When can UK marketers use the soft opt-in?
Unsolicited email and SMS to individual subscribers normally needs consent under PECR electronic mail marketing rules. The soft opt-in is…
Articles
Practical guidance on UK GDPR, data protection, and privacy compliance. From ICO enforcement updates to implementation guides, we help you stay informed and compliant.
GDPR & Slack: How to stay compliant with GDPR
Slack is where your team talks. It is not where your GDPR programme lives. Under the UK GDPR Article 28,…
Can I Request a Copy of All My Employment Data from My Employer Under GDPR?
The General Data Protection Regulation (GDPR) gives you the explicit right to request and receive a copy of all personal…
Garante fines Emirates €180,000 over assisted-travel health data
Italy's Garante fined Emirates €180,000 over MEDIF health-data transparency and retention. Practical lessons for accessibility and assisted-travel data.
London Clinic ICO caution: what staff medical-record misuse teaches employers
The ICO has issued a formal caution to a former healthcare professional after concluding a criminal investigation linked to medical…
Irish DPC fines HSE €300,000 after Tullamore ransomware breach
The Irish Data Protection Commission has fined the Health Service Executive €300,000 after a ransomware attack on the laboratory information…
Is Employee Data Subject to GDPR? How must it be protected?
Yes. Employee data is personal data, so GDPR applies whenever an employer collects, stores, shares, searches, or deletes it. The…
When Do You Need to Conduct a GDPR Risk Assessment/DPIA?
In practice, people often say “GDPR risk assessment”, but the legal test under the UK GDPR is whether you need…
ICO fines South Staffordshire £963,900 after phishing-led breach exposed 633,887 people’s data
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a phishing-led cyber attack led to…
NHS data breach disciplinary disparity: why staff rarely face dismissal
NHS staff rarely face dismissal for data breaches. Analysis of the Southport and Nottingham record access scandals and what they…
California sues 23andMe: why genetic-data security failures become a board issue
California says 23andMe failed to protect genetic data and misled consumers after the 2023 breach. Here is why the lawsuit…
ICO secures over £118,000 in confiscation orders against former RAC employees — why employee access abuse still demands hard controls
On 4 June 2026, the Information Commissioner’s Office said it had secured £118,852.32 in confiscation orders against two former RAC…
Nottingham dismissed 11 staff. Liverpool reportedly dismissed none. What NHS leaders should learn
Two NHS record-access scandals now sit side by side in the public record. On 21 May 2026, Nottingham University Hospitals…
ICO AI code of practice: what UK organisations should do before the next strategy lands
On 29 May 2026, the Information Commissioner’s Office said its 2026/27 AI work will include an AI code of practice,…
CNIL fines IQVIA €5m over health data warehouse breaches
On 26 May 2026, the French data protection authority CNIL fined IQVIA Operations France €5 million over failures in two…
Disney CCPA settlement: why cross-device opt-outs must work account-wide
California’s 11 February 2026 settlement with Disney is one of the clearest CCPA warnings yet for teams that run the…
ICO secures £355,880.10 confiscation order against Rizwan Manjra — why insider misuse controls still matter
On 21 May 2026, the ICO said it had secured a £355,880.10 confiscation order against former motor-insurance worker Rizwan Manjra.…
Why a templated privacy policy is only half the job — writing vs. operationalising it
A templated privacy policy can look reassuring while hiding gaps in complaints handling, SAR workflow, consent records, and breach response.…
ICO fines Energy Prices Direct £160,000 for 700,000 unsolicited marketing calls
On 20 May 2026, the Information Commissioner’s Office said it had fined Energy Prices Direct Limited £160,000 after the company…
General Motors CCPA settlement: why data minimization is now an enforcement risk
California’s settlement with General Motors shows how CCPA data minimisation is now an enforcement risk. Here’s what the case says…