Business Centre Break-In and Data Protection

If your business experienced computer theft, would the data you hold be safe?

The recent break-in at Chichester Enterprise Centre is, sadly, one of many that happen daily across the UK. But this is more than an unfortunate inconvenience for the businesses based in the building. The implications can be astronomical. When computers are stolen, data is immediately put at risk. Following the new General Data Protection Regulation (GDPR) legislation that came into force in the UK in May 2018, businesses and organisations, big and small, have an obligation to keep data safe.

Your obligations under GDPR

The introduction of GDPR saw the most important change in data protection law in 20 years. With it came new obligations and duties which organisations of all sizes are required to follow to keep data safe. So, what do you need to do if your business’s computers get stolen? How safe is the data stored on them? Is your business covered by cyber insurance?

Unfortunately, a staggering 60% of small to medium-sized businesses who experience a cyber attack, and the data breach that follows it, are forced to liquidate within 6 months of being attacked!

The good news… this is preventable!

Would your business be covered if you suffered data theft?

If your business stores personal data such as names, email addresses, addresses, medical data or banking information, you need cyber liability insurance.

If your business relies on computers, communicates using electronic methods or has a website, you need cyber liability insurance.

If your business collects payments using a merchant card facility, you need cyber liability insurance.

Without this insurance, you could find your business facing both financial and reputational consequences.

A final word on GDPR and small businesses

GDPR legislation affects every business in some way. You might think your business is too small and is therefore immune to the new law, but you may be surprised. If your organisation has a website – and let’s face it, most do – you have legal obligations! You must display the correct legal documentation on your site for visitors to access and understand. Failure to do this could result in your business breaking the law, and ultimately receiving a fine or other punishment. It is far better to be prepared and to limit your liability in the first place.

Speedy action by Chichester Police force has resulted in the arrest of those responsible. Our thoughts are with those affected by the recent break-in at Chichester Enterprise Centre. If we can be of assistance in any way, please contact Owen Costen, Head of Compliance Services.



Do we need a Data Protection Officer?

In 2018 we saw one of the biggest updates to data protection law in years, the General Data Protection Regulation (GDPR). With it came new obligations and duties which organisations of all sizes must follow.

One prominent update was the introduction of a duty to appoint a Data Protection Officer (DPO) if a company fulfils certain criteria.

Who is legally required to appoint a DPO?

Under new data protection law, a company or business must appoint a DPO if:

  1. They are a public authority/body as defined within Section 7 of the Data Protection Act 2018;
  2. Their primary activities (those being, the processing of personal data needed to achieve the key objectives of the company) require large scale, regular and systematic monitoring of individuals (such as online behaviour tracking); or
  3. Their primary activities require large scale processing of special categories of data, or data relating to criminal offences and convictions.

What is ‘large scale’? Whilst the law doesn’t define exact figures, it states that a business must, when determining whether the processing is on a ‘large scale’, consider:

  • The number of data subjects concerned;
  • The volume of personal data which will be processed;
  • The geographical reach of the activity;
  • The duration of the activity; and
  • The range of different items of data being processed.

Even if a business does not fulfil these criteria and does not legally need to appoint a DPO, it must ensure it is sufficiently staffed and resourced, with the applicable knowledge on hand, to fulfil its obligations under GDPR and other relevant data protection law. Since a DPO can monitor a business’s compliance and provide advice and support in fulfilling compliance, it is best practice to appoint a DPO even if not legally required to.

If a business voluntarily decides to appoint a DPO, they must abide by the same standards as a business legally required to appoint a DPO. If a business decides not to appoint a DPO, this decision and the reasoning behind it should be documented to demonstrate compliance.

What is a DPO?

A DPO will assist the company to monitor internal compliance with data protection legislation and guidance, and most importantly to inform and advise on the company’s obligations. A DPO will also provide any data subjects (a person about whom the company holds personal information) with a point of contact for any requests or concerns.

Their role will include organising staff training, raising awareness within the company of data protection issues, conducting internal audits, reviewing data protection policies and cooperating with the supervisory bodies.

Who can be a DPO?

A business can appoint an existing employee to be their DPO, or they can appoint someone externally. They must, however, be completely independent, with sufficient expertise in data protection, and be provided with adequate resources.

A DPO must be appointed based upon their professional qualities, particularly their experience and expertise in data protection law. Whilst the exact credentials expected of a DPO are not laid out by GDPR, a DPO is expected to have proportional experience and expertise to the level of protection the personal data will require. For example, if the personal data and processing of it is particularly risky or complex, the DPO’s knowledge should be appropriately advanced.

A DPO can have other roles within a company or business too, but these must not pose a conflict of interest with the DPO’s primary tasks and responsibilities. As DPO, they must report to the highest management level at the company.

For small businesses or charities without the resources or knowledge in house to fulfil the requirements of a DPO, an external service is a useful solution to comply with GDPR. We provide an affordable service to enable all businesses and charities small to large with an expert and professional DPO. Read more here or get in touch for our packages and quotations.

Does a business have to follow the advice of their DPO?

A business does not have to always follow the advice of their DPO, however the decision and the reasons for making it must be documented to demonstrate accountability and compliance.

The DPO is not personally liable for data protection compliance; the company, as the controller or processor, remains liable to comply with relevant law.

Do the DPO’s details need to be published?

Data protection law requires a business to publish the contact details of their DPO and to provide them to the ICO. Details can be registered here.

Need more guidance?

Get in touch with our experts by contacting us at or , and we will be happy to help.

Cybercrime Services supports Effective Treatment Africa this World AIDS Day

36.9 million people are currently living with HIV around the world, including 1.8 million children. A quarter of these people are unaware of their status, meaning they are not accessing the essential treatment they need.

Since the epidemic began, 77.3 million people have contracted the virus, and 35.4 million people have subsequently died of AIDS-related illnesses, 940,000 of those deaths occurring in 2017.

South Africa has the highest population of people living with HIV, over 7.2 million people, including 280,000 children under 14 years old. Sadly, only 58% of those children are receiving life-sustaining treatment. There are a range of reasons why 42% of children living with HIV are not receiving the treatment they need. These reasons include HIV stigma, a lack of education, fear of getting tested, no access to treatment and many more.

This World AIDS Day, Cybercrime Services is supporting South African charity, Effective Treatment Africa. This December, the charity is raising funds for a school-based educational program aiming to reach 4000 children in 2019. The program involves speakers living with HIV visiting schools and addressing the facts about HIV/AIDS whilst telling their own personal stories to bring stigma to the forefront of the conversation. Children will gain the knowledge needed to make safer and informed decisions about their bodies and their futures, to seek medical advice and treatment and to pass that knowledge onto the wider community.

To support Effective Treatment Africa, Cybercrime Services will be donating 10% of its profits made in December this year to the latest program campaign, plus a £100 donation on World AIDS Day to kick off the fundraising.

We invite other businesses and individuals to support a charity on December 1st, and spread the word of this incredibly important day for the global epidemic.

If you would kindly like to join us in supporting this project, you can make a donation to the campaign at

Tell us what you are doing this World AIDS Day on Twitter, Facebook and LinkedIn.

What legal documents does a website need?

Every business with a website must ensure it has the correct legal documentation on that website for visitors to access and understand. Without these documents, a business may break the law, face fines or other punishment, or fail to limit its liability.

In a world where online scams are on the increase, having these documents adds credibility to a website and a business. Customers can become informed about how the business will keep their data safe, and trust in its transparency and customer service. This trust can earn the loyalty of customers and keep businesses ahead of the competition.

1. Privacy Policy

All businesses, charities or sole traders processing, using, storing or sharing personal data must provide the individuals to which that personal data relates with information about how that data is used. This has been a legal requirement under the Data Protection Act, and further requirements have now been layered on top by the new General Data Protection Regulation. These requirements can be sufficiently fulfilled by providing customers, clients, service users and other individuals with a Privacy Policy, also known as a Privacy Notice.

Providing privacy information is not only fulfilling a legal requirement, but it is also a fantastic opportunity for a business to demonstrate high standards, trustworthiness, honesty, transparency and good customer service; to build a strong relationship with individuals so that they will continue to use its services or purchase its products.

In order to succeed in achieving this, however, the Privacy Policy must be legally compliant, factually reliable, 100% bespoke to the business’s processes, in keeping with the style of the website and marketing tone of voice, written for its audience (especially if they are children, parents or elderly), clear, easy to understand and transparent.

2. Cookie Policy

The Privacy and Electronic Communications Regulation requires businesses to provide “clear and comprehensive” information about how particular cookies are used, whilst obtaining consent from the visitor to use them.

This information includes explaining the way the cookies are used and what they are used for in a way visitors can access easily and understand.

Whilst the law doesn’t specify exactly what information must be provided, many businesses and charities exhibiting best practice provide the name, category, purpose and lifetime of each cookie, so their customers can make informed decisions about whether to accept cookies when visiting their website.

3. Website terms of use

Also known as Terms and Conditions, these terms limit the business’s liability by setting out the legal rights and obligations of the business and the visitor. This document’s roles include explaining how visitors are expected to use the website, restricting the actions of visitors to protect the website and business, and limiting the liability of the business.

Get compliant

Here at Cybercrime Services we specialise in producing bespoke website legal documentation for businesses of all sizes. Just visit our legal services page for prices and further information.

10 Tips for Preventing a Cyber Attack on your business

1. Understand cyber criminals

Cyber criminals have a wealth of different ways they can access, steal or damage your assets. Knowing the different methods they use is key to understanding how to protect yourself. Examples of these methods include phishing emails loaded with malware, unauthorised access through devices and systems, and tricking staff into handing over information.

2. Train your staff

You’ve heard the saying ‘a chain is only as strong as its weakest link’. 80% of cyber attacks on businesses were preventable, mostly caused by a lack of staff training. Make sure every member of your staff has been trained, for example, to use systems correctly, to update their devices when instructed and to recognise cyber crime attempts.

3. Preserve your data

Make regular back-ups of your important data and conduct checks to ensure the back-ups can be restored should you need to recover corrupted or stolen data. Keep the back-up separate from the original systems and consider storing a copy in a cloud-based location. Should a hacker hold your vital data to ransom and demand payment for its recovery, you can refuse knowing you have it stored safely elsewhere.

4. Be smart whilst working remotely

If your staff ever work remotely, or may access company data, systems or accounts remotely, you should have a relevant policy in place. Key restrictions include never using public Wi-Fi networks, keeping portable devices updated, using complex passwords or fingerprint technology to access devices, and setting devices to be tracked if stolen or lost.

5. Prevent malware damage

Use antivirus software on all computers and laptops, as well as on portable devices where possible. Ensure you use only reputable and approved providers of this security. Updates are developed regularly for software and devices so that they continue to prevent new malware and viruses from breaching your firewalls. Apply those updates to all devices when prompted, and ensure your firewalls are switched on.

6. Restrict removable media devices

USB sticks, portable hard drives and SD cards can all carry dangerous viruses and software, which can quickly spread from one computer to all devices. Consider introducing a policy on the use of such removable media devices and restrict their use. Transfers of files can be safer through cloud platforms.

7. Don’t punish staff

A crucial step to protecting your assets in the event of a cyber attack is reporting it in time to act. Don’t punish staff if they are caught out by an attempt by a cyber criminal; doing so will discourage staff from reporting it in the future, which may lead to more damage than necessary. If you suspect a successful attack has occurred, immediately change all passwords and begin scanning for malware.

8. Avoid a phishing attack

Millions of phishing emails are sent every day and many can be very convincing. The obvious signs to look out for include poor grammar and spelling, poor quality graphics and logos, and unfamiliar sender email addresses. Even if you know the sender personally, check their email address is one you have safely communicated with them previously. If an email contains links, especially links to sign in to an account or provide personal information, avoid using them and go to the website independently. Never open an attachment if you are not sure the email is legitimate.

9. Protect your passwords

With the UK’s most common passwords including 123456, password and Qwerty, cyber criminals are quickly able to gain access to our accounts and devices with little effort. The recommended formula for a safe password is three random words, including numbers and symbols, for example L0ND0NAPPL@B3@CH. Do not enforce regular password changes; passwords only need to be updated in the event a successful attack is suspected.

10. Control access to data

It is unlikely that all staff need access to all drives and folders for all departments of your company. It is easier to keep data secure if staff only have access to the data they need, and if you have a record of who has permission to access which files. It is also vital that permissions are removed, accounts suspended and passwords changed once a staff member’s employment comes to an end.
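As an added example (not code from the original post or from Cybercrime Services), the following Python script turns tip 10 into a repeatable check: it reconciles a staff roster against the drive permissions actually granted, flags leavers and orphaned accounts for suspension, flags access beyond a department’s entitlement for removal, and produces the record of who may access which files. The department policy, usernames, drive names and dates are all constructed for illustration.

```python
# Added example (not code from the original post): reconcile the staff roster
# against the permissions actually granted, so that leavers are suspended and
# staff hold only the access their department needs.  All names, departments,
# drives and dates below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Staff:
    username: str
    department: str
    leaving_date: Optional[date] = None  # None means still employed


# Constructed policy: the drives each department legitimately needs.
DEPARTMENT_ACCESS: Dict[str, Set[str]] = {
    "finance": {"finance-drive", "shared-drive"},
    "sales": {"sales-drive", "shared-drive"},
    "hr": {"hr-drive", "shared-drive"},
}


def reconcile(roster: Iterable[Staff],
              access_list: Dict[str, Set[str]],
              today: date) -> Dict[str, object]:
    """Compare granted access with the roster and the department policy.

    Returns a dict with three findings:
      suspend - accounts that still have access but belong to nobody on the
                roster, or to someone whose leaving date has been reached
      remove  - for each remaining user, drives granted beyond their
                department's entitlement
      record  - the permissions each remaining user should hold, i.e. the
                'who has access to what' record the tip asks you to keep
    """
    # Staff still employed today (someone leaving today is already excluded).
    current = {
        s.username: s for s in roster
        if s.leaving_date is None or s.leaving_date > today
    }
    suspend: Set[str] = set()
    remove: Dict[str, Set[str]] = {}
    record: Dict[str, List[str]] = {}

    for username, granted in access_list.items():
        person = current.get(username)
        if person is None:
            suspend.add(username)  # leaver or orphaned account
            continue
        allowed = DEPARTMENT_ACCESS.get(person.department, set())
        excess = granted - allowed
        if excess:
            remove[username] = excess
        record[username] = sorted(granted & allowed)

    return {"suspend": suspend, "remove": remove, "record": record}


# Constructed sample data: a small roster and the access currently granted.
SAMPLE_ROSTER = [
    Staff("alice", "finance"),
    Staff("bob", "sales", leaving_date=date(2024, 3, 31)),  # has left
    Staff("carol", "hr"),
]
SAMPLE_ACCESS = {
    "alice": {"finance-drive", "shared-drive", "hr-drive"},  # hr-drive is excess
    "bob": {"sales-drive", "shared-drive"},                  # leaver still active
    "carol": {"hr-drive", "shared-drive"},
    "dave": {"finance-drive"},                               # nobody of that name
}
SAMPLE_TODAY = date(2024, 6, 1)


def run_example() -> Dict[str, object]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(SAMPLE_ROSTER, SAMPLE_ACCESS, SAMPLE_TODAY)


if __name__ == "__main__":
    findings = run_example()
    print("Suspend accounts:", sorted(findings["suspend"]))
    for user, drives in findings["remove"].items():
        print(f"Remove from {user}: {sorted(drives)}")
    print("Access record:", findings["record"])
```

In practice the roster would come from HR and the access list from the file server or directory, but the shape of the check stays the same: anything granted that the roster and policy do not justify is a finding, and the surviving entitlements are the permissions record.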



Know your data protection rights

The modern consumer is more easily lured away from sense and logic by the growing frenzy of “up to 70% off”, “free month for new customers”, and other lucrative and desirable siren calls of the internet.

An attractive price or offer can often detach us from the otherwise conscious protection of the data we are handing over about ourselves. Name, email address, phone number, home address and payment information are all details we trade almost on a daily basis in exchange for a product or service. To the receiver of the data, however, it is worth much more than a ‘one-off’ sale. It can be used to market to you in a relentless attempt to entice further funds from your grasp, traded with other companies or sold to the highest bidder. Many companies will guard your data with good intentions; others may favour cost-cutting over your protection, making them the perfect victims for hackers and fraudsters.

Ever had a fraudulent phone call purporting to ‘fix your computer virus’? Ever been bombarded with marketing materials by phone, text, post, email – maybe even from a company you have never contacted before but provide related services to those companies you have bought from? Or is your email inbox rife with illegitimate invoices, account alerts or refunds?

Our complacency about handing over our personal information without doing basic research into who we are handing it over to is increasing with every frivolous purchase or subscription.
But have no fear, help is at hand to translate that jargon-filled legislation into rights you can understand and protect. I head up the Legal Department at CyberCrime Services, where we aim to spread knowledge so you are armed to defend yourself against wrongdoing. When your data is held on a computer, on paper, or made up of photos, video or voice recordings, you have extensive rights. These rights increased on 25 May 2018 when the General Data Protection Regulation (GDPR) was enacted into law in the UK.

1. Right to be informed

When your personal data is collected, the party collecting it should inform you about how and why the data is to be collected and used. This information should be easy for you to understand, concise, transparent, intelligible and easily accessible. If your personal data is being collected directly by the party using it, they should provide you with this information at the time of collection. If, however, a third party collects the data (for example, Eventbrite collect your data for the organisers of the event when you sign up), then you should be given this information when the party using your data first contacts you.

2. Right to access your personal information

You can request access to all the personal data a company holds which relates to you, including recorded opinions, unless there is an overriding interest not to grant access, such as an ongoing investigation. You are entitled to know the reasons your data is being processed (‘processed’ means stored and used) and whether it will be shared with other companies. This request must be made in writing, and can incur a small fee (usually £10) until the GDPR comes into force, which requires requests to be free. The company must respond within 40 days; however, GDPR will reduce this to 1 month.

3. Right to object to your data being processed if likely to cause distress

You have the right to request the company stop or prevent processing your data if it causes unwarranted and substantial damage or distress. You have to explain why it has that effect and there are some exceptions. You do not have this right if you consented to the processing, if the processing is essential for the fulfilment of a contract you entered into or want to enter into, if the processing is necessary because of a legal obligation or to protect your ‘vital interests’.

4. Right to prevent processing for direct marketing

You can at any time ask a company in writing to stop or never use your personal data for direct marketing. Direct marketing is marketing directed at you personally by phone, email, post or text, rather than generic junk mail which is not addressed to a particular person. The company must stop direct marketing within a reasonable time of receiving your request, this is deemed around 28 days for electronic communications and 2 months for postal.

5. Right to object to automated decision making

I know what you’re thinking: what on earth is this? An example is if you apply for a loan through a website which uses algorithms and automatic credit searches to give you an immediate automated decision. You can give written notice to stop or prevent a company making automated decisions with your personal data, or ask them to reconsider a decision made by automated means. You have 21 days to request that an automated decision be reconsidered or a new decision made on a different basis. You also have a right to be informed when a decision made is automated. Some automated decisions are exempt from this right. The exemptions include automated decisions required or authorised by legislation, decisions made in preparation for a contract with the individual concerned and intended to give the individual something they have asked for, and decisions where steps have been taken to protect the interests of the individual by, for example, putting an appeal process in place.

6. Right to have inaccurate personal data rectified, blocked, erased or destroyed

If a company has your personal information incorrect, you have a right to get it rectified, blocked, erased or destroyed. If this cannot be resolved between you and the company, you can make these requests to the court. If the incorrect information caused you damage, you are entitled to compensation. This does not apply however, if you or another organisation provided the incorrect information and it was recorded accurately.

7. Right to claim compensation for breach of the Data Protection Act

If you have suffered damage as a result of a company breaching the Data Protection Act, you are entitled to claim compensation through the court. There are no guidelines suggesting the amount of compensation that can be awarded; however, if an amount cannot be agreed between you and the company, the court will decide the amount.

8. Right to be forgotten

Also known as Data Erasure, this right does not provide an absolute right to be forgotten. It applies to data which is no longer needed for the purposes for which it was originally collected; data for which you have withdrawn consent or have objected to processing (if there is no overriding legitimate interest for the company to continue processing the data); data which was unlawfully processed; and data which must be erased to comply with a legal obligation. Finally, it applies to personal data processed in relation to the offer of information society services to a child.

9. Right to data portability

The right to data portability will give you the right to use the data one company holds about you for your own uses or across multiple services. This right allows data to be transferred from one IT environment safely and securely to another. It only applies to personal data which an individual has provided, where the processing is based on the individual’s consent or for the performance of a contract, and when the processing is conducted by automated means. This information must be provided to you for free, in a commonly used and machine readable form, and within one month of your request.

So there you have it! But don’t forget, there are fraudsters out there who don’t play by the rules! Make sure to know the warning signs of fake companies and fraudulent communications. Follow CyberCrime Services on Facebook and Twitter for regular updates on trending scams, and stay one step ahead of the criminals. For more information about your rights, or for our legal services, get in touch at