The recent, very well publicised High Court proceedings involving Morrisons and a massive breach of its employees' data have sent shudders through the commercial world and through any organisation that holds data, which is basically every organisation!
From May 2018, the new General Data Protection Regulations (GDPR) will come into force. The essence of data protection will remain as before: data (i.e. information) held on an individual must only be held for a good reason, and must then be held securely. However, the GDPR is revolutionising the way this is to be done and the potential penalties that will be imposed for not doing so.
In the Morrisons case, a compensation claim is being pursued by thousands of its staff following the actions of a former employee who stole personal data about the employees before posting it online. The employee was jailed for eight years in 2015 after being found guilty of fraud and other offences. Morrisons were reported to have spent more than £2 million on measures to tackle the breach, but the group action claims that the employees are suffering potential financial loss and were exposed to the risk of identity theft, for which the employees claim Morrisons were responsible. This has resulted in the action being taken by 5,518 former and current employees of the company.
Whilst the case has understandably caused huge ripples in relation to data protection, with GDPR about to take its toll on the commercial field, the case itself was one about vicarious liability: whether the employer (Morrisons) should be held liable for the action of its employee. It appears that Morrisons could not have done anything more to keep the data secure, but in this situation the Court has held Morrisons liable. The case will therefore be publicised as the forthcoming threat of GDPR affecting all companies, but in fact it has a different emphasis, surrounding whether Morrisons should be vicariously liable for the action of its employee. At the moment it has not even been shown that the employees have suffered a financial loss, and Morrisons have been given leave to appeal, so the litigation may ultimately be fruitless. It has, however, illustrated the major issues that there will be going forward regarding data protection in the light of the new GDPR.
Commentary by Neale Grearson, Head of Charities Department.
For straightforward and practical legal advice, Clapham & Collinge's dedicated solicitors will be delighted to help. To find out more or discuss your individual requirements in further detail, contact us today on 01603 693500 or email us using the 'Make an enquiry' form. Appointments are available at our Norwich, North Walsham, and Sheringham offices.