Data privacy in crisis: A call for proactive protection

Anusha Singh Thursday 12th June 2025 02:49 EDT
 
 

As concerns over data privacy sow tension across British business corridors, the recent cyberattack on Marks & Spencer—believed to have been orchestrated by the notorious Scattered Spider group—has thrust the issue back into the spotlight.

The breach, which began in April and disrupted online transactions and footfall in stores, resulted in the compromise of customer details such as names, birth dates, contact information, and order histories, affecting millions of users. These developments not only underscore the vulnerability of large-scale retail operations but also raise urgent questions about how businesses manage third-party vendor and supply chain security.

In light of this breach, Asian Voice spoke with Abhishek Ghosh, co‑founder of Praeferre, a data privacy and cybersecurity platform, to explore how companies can elevate their data protection strategies. In our conversation, Ghosh discusses the recurring vulnerabilities behind major UK breaches and details how AI‑driven tools can provide early warning systems.

What core principles guide Praeferre’s approach to data privacy and compliance?

At Praeferre, our approach is grounded in three core principles that guide everything we do. First, privacy by design ensures compliance is embedded into the architecture of systems from day one. Second, we prioritise user empowerment by giving individuals greater control and transparency over how their data is used. Third, continuous assurance moves beyond one-time audits, offering real-time visibility, automation, and accountability through AI-driven tools.

We see privacy not just as a regulatory requirement but as a trust asset, and our technology reflects that. Praeferre’s tools help organisations embed trust and accountability from the ground up, not as an afterthought.

Several UK commercial companies have recently experienced serious data breaches. What do you think these incidents reveal about the current state of data privacy management in the UK?

Compliance is fragmented, and critical gaps in third-party risk and system visibility lead to costly mistakes, especially considering the AI adoption across industries. We’ve been running privacy, GenAI and overall security assessments for teams across insurance, finance, healthcare, media and beyond. Almost every security team we talked to says the same thing: the AI and security policy is in place. But they have no idea what AI is actually in use or what sensitive data is going into those tools or to the supplier ecosystem with various retention clauses. They don’t have basic visibility, never mind control.

They underscore a sobering reality: many UK organisations are still reactive rather than proactive. The breaches expose a lack of integrated risk management, poor third-party oversight, and legacy systems that can’t keep pace with evolving threats. Even in regulated industries, compliance is often fragmented across departments, leading to dangerous blind spots.

Were there any common oversights or vulnerabilities in these breaches that you believe could have been prevented with better protocols? What should the first 48 hours of gaining control look like? 

Yes, several stand out.

  1. Lack of encryption or tokenisation of sensitive data
  2. Inadequate third-party risk assessments
  3. No centralised risk and governance control
  4. Consulting and labour-intensive approach for GRC management
  5. Slow incident response due to lack of playbooks or automation

In the first 48 hours, organisations should isolate the breach, alert key teams, notify regulators if needed, and start forensic investigations fast and with clarity. This must happen in a highly coordinated, auditable way where compliance automation plays a vital role.

Do you think there’s enough awareness within companies, especially SMEs, about their data responsibilities, or is there still a “tick-box” culture when it comes to compliance?

Unfortunately, yes. Many SMEs see data protection as a cost centre, not a strategic advantage, leading to minimal investment and a checkbox approach to compliance. There’s often no DPO, limited awareness of third-party risk, and no structured incident response planning. We’re working to change this by offering accessible, scalable compliance tools that make privacy management both effective and business-friendly.

Are AI and automation playing a larger role in your privacy management systems? How do you balance innovation with ethical data governance?

Absolutely. Our platform uses AI for automated compliance validation, anomaly detection, and risk scoring. Many companies have been flying blind on GenAI, without the proper visibility and vulnerability assessment of their cyber security posture.

Praeferre provides a GenAI assessment report at the beginning of the client onboarding process that gives security teams a tailored view of where GenAI usage is introducing risk and where policies aren't sticking. It takes less than 60 mins to deploy and gives them the fastest way to get some visibility. Then plug our tools in for inline GRC management.

Also, we are deeply committed to ethical AI: we embed fairness, explainability, and auditability into our models. We also maintain human-in-the-loop mechanisms for critical decisions, especially around data subject rights and enforcement.

If you could make one change to UK data privacy laws or business practices today, what would it be?

We need to better support SMEs with tools, templates, and training. Privacy shouldn’t be a mystery or a luxury. Let’s make it accessible and doable for all. We’d push for a national baseline for SME privacy readiness including subsidised training, risk assessment tools, and clearer accountability structures. Too often, small businesses are left to navigate GDPR and cyber risks without guidance or capacity. Strengthening this layer of the economy would elevate the UK’s entire privacy posture.

