Back in 2018, it’s fair to say that there was a degree of panic within many businesses, charities and other organisations as the GDPR became enforceable across the EU and EEA (which then included the UK). Among much else, this led to barrages of emails asking for consent, many of which should never have been sent. Fast forward to 2023 and there is still confusion, misinformation (and sometimes still panic) amongst businesses when it comes to the GDPR. There are also more specific challenges on the horizon: is the GDPR keeping up with AI and technology, and will the UK soon be abandoning the GDPR altogether?
The GDPR didn’t just come out of nowhere, so to find out how we got here, we need to rewind time to 2016, the 2000s, 1990s, 80s and even the 50s!
Let’s begin in 1953, when the European Convention on Human Rights (ECHR) came into force and became binding on the Council of Europe member states that had ratified it. Article 8 establishes the right to respect for private and family life, home and correspondence. It has been tested repeatedly in the courts over the decades since, and it formed the basis for constitutional articles and rights declarations far beyond Europe.
In 1981, Convention 108 of the Council of Europe was opened for signature. It was intended to give practical effect to Article 8 of the ECHR in the context of automated data processing, setting out basic, binding principles on the automatic processing of personal data. It is often considered the first major step towards modern data protection laws, and it remained the only internationally legally binding instrument on the protection and privacy of personal data for four decades!
Then in 1995, the Data Protection Directive was enacted by the EU. In the UK, this became the Data Protection Act 1998. This defined requirements for transparency, purpose limitation, proportionality, internal and international transfers, and the requirement for a supervisory authority (such as the UK’s Information Commissioner’s Office) among others. It was intended to ensure the free flow of data within the EU but prevent risky transfers to other countries, and to ensure that there was an avenue for individuals to challenge the use of their data, or at least get a copy of it.
In 2003, the 2002 ePrivacy Directive was implemented in UK law as the Privacy and Electronic Communications Regulations (PECR). This strengthened protections for electronic communications, particularly the security of communications networks and the use of data for marketing purposes. It set new requirements for consent to direct electronic marketing, including phone calls in many situations, and it requires that preference lists such as the Telephone Preference Service (TPS) are checked and honoured. And yes, it did bring about the requirement for cookie notices on websites: the cookie consent rule arrived with the 2009 amendment to the directive, transposed into PECR in 2011, still long before the GDPR! It also covers non-cookie tracking technologies such as tracking pixels or graphics in emails. PECR is often overlooked, so we’ve written a separate blog about it – well worth a read.
I appreciate that this is called 5 Years of GDPR and so far we’ve talked about everything except the GDPR. But bear with me. The GDPR was adopted in 2016, with a two-year transition period before it applied from 25 May 2018, and its key requirements were known about even in advance of that. So, when we say that in 2018 there was something of a state of panic on the topic, there had been two whole years to prepare at that point! The GDPR didn’t come out of nowhere. In those two years the GDPR was hailed as the biggest boon to individual rights to date, and at the same time condemned as the biggest threat to business. As with many things, the truth is somewhere between those two positions – but not necessarily always in the middle.
In the UK, the Data Protection Act 2018 was enacted alongside it. This brings together the GDPR, elements of PECR and other legal bits and bobs. It also has requirements of its own that flew under the radar for years, such as the need to have an Appropriate Policy Document (APD) when relying on certain Schedule 1 conditions, for example when processing employees’ special category data for employment law purposes.
Obviously the biggest GDPR headlines have been fines and compensation. While there have been dramatic headlines, with Meta’s total fines under the GDPR in the region of €4bn, fines have not been nearly as impactful as some of the worst fears (or, depending on your perspective, hopes) of 2018. In the UK, for instance, public sector organisations are now more likely to be given a reprimand than a fine.
As for compensation, awards have been far lower than many anticipated. For instance, in one jurisdiction, loss of control of data transferred to the US was valued at €100 per person, which tempers the threat of group litigation orders (AKA class actions) for the more humdrum failings.
Despite the GDPR routinely (and wrongly) being seen as an encumbrance, many of its requirements make sense for sound business and management reasons. For example, the requirement to maintain Records of Processing Activities (RoPA) under Article 30 gives you a ready-made map of what data you hold, where it flows and why, which can reduce the time business analysts need when scoping projects. Data Protection Impact Assessments (DPIAs) under Article 35 reduce time misspent on projects which are not appropriate, legally viable or necessary, because the problems surface at the design stage rather than after build.
This brings us to profiling and automated decision making, which could scarcely be a hotter topic in 2023. The rights in Article 22 apply not only to black box AI solutions but also to profiling based on a person’s characteristics. There’s a misconception that these are blocked by the GDPR. On the contrary, it is acknowledged that automated tools, and classifying people on common attributes, can, in the right circumstances, be immensely valuable. For instance, the insurance industry could scarcely function if it were genuinely blocked from profiling. What the GDPR does do is require that safeguards are in place, that the impacts are assessed and that risks are managed. This means conducting a DPIA, creating a plain language explanation of the logic involved and its likely consequences, and, where Article 22 applies, giving the individual the right to obtain human intervention, to express their point of view and to contest the decision. These rights also only normally apply where the decision is solely automated and has legal or similarly significant effects, such as access to employment, goods and services, pricing, and the like.
Controllers using these tools should account for inherent bias. For instance, if a CV analysis tool is trained on who was successful in the past, it may build in a gender bias that already exists in the workplace. Equally, it provides an opportunity to reduce human bias if this is addressed as part of the design and testing of the tool.
There are of course massive risks to people, to businesses and even to nations from AI tools, whether from a car safety system that can recognise a pedestrian and a cyclist but not someone wheeling a bicycle, a large language model that crams government consultations with AI-produced responses, or an AI logistics system exploited by cyber criminals.
It is for these reasons that new regulation is being developed (the EU’s proposed AI Act being the most prominent example), intended to bring a degree of accountability to developers and to set standards for safeguards and human oversight, while still facilitating the effective use of these powerful tools.
As a test, I took the liberty of asking ChatGPT to write a blog on five years of GDPR. Unfortunately, while the output was well written and had a veneer of plausibility, the accuracy was genuinely terrible. It stated that explicit consent is always necessary; in reality, consent is often highly inappropriate, as there is a contract or a service being provided. It would be a bit of a problem if the police required explicit consent to process the data of suspects! I suspect that this was derived from some terrible articles that were being reposted on the internet in 2018 and that led to businesses seeking consent they shouldn’t have been. It had other inaccuracies on cookies, the right of access and when to report data breaches, and it even wrongly said that data subjects have an absolute right to have their data deleted.
It’s also been highlighted that large language models like ChatGPT can result in data leakage. For example, developers using it to assist with coding and testing discovered that the code and data they pasted in could be retained by the provider and used to train future versions of the model, and so their proprietary code was potentially available to anyone who asked the model the right questions. Anything pasted into a public AI service should therefore be treated as a disclosure to a third party, with the same checks you would apply to any other processor or recipient.
Just in time to celebrate 5 years of GDPR, there’s news that the UK may be abandoning it, sort of. There is a new bill before Parliament, the Data Protection and Digital Information (No. 2) Bill, or the ‘DPDI’ to you and me. If enacted as currently written, this will mark the start of the UK’s divergence from the EU data protection landscape. The DPDI is lauded by some as a saving for business or as scrapping annoying cookie notices (spoiler: they’re only annoying if websites aren’t following the current rules) and feared by others as a significant blow to individual rights. It can be both at the same time. For example, there appears to be an erosion of the requirement to inform data subjects of the processing, which would make life easier for those businesses that handle the largest volumes of data. It is claimed that it will enable more research to take place. This is debatable, as in most cases significant research and statistical use of data is already possible; it’s just that data subjects may be able to object or opt out depending on the circumstances (e.g. the NHS National Data Opt-out). Perhaps the biggest risk in the Bill comes from reduced protections in relation to profiling and automated decision making.
If the UK were to kill the GDPR and adopt the DPDI, businesses that provide services in both the UK and the EU would need to support two separate data protection standards. If the resulting regime failed the EU’s tests for an adequacy decision, that also means more work maintaining Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) for EU-to-UK transfers, and possibly lost business, particularly in the health and education sectors. This extra work could easily outweigh any savings the DPDI is likely to bring.
Be it for complying with existing laws, assessing the impact of planned laws, or working out how to tread the line between ethics and business benefit, having the right guidance and support is key to every business. Your advisors should have the skills and experience in all aspects of data protection and the resources to assist. An independent adviser or DPO can often bring the advantage of wider industry knowledge, security resources and inter-industry experience while maintaining an understanding of your business, its challenges and its needs. Regulations always change as they react to technology and politics, and your business can’t afford to be left behind.
Richard is a seasoned senior GDPR and data protection consultant who uses his experience in GDPR compliance to write with passion and insight on GDPR and data protection. Heading up Bulletproof’s GDPR team, he makes sure that our services and individual data protection consultants are all at the top of their game.