ICO fines South Staffordshire £963,900 after phishing-led breach exposed 633,887 people’s data
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a phishing-led cyber attack led to…
Articles
Practical guidance on UK GDPR, data protection, and privacy compliance. From ICO enforcement updates to implementation guides, we help you stay informed and compliant.
NHS data breach disciplinary disparity: why staff rarely face dismissal
NHS staff rarely face dismissal for data breaches. Analysis of the Southport and Nottingham record access scandals and what they…
California sues 23andMe: why genetic-data security failures become a board issue
California says 23andMe failed to protect genetic data and misled consumers after the 2023 breach. Here is why the lawsuit…
ICO secures over £118,000 in confiscation orders against former RAC employees — why employee access abuse still demands hard controls
On 4 June 2026, the Information Commissioner’s Office said it had secured £118,852.32 in confiscation orders against two former RAC…
Nottingham dismissed 11 staff. Liverpool reportedly dismissed none. What NHS leaders should learn
Two NHS record-access scandals now sit side by side in the public record. On 21 May 2026, Nottingham University Hospitals…
ICO AI code of practice: what UK organisations should do before the next strategy lands
On 29 May 2026, the Information Commissioner’s Office said its 2026/27 AI work will include an AI code of practice,…
CNIL fines IQVIA €5m over health data warehouse breaches
On 26 May 2026, the French data protection authority CNIL fined IQVIA Operations France €5 million over failures in two…
Disney CCPA settlement: why cross-device opt-outs must work account-wide
California’s 11 February 2026 settlement with Disney is one of the clearest CCPA warnings yet for teams that run the…
ICO secures £355,880.10 confiscation order against Rizwan Manjra — why insider misuse controls still matter
On 21 May 2026, the ICO said it had secured a £355,880.10 confiscation order against former motor-insurance worker Rizwan Manjra.…
Why a templated privacy policy is only half the job — writing vs. operationalising it
A templated privacy policy can look reassuring while hiding gaps in complaints handling, SAR workflow, consent records, and breach response.…
ICO fines Energy Prices Direct £160,000 for 700,000 unsolicited marketing calls
On 20 May 2026, the Information Commissioner’s Office said it had fined Energy Prices Direct Limited £160,000 after the company…
General Motors CCPA settlement: why data minimization is now an enforcement risk
California’s settlement with General Motors shows how CCPA data minimisation is now an enforcement risk. Here’s what the case says…
Why some UK news websites can now ask readers to accept cookies or pay
Why some UK publishers can now use consent-or-pay banners, what the ICO changed on 23 January 2025, and what managers…
Irish DPC fines Permanent TSB €277,500 over phone-based account takeover and late breach reporting
Irish DPC fined Permanent TSB €277,500 after phone-based impersonation attacks exposed weak contact-centre controls and late GDPR breach reporting.
UK Data Protection Complaints Procedure: What Organisations Need in Place Before 19 June 2026
From 19 June 2026, UK organisations must have a process for handling data protection complaints. This requirement needs a live…
Dutch AP fines Yango €100 million over Russia transfers — why boards should revisit GDPR transfer governance
The Dutch AP fined Yango operator MLU B.V. €100 million over personal data transfers to Russia. Here is the board-level…
ICO fines South Staffordshire PLC & South Staffordshire Water £963,900 after phishing-led breach exposed 633,887 people’s data
The ICO fined South Staffordshire £963,900 after a phishing-led cyber attack exposed 633,887 people’s data. What failed, and what managers…
UK Government Advances Facial Recognition Rollout — What This Means for Privacy Compliance
UK live facial recognition expansion raises data protection concerns. What managers should watch as police biometrics use widens in 2026.
Indiana Consumer Data Protection Act — What Managers Need to Know in 2026
Indiana Consumer Data Protection Act (INCDPA) is now in force from January 1, 2026. What managers must do now to…
EDPB Issues New Guidelines on AI Systems and Personal Data — Key Changes for EU Organisations
EDPB Opinion 28/2024 clarifies GDPR rules for AI models and personal data. What HR, leadership, and marketing teams must do…