Included in this issue of Data & Privacy News; Supplier contracts likely terminated over cyber security negligence; Equifax fined for data breach; AggregateIQ hit with first GDPR enforcement notice; and more.


Supplier contracts likely terminated over cyber security negligence 

Research by consultancy Opinium for business ISP provider Beaming reveals that 31% of businesses would terminate contracts with suppliers if their negligence led to the business being adversely affected by an incidence of cybercrime. Of the businesses surveyed only 3% said they would take no action. 

Suppliers risk their ability to win new business over the matter. The number of businesses saying they would not work with a supplier that they thought would make them more vulnerable to cybercrime was 35% and 27% said they would avoid using a company that had been publicly associated with a major cyber security breach.

The research highlighted that small businesses were particularly at risk of damaging their reputations. At the beginning of 2018 just 51% of firms employing between 10 and 49 people had a documented cyber security policy and 38% had insurance in place for breaches and data theft.

Give children the same protection online as they get offline, says information commissioner 

Elizabeth Denham, the Information Commissioner, has said that online products such as apps or websites should be regulated to keep children safe, in the same way they would be offline through consumer laws. The Information Commissioner suggested a symbol system of “traffic lights” for parents to distinguish whether content is age appropriate, similar to toys, books or films.

The time has come for more rules and more controls to protect individuals against some of the harms that are of deep public concern," she told a Lords committee.

Equifax fined for data breach 

The Information Commissioner’s Office has fined credit rating agency Equifax the maximum possible fine of £500,000 for a data breach.

Hackers stole 145 million individuals' personal details between May and July in 2017. The decision referred to the fact that the company was in breach of five of eight data protection rules under the 1998 Data Protection Act.

An Equifax UK spokesperson has confirmed that they have since implemented measures to prevent such an incident happening again.

AggregateIQ hit with first GDPR enforcement notice 

The Information Commissioner’s Office (ICO) have served Canada’s AggregateIQ (AIQ) with the country’s first GDPR enforcement notice.  According to the ICO, the company is in breach of Articles 5 and 6 of the GDPR. It has 30 days to comply with data regulations after which it could face a civil monetary penalty of up to €20 million (approx. £17.8 million) or four percent of global turnover.

AIQ was paid by the Vote Leave campaign to target ads at prospective voters during the Brexit referendum. It has since appealed the notice.

Key contacts

Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen

View profile
Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile