Reassuringly dull cyber security

no drama.

Reassuringly dull news about cyber security and data protection

Advisory Note

National Data Strategy: Blueprint for a new UK data protection regime?


Recently the government published an updated National Data Strategy. Described by the Digital Secretary as a central part of the government’s wider ambition for a thriving, fast-growing digital sector in the U.K., underpinned by public trust, its professed aim is to “drive the collective vision that will support the UK to build a world-leading data economy”.

Find out what this means for your business with our easy to follow Advisory Notes.


Luxottica suffers cyber attack disrupting operations

Luxottica, the Italian eyewear conglomerate and the world’s largest company in the eyewear industry, best known for its brands Ray-Ban, Persol and Oakley, has suffered a cyber-attack that disrupted its operations in Italy and China. Find out more here.


Investigation into Google, Apple, and Dropbox cloud services

The Italian Competition Authority has started an investigation into Google, Apple and Dropbox in relation to their cloud computing services for potentially unfair commercial practices, as well as in relation to the presence of unfair clauses in contractual terms. Find out more here.

Advisory Note

Data Protection Impact Assessment


A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.

Find out what this means for your business with our easy to follow Advisory Notes.


Talking is not covered by data protection laws

In the UK the High Court ruled that talking is not covered by data protection laws. They said that oral disclosures (in this case provided during a telephone call) do not constitute ‘data’ and consequently do not fall within the scope of the GDPR. Read more here.


Sport & cyber security

The NCSC releases a new report that reveals 70% of sports institutions in the UK have suffered a cyber attack. Read more here.

Advisory Note

International cross-border transfers – FAQs

This note aims at presenting answers to some frequently asked questions (FAQs) about international (cross-border) transfers of personal data after the decision of the Court of Justice of the European Union (CJEU) on 16 July 2020. Read more here.


Government’s test and trace scheme is unlawful

The Department of Health and Social Care (DHSC) has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out a Data Protection Impact Assessment (DPIA) – an assessment of its impact on privacy. Read more here.


Record Subject Access Request fine

The Dutch Data Protection Authority (DPA) has fined an organisation, BKR, €830,000 for charging fees and discouraging individuals who wanted to access their personal data. Read more here.


The DPC issues €75,000 fine

The DPC (the Irish equivalent of the ICO) has fined ‘Tusla’, Ireland’s child and family agency, €75,000. Read more here.


Online advertising, mobile phones and privacy

Apple has just announced that when iOS 14 is launched it will require advertisers (and others, such as app developers) who want to access a user’s IDFA (‘ID For Advertisers’) to obtain opt-in consent. Read more here.


Return to sender

Find out what you need to do if you’ve ever made one of these common email errors by reading this simple guidance from norm’s Data Protection Team.


Help! We’ve been breached – now what?

10:00AM BST, THURSDAY 21st MAY 2020

During this webinar we outline the measures all companies should take in order to prepare themselves for a breach. Our experts cover the people, process and data protection elements of responding to a security incident, and how to stop it becoming a crisis.


Managing and mitigating cyber risk in uncertain times

10:00AM BST, THURSDAY 7th MAY 2020

Watch Paul Cragg, CTO, to find out how your business can reduce the risk and potential consequences of a cyber security breach today. This session will feature valuable tips and practical advice for any organisation that wants to mitigate cyber risk and safeguard core business functions today.


A break from the norm: GDPR & Data Protection in the context of Covid-19

10:00AM BST, THURSDAY 23rd APRIL 2020

Can an individual’s right to privacy be waived in the face of the public interest? What obligations – if any – do businesses have to provide public health authorities with information about employees who are self-isolating or have Coronavirus symptoms? Watch this session to find out the answers to these questions and more.


Speedy, simple and free – Secure home working tips

LONDON, APRIL 2nd 2020

The current Coronavirus pandemic means that many organisations are now enforcing remote working practices for the majority, if not all, of their employees. But what does this mean for your business’ cyber security?

Find out by reading this insightful article written by norm.

Advisory Note

Real Time Bidding, AdTech & Data Protection

LONDON, MARCH 2nd 2020

Advertisers are competing for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps in the UK every day by automated means.

Find out about the key data protection issues this causes with our easy to follow Advisory Notes.

Advisory Note

Accessing employee emails


Organisations often want to access the content of absent or former employees’ mailboxes for business continuity reasons, e.g. when an employee is on long-term leave, has left, or is deceased.

Find out if this interferes with their right to privacy with our easy to follow Advisory Notes.

Advisory Note

Using Biometric Data


The use of biometric data in an employment context is increasingly common for security reasons and fraud prevention. However, all organisations using or considering using biometric data for these purposes should be aware that the processing of biometric data in accordance with the GDPR can be, and very often is, very challenging and may expose them to significant risks of a data breach.

Understand what it could mean for your business with our simple Advisory Notes.

Advisory Note

Data Protection & Directors Personal Liability


It is undeniable that the increasing risk of a data breach or other data protection failure affects practically every business. These increased risks can translate into personal liability for directors in a number of ways. It is therefore imperative that directors of organisations familiarise themselves with the potential liability they face.

Find out what this means for your business with our easy to follow Advisory Notes.

Advisory Note

The California CPA and you


On 1st January 2020, the California Consumer Privacy Act (CCPA) came into force.

The CCPA is a new data privacy and consumer protection law designed to give people in California more control over their personal data and ensure that businesses are transparent with their data processing activities.

Find out what this means for your business with our easy to follow Advisory Notes.


ThinkMarble becomes norm.


ThinkMarble Limited has rebranded as ‘norm’ – offering ‘reassuringly dull Cyber Security’ in a move to demystify the market.


One YMCA appoints norm.


Following a rigorous evaluation process One YMCA has selected norm’s specialist Data Protection as a Service solution.


The House of Garrard appoints norm.


NormCyber Limited has been appointed specialist Data Protection as a Service (DPaaS) provider to the iconic jewellers Garrard & Co.

Advisory Note



One of the central aims of the GDPR is the facilitation of the free flow of data between all countries in the EEA. In practice this means that, currently, personal data can be transferred between organisations in the UK and the EEA without any specific or additional security measures needing to be put in place.

However, a ‘no-deal’ Brexit will mean the principle of the free flow of personal data will no longer apply and the UK will be in the same position as virtually any other country outside the EEA.

Find out what this means for your business with our easy to follow Advisory Notes.

Advisory Note

Claims for compensation for data breaches


The Court of Appeal’s landmark decision in the case of Lloyd v Google could be summarised as “You breach, you pay”.

Understand what it could mean for your business with our simple Advisory Notes.


David Perez appointed as new CEO

Thursday 10th October 2019 – ThinkMarble Limited is pleased to announce that it is making a leadership change to underpin its exciting growth plans. David Perez has joined the UK-based Cyber-Security-as-a-Service (CSaaS) business as CEO and replaces Andy Miles who is the Founder and now former CEO of the business. Andy will remain heavily involved…


Suprema data breach

The Suprema data breach, in which researchers say they discovered that the fingerprints, voice data, facial images, unencrypted usernames and passwords of more than one million people were publicly available, has drawn the condemnation of security experts and data privacy experts. Read what Norm’s Director of Legal Services, Robert Wassall, told Verdict about the possible implications…


Monzo PIN breach

Read what Norm’s Director of Legal Services, Robert Wassall, told Verdict about the possible implications of the Monzo case.


ThinkMarble service available on G-Cloud 11

LONDON, JULY 2nd 2019

ThinkMarble, the world-class, component-level, end-to-end, Cyber Security Operator, today announced its services are now available to public-sector bodies via the latest Crown Commercial Service (CCS) framework, G-Cloud 11.


Wright joins ThinkMarble in new Operations role

LONDON, UK – Monday 21st January 2019 – ThinkMarble is pleased to announce that, as part of its growth strategy, it has appointed Demyon Wright to the new role of Operations Director within the business. Demyon joins ThinkMarble with nearly 15 years of experience as a Head of Service Management in the industry and an impressive…

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group