< ciso
brief />
Tag Banner

All news with #gdpr tag

61 articles

Google Cloud cleared for Dutch public sector use

🔒 Google Cloud announced completion of a Dutch data protection impact assessment (DPIA) by SLM Rijk, confirming there are no known high data protection risks when recommended measures are applied. The outcome enables the Dutch central public sector to adopt Google Cloud from a privacy-assessment perspective and builds on earlier DPIA work for Google Workspace. Google emphasizes continued investment in privacy-enhancing technologies and support resources for customers.
read more →

CMC analysis of Canvas incident impacts education

🔍 The UK Cyber Monitoring Centre (CMC) has published its review of the Canvas incident affecting Instructure’s Learning Management System, finding ~160 UK higher education institutions impacted and around 9,000 worldwide. The analysis highlights that financial losses arose mainly from response, recovery and risk management rather than prolonged outage. The CMC reinforced best-practice recommendations for the sector, including MFA enforcement, separation of application and data layers, careful third‑party control and clearer vendor communication.
read more →

Ten years of the GDPR: mixed outcomes and lessons

📄 Ten years after the GDPR came into force, data protection is far more established across Europe and beyond, raising consumer awareness and making privacy a competitive factor for businesses. Record fines against major tech firms underline enforcement seriousness, even as many penalties remain disputed. Companies increasingly view the regulation as burdensome and legally uncertain, complicating innovation, notably in AI development.
read more →

Google to use IPs for ad personalization in EEA, UK

🔒 Google has notified advertisers it will begin using IP addresses to identify devices for ad measurement and personalization across the EEA, UK and Switzerland on or shortly after August 3, 2026. The change repurposes IPs — already transmitted to route traffic and deliver ads — for purposes that trigger consent requirements under UK and EU law. Google will register for IAB Europe TCF Feature 3 and says it will rely on privacy-enhancing technologies while offering later user choices on its properties. Advertisers remain responsible for obtaining valid consent under Google’s EU User Consent Policy.
read more →

GDPR’s legacy and the coming AI regulatory battles

📰 Over eight years GDPR set global data-protection norms, notably the 72-hour breach notification standard, but nearly 40% of announced EU fines by value are annulled or under appeal. Experts say large tech firms contesting fines isn’t surprising and that rulings provide practical guidance for compliance teams. As the EU’s AI Act and proposed GDPR reforms arrive, regulators must shore up procedural robustness while organisations adapt governance to evolving AI risks.
read more →

Most CISOs Would Consider Paying Ransoms to Recover

🔒 A new report from Absolute Security finds that 58% of CISOs would realistically consider paying a ransom to restore systems after a ransomware attack. US respondents were likelier to consider payment (63%) than UK peers (47%), with legal guidance, GDPR and doubts over recovery cited as reasons. Operational downtime was viewed as the most damaging impact. The report warns organizations to invest in resilience, infrastructure and governance to reduce reliance on ransom payments.
read more →

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

⚖️ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.
read more →

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.
read more →

Amazon Quick launches in AWS Frankfurt (eu-central-1)

🇩🇪 Amazon Quick is now available in the AWS Europe (Frankfurt) region (eu-central-1). This launch lets customers in Germany use Amazon Quick capabilities—AI-powered chat, Research, Spaces, Flows, and QuickSight dashboards—with data stored and processed locally within the Frankfurt region. The expansion includes in-region inference via EU-CRIS, ensuring inference traffic stays inside European AWS Regions. Regulated industries such as financial services, healthcare, and the public sector can meet GDPR and local data sovereignty requirements.
read more →

Police Scotland fined £66,000 for sharing phone data

⚖️ Police Scotland was fined £66,000 and reprimanded after an Information Commissioner’s Office (ICO) investigation found the force extracted and then mistakenly shared the full contents of a female detective’s phone with the officer she accused of rape. The disclosed material reportedly included intimate photos, medical records and contact details. The ICO said the force failed to limit data sharing, implement appropriate organisational and technical measures, and notify the regulator within the required 72‑hour timeframe.
read more →

EU Adviser: Banks Must Immediately Refund Phishing Victims

⚖️ Advocate General Athanasios Rantos advised that, under PSD2, banks must immediately refund customers for unauthorised transactions resulting from phishing unless the bank has reasonable grounds to suspect the customer committed fraud and communicates those grounds in writing to the competent national authority. Banks may later seek reimbursement if they can prove the customer acted intentionally or with gross negligence. This opinion is advisory, not a final CJEU ruling.
read more →

GCHQ Seeks CISO for Under 130,000 GBP Amid Skills Shortage

🔐 A recent job posting from GCHQ for a Chief Information Security Officer has drawn industry attention for offering a maximum salary of £130,000 (roughly €150k–€155k) despite demanding executive-level responsibilities. The role requires deep expertise in securing cloud environments, emerging technologies and compliance with frameworks such as NIST, ISO 27001, GDPR and GovS 007. Desired certifications include CISSP, CISM or CCISO. Observers note the posting highlights the gap between public sector compensation and market rates amid a global cybersecurity skills shortage.
read more →

Samsung to Stop Collecting Texans' TV Viewing Data by Consent

🔒 Samsung and the State of Texas have settled a dispute over allegations that its smart TVs used Automated Content Recognition (ACR) to collect viewing data without users' express consent. Under the agreement, Samsung must halt collection or processing of ACR viewing data from Texas consumers unless they give clear, affirmative consent, and it will update TVs with clearer privacy disclosures and consent screens. Texas AG Ken Paxton said the settlement compels clear, conspicuous notices; Samsung maintains it did not spy on consumers but agreed to strengthen privacy notices.
read more →

GCHQ CISO Role Offers Surprisingly Low Salary for Nation

⚠️ A recent GCHQ job advertisement seeks a chief information security officer described as one of the most influential cyber security leadership roles in the UK, yet it offers a maximum salary of £130,000 (about $175,000). The role asks for expertise securing cloud environments and emerging technologies, and knowledge of frameworks such as NIST, ISO 27001, GDPR and GovS 007. Professional certifications like CISSP, CISM or CCISO are flagged as highly desirable. The compensation and absence of industry-style incentives have prompted criticism amid a global shortage of security talent.
read more →

Olympique Marseille Confirms Cyberattack After Data Leak

⚠️ Olympique de Marseille says it was the target of an attempted cyberattack after a threat actor claimed to have breached some servers and leaked a sample of allegedly stolen information. The actor claims the database includes details on about 400,000 individuals and more than 2,050 Drupal CMS accounts, including staff, contributors, and moderators. The club reports its technical teams and specialized providers quickly contained the situation, that operations continue normally, and that no banking details or passwords have been compromised; it has reported the incident to the CNIL and filed a complaint.
read more →

UK Data Watchdog Reorganises to Board-Led Agency Structure

🔒 A forthcoming overhaul to the UK GDPR will convert the Information Commissioner's Office from a single-commissioner model into a board-run government agency, with Paul Arnold appointed as the first CEO of the new structure. The changes, to be enacted through the Data (Use and Access) Act 2025, aim to improve continuity, broaden expertise and manage a growing workload. The reform also grants the ICO new investigatory and compulsory powers and expands duties affecting businesses, while Data Essentials training will be scaled up.
read more →

ICO fines Reddit £14.47m over inadequate age checks

🔒 The UK Information Commissioner's Office (ICO) has fined Reddit £14.47m for failing to implement robust age verification and for not conducting a required DPIA before January 2025. The regulator found that children under 13 had personal data processed without a lawful basis and were potentially exposed to inappropriate content. Reddit maintains it avoids collecting identity data to protect privacy, while experts warn heavy-handed identity checks could introduce new privacy and security risks.
read more →

UK fines Reddit £14.47M for unlawfully using children's data

🔒 The UK Information Commissioner's Office has fined Reddit £14.47 million for collecting and processing the personal information of children under 13 without adequate safeguards. The ICO found Reddit lacked a meaningful age-verification system until July 2025 and judged the measures introduced then could be easily bypassed. Reddit said it will appeal and disputes the regulator's assessment.
read more →

Ireland launches GDPR probe into X's Grok for sexual images

🔎 Ireland's Data Protection Commission has opened a formal probe into X over the use of its Grok AI to generate non‑consensual sexual images of real people, including children. The inquiry will assess whether X Internet Unlimited Company complied with core GDPR duties such as lawful processing, data protection by design, and required impact assessments. The DPC said it has been engaging with XIUC since media reports emerged and has commenced a large‑scale inquiry. As X's EU lead regulator, the DPC's findings could trigger cross‑border enforcement and significant penalties.
read more →

Eurail Data Breach: Stolen Traveler Records Sold on Dark Web

🔒 Eurail B.V. confirmed that customer data stolen in a breach earlier this year is now being offered for sale on the dark web, and a sample dataset was published on Telegram. The company says it is still determining which specific records and how many customers are affected, but reported compromised fields may include full names, passport and ID numbers, IBANs, health details, and contact information. GDPR-required notifications have been filed and non-EU authorities will be informed. Customers are urged to change reused passwords, monitor bank accounts closely, and contact privacyhelp@eurail.com for support and FAQs.
read more →