norm. data protection bulletin: 4th September 2023

First fines for using Google Analytics

The Swedish data protection authority (IMY) issued decisions against four companies and a fine of €1 million against an online retailer for using Google Analytics on their webpage.

Although EU regulators in Austria, France and Italy have also decided that the use of Google Analytics violates the GDPR, this is the first financial penalty imposed on companies for using it.

In the UK, the ICO has not, so far, taken any action about the use of Google Analytics. Our recommendation (re UK websites) remains ‘keep calm and carry on’.

Beware sharing customer personal data via WhatsApp

The ICO has issued a reprimand to an NHS Trust after it emerged its staff were (without the organisation/employer’s authorisation or knowledge) using WhatsApp to share customers’ personal data.

26 members of staff had access to a WhatsApp group where personal data was entered and shared on more than 500 occasions, including names, phone numbers, addresses, images, videos and screenshots. A non-staff member was also added to the WhatsApp group in error, resulting in the inappropriate disclosure of personal information to an unauthorised individual.

The ICO’s investigation concluded that the Trust did not have appropriate policies, clear guidance and processes in place about the use of WhatsApp.

Although the organisation/employer in this instance was an NHS Trust and the personal data included (but was not limited to) special category data, the ICO has made clear that the same concerns apply to any organisation and that customer data must be handled carefully and securely.


  • Decide whether or not to permit/encourage the use of WhatsApp (or any other app) as part of your business activities.
  • Before permitting the use/deployment of WhatsApp (or any other app), consider the risks relating to personal data and include the requirement to assess and mitigate these risks in any approval process.
  • Ensure instructions/guidance are issued to employees on their data protection responsibilities when using WhatsApp (or any other app).
  • Consider whether there needs to be a review of your organisational policies and amend where appropriate.

Supply Chain Security

As reported by Sky News, all 47,000 people working for the Metropolitan Police have been notified about the potential exposure of their photographs, names, and ranks after cybercriminals managed to infiltrate the IT systems of a contractor responsible for printing warrant cards and staff passes.

This unfortunate incident demonstrates that organisations need to consider not only their own data protection and cyber security arrangements, but also those of third parties that they deal with and entrust personal data to. This should be done both before and, in some cases, after contracts are entered into.
