Reassuringly dull cyber security

no drama.

Reassuringly dull news about cyber security and data protection


Talking is not covered by data protection laws

In the UK the High Court ruled that talking is not covered by data protection laws. They said that oral disclosures (in this case provided during a telephone call) do not constitute ‘data’ and consequently do not fall within the scope of the GDPR. Read more here.


Sport & cyber security

The NCSC has released a new report that reveals 70% of sports institutions in the UK have suffered a cyber attack. Read more here.

Advisory Note

International cross-border transfers – FAQs

This note aims at presenting answers to some frequently asked questions (FAQs) about international (cross-border) transfers of personal data after the decision of the Court of Justice of the European Union (CJEU) on 16 July 2020. Read more here.


Government’s test and trace scheme is unlawful

The Department of Health and Social Care (DHSC) has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out a Data Protection Impact Assessment (DPIA) – an assessment of its impact on privacy. Read more here.


Record Subject Access Request fine

The Dutch Data Protection Authority (DPA) has fined an organisation, BKR, €830,000 for charging fees and discouraging individuals who wanted to access their personal data. Read more here.


The DPC issues €75,000 fine

The DPC (the Irish equivalent of the ICO) has fined ‘Tusla’, Ireland’s child and family agency, €75,000. Read more here.


Online advertising, mobile phones and privacy

Apple has just announced that when iOS 14 is launched it will require advertisers (and others, such as app developers) who want to access a user’s IDFA (‘ID For Advertisers’) to obtain opt-in consent. Read more here.


Return to sender

Find out what you need to do if you’ve ever made one of these common email errors by reading this simple guidance from norm’s Data Protection Team.


Help! We’ve been breached – now what?

10:00AM BST, THURSDAY 21st MAY 2020

During this webinar we outline the measures all companies should take in order to prepare themselves for a breach. Our experts cover the people, process and data protection elements of responding to a security incident, and how to stop it becoming a crisis.


Managing and mitigating cyber risk in uncertain times

10:00AM BST, THURSDAY 7th MAY 2020

Watch Paul Cragg, CTO, to find out how your business can reduce the risk and potential consequences of a cyber security breach today. This session will feature valuable tips and practical advice for any organisation that wants to mitigate cyber risk and safeguard core business functions today.


A break from the norm: GDPR & Data Protection in the context of Covid-19

10:00AM BST, THURSDAY 23rd APRIL 2020

Can an individual’s right to privacy be waived in the face of the public interest? What obligations – if any – do businesses have to provide public health authorities with information about employees who are self-isolating or have Coronavirus symptoms? Watch this session to find out the answers to these questions and more.


Speedy, simple and free – Secure home working tips

LONDON, APRIL 2nd 2020

The current Coronavirus pandemic means that many organisations are now enforcing remote working practices for the majority, if not all, of their employees. But what does this mean for your business’ cyber security?

Find out by reading this insightful article written by norm.

Advisory Note

Real Time Bidding, AdTech & Data Protection

LONDON, MARCH 2nd 2020

Advertisers are competing for available digital advertising space in milliseconds, placing billions of online adverts on webpages and apps in the UK every day by automated means.

Find out about the key data protection issues this causes with our easy to follow Advisory Notes.

Advisory Note

Accessing employee emails


Organisations often want to access the content of absent or former employees’ mailboxes for business continuity reasons, e.g. when an employee is on long-term leave, has left, or is deceased.

Find out if this interferes with their right to privacy with our easy to follow Advisory Notes.

Advisory Note

Using Biometric Data


The use of biometric data in an employment context is increasingly common for security reasons and fraud prevention. However, all organisations using or considering using biometric data for these purposes should be aware that the processing of biometric data in accordance with the GDPR can be, and very often is, very challenging and may expose them to significant risks of a data breach.

Understand what it could mean for your business with our simple Advisory Notes.

Advisory Note

Data Protection & Directors Personal Liability


It is undeniable that the increasing risk of a data breach or other data protection failure affects practically every business. These increased risks can translate into personal liability for directors in a number of ways. It is therefore imperative that directors of organisations familiarise themselves with the potential liability they face.

Find out what this means for your business with our easy to follow Advisory Notes.

Advisory Note

The California CPA and you


On 1st January 2020, the California Consumer Privacy Act (CCPA) came into force.

The CCPA is a new data privacy and consumer protection law designed to give people in California more control over their personal data and ensure that businesses are transparent with their data processing activities.

Find out what this means for your business with our easy to follow Advisory Notes.


ThinkMarble becomes norm.


ThinkMarble Limited has rebranded as ‘norm’ – offering ‘reassuringly dull Cyber Security’ in a move to demystify the market.


One YMCA appoints norm.


Following a rigorous evaluation process One YMCA has selected norm’s specialist Data Protection as a Service solution.


The House of Garrard appoints norm.


NormCyber Limited has been appointed specialist Data Protection as a Service (DPaaS) provider to the iconic jewellers Garrard & Co.

Advisory Note



One of the central aims of the GDPR is the facilitation of the free flow of data between all countries in the EEA.

Leaving the EU on a ‘no-deal’ basis would mean this principle no longer applies and the UK will be in the same position as virtually any other country outside the EEA.

Find out what this means for your business with our easy to follow Advisory Notes.

Advisory Note

Claims for compensation for data breaches


The Court of Appeal’s landmark decision in the case of Lloyd v Google could be summarised as “You breach, you pay”.

Understand what it could mean for your business with our simple Advisory Notes.


David Perez appointed as new CEO

Thursday 10th October 2019 – ThinkMarble Limited is pleased to announce that it is making a leadership change to underpin its exciting growth plans. David Perez has joined the UK based Cyber-Security-as-a-Service (CSaaS) business as CEO and replaces Andy Miles who is the Founder and now former CEO of the business. Andy will remain heavily involved…


Suprema data breach

The Suprema data breach, in which researchers say they discovered that the fingerprints, voice data, facial images, unencrypted usernames and passwords of more than one million people were publicly available, has drawn the condemnation of security experts and data privacy experts. Read what Norm’s Director of Legal Services, Robert Wassall, told Verdict about the possible implications…


Monzo PIN breach

Read what Norm’s Director of Legal Services, Robert Wassall, told Verdict about the possible implications of the Monzo case.


ThinkMarble service available on G-Cloud 11

LONDON, JULY 2nd 2019

ThinkMarble, the world-class, component-level, end-to-end, Cyber Security Operator, today announced its services are now available to public-sector bodies via the latest Crown Commercial Service (CCS) framework, G-Cloud 11.


Wright joins ThinkMarble in new Operations role

LONDON, UK – Monday 21st January 2019 – ThinkMarble is pleased to announce that, as part of its growth strategy, it has appointed Demyon Wright to the new role of Operations Director within the business. Demyon joins ThinkMarble with nearly 15 years of experience as a Head of Service Management in the industry and an impressive…

I’m thrilled to have signed off on the CSaaS offering. I’m looking forward to having the most complete cyber security package for the mid-market and continuing our successful working relationship with norm.

Richard Taylor, CIO
Summit Therapeutics

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

The biggest factor was that they had a data protection lawyer in-house who worked for them, which meant there was someone we could directly go to with specific questions about the (GDPR) regulation.

Phil Everitt, Management Information Systems Manager
Leicester Tigers

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules, has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO.

Will Blake, Director of Technology and Analytics
CRU Group