must appoint a Data Protection Officer (DPO) for a minimum of four years when processing personal data in relation to more than 5,000 data subjects within any 12-month period. And even where an organisation processes under 5,000 individual records but those records include sensitive personal information such as children’s personal information, then they too must also appoint a DPO. Having said that, SMEs are exempt as long as data processing is not their core business activity.

Data Subject Compensation policy – Individuals who have suffered damage can claim compensation for breaches of the Regulation. This would mean that an individual woken up by an unsolicited telemarketing call could claim damages for being disturbed.

There is still a long way to go before the EU legislation is finalised, and in the meantime discussions will continue.  Many countries are clear that getting the legislation right is more important than hitting an arbitrary deadline so both the content and the timetable are subject to change.

Nonetheless it is well worth UK businesses preparing for changes to the data protection landscape.  Although the new legislation is not expected to be in place before 2016, and it may possibly lapse to early 2017, changes are definitely going to happen, and planning for compliance will need to begin now.

If you have any concerns over how the new EU legislation may affect your business, or would like advice on becoming and remaining compliant, please contact us on 01787 277742.