Welcome to November’s edition of our Data Protection monthly news roundup. Read on to find out what’s new in the world of data protection, as well as updates on all things iSTORM.

Projects 

October saw the continuation of several projects from the previous month, as well as a variety of new ones starting, including:

  • DSAR support, including consideration of the exemptions available under the Act and large-scale redaction.
  • RoPA review for a national housing association.
  • International policy reviews for a global business.
  • GDPR training pack voice-over provided to the client for internal training use.
  • GDPR committee meetings conducted and led for multiple clients.
  • Privacy notice information updated for a business processing in multiple US states.
  • AI policy review for a client.

If you would like any more information about the above services, or on anything covered in this month’s newsletter, or you have a query, please reach out to us anytime!

News

Capita Fine

London-based outsourcer Capita has been fined £14 million by the UK Information Commissioner’s Office for a major data protection failure linked to a 2023 cyberattack that exposed the personal data of more than 6.6 million people. The ICO found that Capita’s delayed response after a malicious file was detected allowed the attackers to extract sensitive information, including pension and criminal records. The fine was reduced from an initial £45 million in recognition of Capita’s cooperation and the improvements it has since implemented.

Source: PDP

 

SAR Failures

It is a legal obligation for certain financial firms in the UK to comply with the Bank of England’s Operational Resilience requirements. These rules are enforceable under the regulatory frameworks of the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) and are mandatory for businesses regulated by them.

The types of business this relates to include banks, building societies, insurers and investment firms.

 

Framework

A GDPR-compliant framework is essential for ensuring the lawful, fair, and transparent handling of personal data. The GDPR mandates strict obligations around data collection, processing, storage, and deletion, with penalties for non-compliance. A robust framework not only protects individuals’ privacy rights but also builds trust with customers, employees, and stakeholders. It demonstrates accountability and helps organisations avoid reputational damage, legal disputes, and financial penalties that can arise from data breaches or misuse.

A GDPR-compliant framework typically includes several key components:

  • Clear data governance policies, such as a Privacy Policy, Breach Policy, etc.
  • Identified lawful bases for processing personal data.
  • Mechanisms for obtaining and recording consent.
  • Procedures for handling data subject rights.
  • Robust security measures to protect data.

It also involves maintaining records of processing activities, conducting DPIAs where necessary, appointing a DPO if required, and ensuring third-party vendors meet compliance standards. Regular training, audits, and updates to policies are vital to maintain accountability.

It’s a legal requirement to document your processing activities (Article 30 UK GDPR). Taking stock of what information you have, where it is, and what you do with it makes it much easier to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle, and the ICO may require you to provide these records to them. Your processing won’t be lawful without a valid lawful basis, so you must identify and justify your choice appropriately for each processing activity.

Talk to us about what support we can provide!

 

Horizon Scan: Data Protection, Penetration testing & ISO27001

Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO27001.

Horizon Scan – Nov 2025

 

Meet the Team…

Our friendly team of passionate Data Protection Specialists are here to help your team navigate your data protection challenges, and are happy to support you with all your queries. 

We are really excited to welcome the newest member to our brilliant team of Data Protection Consultants! Kielee has a wide range of experience, working as a consultant for a high street building society for over 7 years and focusing on all aspects of account management.

 

More from iSTORM?

We can offer services including:

  • GDPR / Data Protection gap analysis and maturity reviews
  • Auditing
  • GDPR framework implementation support
  • Outsourced Data Protection Officer (DPO) services
  • Data Protection Impact Assessments (review and completion)
  • Data flow mapping
  • Supplier assurance frameworks
  • Policy and procedure writing
  • Training and awareness (online and face to face)

We hope you have enjoyed this month’s data protection news roundup. For more information on any of the above, please email us at info@istormsolutions.co.uk or call +44 (0) 1789 608708.
