Included in this edition of Data & Privacy News: ICO launches consultation on code of practice for age-appropriate design of online services; Study shows many businesses are unprepared for cyber breaches; Government updates data protection law guidance in the event of no-deal Brexit and more...

ICO launches consultation on code of practice for age-appropriate design of online services

The Information Commissioner's Office (ICO) has launched a consultation on a code of practice for online services to help protect children's privacy.

The draft code, introduced by the Data Protection Act 2018, sets out 16 standards of age appropriate design for online services like social media platforms and online games. The standards are not restricted to those specifically aimed at children, they must be adhered to when designing online services likely to be accessed by them. 

The consultation closes on the 31 May 2019, with the final version expected to come into effect by the end of the year.

Study shows many businesses are unprepared for cyber breaches

An independent survey of 300 operational IT decision-makers and 300 security IT decision-makers has shown that many UK and US businesses are lacking IT security and operations basics leaving them open to cyber-attacks. This is despite increased attention and investment in cyber security across all sectors.

The survey by endpoint management and security firm 1E revealed that 77% of respondents believed that their business were not extremely well prepared to react to a serious data breach, with 60% saying they had experienced a serious security breach in the previous two years.

The findings of the survey concluded with a 10-point action plan for businesses, which was compiled by Michael Daniel, a cyber security expert who was former special assistant to Barack Obama.

Government updates data protection law guidance in the event of no-deal Brexit

The UK government has updated its guidance on data protection law in the event of a no-deal Brexit.

The standards set in GDPR will be retained in UK law, with "appropriate changes" being made to the Data Protection Act and the GDPR by the EU Withdrawal Act. Details of these changes will be published over the coming weeks, but it is expected the vast majority will involve removing references to EU institutions and procedures.

Spanish Data Protection Agency issues guidance on GDPR notification thresholds

The Spanish Data Protection Agency, Agencia Española de Protección de Datos, has released a guide aimed at individuals who want or need to familirisise themselves with management and notification of security breach issues. 

The guide also contains the Spanish regulator's recommended process for assessment of the severity of a data breach, in order to comply with Articles 33 and 34 of the GDPR, notifying the Data Protection Authority of the breach and data subjects.

Facebook faces legal action from Canada and a new investigation in Ireland

The Office of the Privacy Commission of Canada has said is will be taking legal action against Facebook after it found "superficial and ineffective" privacy safeguards allowed third-party applications to access the personal information of Facebook users.

The privacy watchdog began a joint investigation with the Information and Privacy Commissioner of British Columbia in March 2018, following a complaint that Cambridge Analytica had accessed the personal information of millions of Facebook users without their consent.

The Irish Data Protection Commission has also said that it has launched s statutory enquiry into Facebook's compliance with GDPR, after Facebook informed the regulator that it had found millions of passwords stored in plain text on its internal servers.