Monday, 19th of May 2025
A significant amount of personal data from those who applied for legal aid since 2010 has been stolen.
Information such as applicants' contact details and addresses, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments is very likely to be compromised.
The government took immediate action to bolster the security of the system, and informed all legal aid providers that some of their details, including financial information, may have been compromised.
---
Newcastle-based sole trader Darian Bishop was fined £50,000 by the ICO for making over 194,000 unlawful marketing calls to people on the UK's "do not call" register.
People reported the calls as “dishonest”, “threatening” and an “invasion of privacy.”
It is currently against the law to make marketing calls to people who have been registered on the Telephone Preference Service register (TPS) for more than 28 days, unless they have explicitly consented to receive the calls.
What can you do to prevent spam marketing calls?
• Register landlines and mobile numbers with the Telephone Preference Service (TPS).
• Report unsolicited marketing text messages to Mobile UK's Spam Reporting Service by forwarding the message to 7726.
• Complaints about nuisance calls, texts or emails can be made to the ICO directly.
---
Co-op was hit by the same ransomware hackers as M&S, resulting in data loss, empty shelves and compromised orders.
In an effort to deal with this attack, the Co-op IT department made the decision to take its computer services offline. According to the BBC, cyber experts like Jen Ellis from the Ransomware Task Force said the strategic response from Co-op was sensible.
---
Marks & Spencer has revealed that some personal customer data has been stolen in the recent cyber attack, which could include contact details and dates of birth.
M&S was hit by the cyber attack three weeks ago and is struggling to get services back to normal, with online orders still suspended.
---
In a letter from May 6th, the European Commission proposed to exempt certain organizations from GDPR's record-keeping requirements (ROPAs of Article 30) if they met all these criteria:
1️⃣ Fewer than 500 employees
2️⃣ No high-risk processing activities
3️⃣ Only processing special categories of data
The EDPB and EDPS have responded to the EU Commission via the letter below, raising legitimate questions about balancing data protection with organizational interests and advocating for a risk-based approach. For instance, a company that processes highly sensitive data, even if employing fewer than 500 people, is still operating with high-risk data and needs to make sure that all measures are in place to protect these sensitive records.
At ALLNET Law we would like to offer a practical perspective:
Even if you as a company qualify for this exemption, maintaining basic processing records remains a smart business decision.
Why?
When a regulator knocks on your door demanding details about your data processing practices on a tight deadline and you have no organised records, you will face:
• Company-wide disruption while scrambling to gather information
• Potential external consultancy costs
• Heightened compliance risk
• Rushed, possibly incomplete responses
The answer is clear: small, consistent investments in your privacy program cost significantly less than scrambling to address unexpected regulatory inquiries with potential enforcement consequences.
Don't view record-keeping just as a regulatory burden—it's also practical risk management that protects your business.