Meltdown and Spectre – what should organisations be doing to protect people’s personal data?

By Nigel Houlden, Head of Technology Policy


This week Google’s Project Zero team published details of serious security flaws, Meltdown and Spectre, which affect almost every modern computer, and could allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM. The full technical details of these vulnerabilities can be found in this blog post, and papers have been published under the names Meltdown and Spectre that give further details.

In essence, the vulnerabilities provide ways that an attacker could extract information from privileged memory locations that should be inaccessible and secure. The potential attacks are only limited by what is being stored in the privileged memory locations – depending on the specific circumstances an attacker could gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser. One variant of the attacks could allow for an administrative user in a guest virtual machine to read the host server’s kernel memory. This could include the memory assigned to other guest virtual machines.


GDPR is not Y2K

By Information Commissioner Elizabeth Denham.

I’ve been pleased to hear from many of you that the eight GDPR myth busting blogs we’ve run this year have been helpful in your preparations for the new legislation.

There are still some myths out there though and, as we approach Christmas and New Year, there’s one in particular I wanted to bust:

Myth #9: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug

I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.

Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.

However some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.


ICO seeks comment on draft Children and GDPR guidance

By Elizabeth Denham, Information Commissioner.

Children today are truly digital natives. With that in mind, we need to ensure that they have the tools to be contributing digital citizens. This means that the protection of children’s personal data is fundamentally important.

That is why the General Data Protection Regulation (GDPR) will introduce new, specific legal responsibilities for organisations processing children’s data from 25 May 2018.

I am pleased that the special case of children’s privacy rights is part of the wider conversation about the UK’s digital future. Protecting children online is the shared responsibility of lawmakers, companies, platforms, parents and regulators and we need to get this right.


Update on ICO investigation into data analytics for political purposes

By Elizabeth Denham, Information Commissioner.

In May I announced a formal investigation into the use of data analytics for political purposes. We’re looking at how personal information was analysed to target people as part of political campaigning and have been particularly focused on the EU Referendum campaign.

We are concerned about invisible processing – the ‘behind the scenes’ algorithms, analysis, data matching and profiling that involve people’s personal information. When the purpose for using these techniques is related to the democratic process, the case for a high standard of transparency is very strong.

The 12 ways that Christmas shoppers can keep children and data safe when buying smart toys and devices

This article was amended on 24 November 2017 to add additional material.

By Steve Wood, Deputy Commissioner (Policy).

In an increasingly digital world, more and more toys and devices aimed at children now have internet-connected technology. As the Christmas shopping season begins, many parents will be considering buying them for their children.

The ICO supports innovation and creative uses of personal data, but this cannot be at the expense of people’s privacy and legal rights, whatever their age. Concerns have been raised in recent months, not only in the UK but in Europe and the USA, that the growth in toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk.

There have also been data protection concerns relating to some products over what data is collected, by whom, where it is stored and how it is secured.

The Information Commissioner’s Office (ICO) wants parents, guardians and others to consider data protection and privacy issues in the same way they would check on the safety of presents they are planning to give to their children.


Changes to Binding Corporate Rules applications to the ICO

By James Dipple-Johnstone, ICO Deputy Commissioner – Operations.

The Information Commissioner’s Office is widely recognised as a leader in Binding Corporate Rules (BCR) authorisations. Around 25 per cent of the BCRs approved across Europe so far have been authorised by the ICO.*

The ICO is also one of the largest regulatory offices in Europe, which means it has the capacity to deal with authorisations at scale; at present we are working on around 40 BCR applications at various stages of the process.

BCRs are one of the ways organisations can comply with data protection rules about ensuring adequate safeguards when personal data is sent outside the European Economic Area (EEA).


Personal data must be safe from prying eyes

By Mike Shaw, Enforcement Group Manager.

Just because you can, doesn’t mean you should.

Most people are familiar with this phrase, but what is its relevance in the world of data protection?

Put simply, just because your job may give you access to other people’s personal information, that doesn’t mean you have the legal right to look at it, let alone share it. In fact, doing so without a valid reason or the knowledge of your employer is a criminal offence and could lead to prosecution by the Information Commissioner’s Office and a day in court.


When political market research crosses the line (also published in Welsh)

By Steve Eckersley, Head of Enforcement.

The ICO has concluded its investigation into a Conservative Party telephone campaign carried out in the run up to the 2017 general election.

An undercover Channel 4 News investigation raised concerns about the campaign, which involved calls made by Blue Telecoms, a firm in Neath, South Wales, on behalf of the Conservative Party.

European guidance published – profiling and breach reporting

By Jo Pedder, Head of Policy and Engagement.

The Article 29 Working Party – the group of EU data protection authorities charged with agreeing European-wide guidance on GDPR – has published guidelines on profiling and breach reporting. Guidelines on administrative fines, which were adopted earlier this month, will be published soon too.

Consistency across the EU is one of the fundamental drivers of the GDPR and, as the UK member of Article 29 (WP29), we’re either leading or assisting in the development of guidance on some of the main aspects of the law.

ICO fee and registration changes next year

By Paul Arnold, Deputy Chief Executive.

As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.

Under the current Data Protection Act (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.