Skip to main content

Insight article

January 23, 2018

Businesses face bigger penalties on data leaks

Businesses are on a final countdown to the introduction of the General Data Protection Regulation in May 2018, bringing with it tighter rules and greater penalties for data processing, and the outcome of a landmark High Court case has made the preparation even more pressing.

The case involved an online leak of payroll data by Andrew Skelton, a disgruntled ex-employee of the supermarket chain Morrisons. Skelton received an eight-year conviction for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. However, over 5,000 current and ex-employees later joined together to bring a claim against the company itself, with the court finding Morrisons liable for the actions of its former member of staff.

The data included the salary and bank details of some 100,000 staff, and the ruling, which is the first data leak class action in the UK, allows those affected to claim compensation for the “upset and distress” caused.

Although Morrisons has said it will appeal, experts predict that the vicarious liability judgement will make General Data Protection Regulation (GDPR) compliance even more pressing for employers and suppliers of contract labour where data processing is involved.

“This judgement is of huge importance, because Morrisons was held liable for the criminal misuse of third party data by an employee based on the principles of vicarious liability. The impact extends beyond the claims for compensation from employees, it’s also the impact on reputation and the financial and physical resources involved in dealing with the data breach. Reportedly, Morrisons spent more than £2m in responding to the misuse,”

Explains corporate lawyer Veronica Hartley.

“Data breach is a growing worry for a business, whether relating to employees or customers, and it is set to be even higher on the agenda in the new environment of GDPR post-May 2018.”

Bringing in a tough new era in EU-wide data protection law, the GDPR will replace the UK’s 1998 Data Protection Act with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.

One of the key new requirements under GDPR is the accountability principle which requires businesses (data controllers) to demonstrate compliance by showing the regulator (in the UK, the Information Commissioner’s Office – the ICO) and individuals how they comply with these new obligations.

The aim is to harmonise data protection across all EU member states by making it simpler for everyone, including non-European companies, to comply. Still, it brings greater responsibilities for data controllers and data processors and big penalties of up to 4% of worldwide turnover or €20 million (whichever is greater) for non-compliance.

The biggest change is that the GDPR applies to any business processing personally identifiable information about EU citizens. Any UK business trading with EU citizens before or after Brexit will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.

“The Government has said that GDPR compliance will be the minimum standard in UK law post-Brexit, to enable UK companies to do business across Europe. Anyone who hasn’t already embarked upon the GDPR journey needs to do so as a matter of urgency, as every business and organisation is affected, no matter their size, and must be able to demonstrate they are complying, not just dealing with problems after they occur. While it’s likely that most will need some specialist expertise on the legal technicalities and IT processes, as a starting point there is some excellent preparatory guidance on the ICO’s website.”

GDPR provides stronger protection for individuals in terms of consent. In place of the previous ‘opt out’ approach, organisations must secure positive consent from individuals for their data to be collected. The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’ and can also transfer their data elsewhere if they choose. Where data is to be processed for a purpose beyond that for which it was originally collected, there will need to be fresh consent. There are strict rules around data relating to children under 16 and requirements for parental consent.

The organisation will also have to provide more information about how data will be used and how long it will be kept, as data must not be held for any longer than necessary. If data will be stored outside the EEA, details must be provided, including what safeguards will be in place.

There is a distinction between controllers and processors of data. The controller determines the process and means of processing personal data, where a processor acts on behalf of the controller. However, each has obligations in case of a breach or lack of compliance. For an organisation that subcontracts its processing, there is a high duty of care imposed in selecting their data processing provider, with procurement processes to be followed and regular ongoing reviews once appointed.

Under GDPR, there will be a statutory obligation to notify the regulator – the ICO in the UK – of any breach if an individual’s personally identifiable information is at risk as a result. Penalties can range up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.

To avoid penalties, speak to data protection specialist Veronica Hartley today.

Note: This is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • What is the Employment Rights Bill 2024?
    The Employment Rights Bill 2024 marks a pivotal moment in UK employment law, promising the most significant reforms in over three decades


    Read more
  • Autumn Budget Statement 2024
    Key implications for employment law, property law, and estate planning


    Read more
  • Disclosure against warranties in UK corporate transactions
    In UK corporate transactions, disclosure of information is a vital strategy for sellers to shield themselves from warranty claims when selling their shares or business.


    Read more
  • How the Employment Rights Bill 2024 impacts employers and businesses
    The government’s new Employment Rights Bill outlines significant changes to employment laws, focusing on workers' rights and flexibility.


    Read more
  • Business First Magazine
    Autumn/Winter 2024 Edition


    Read more

What they say...

  • Stephen, November 2024
    “Outstanding family lawyer who came through for me in a difficult case. In the world new to me of divorce and the aftermath, [Pippa Marshall] provided excellent advice from the first call and right through to conclusion. She made a difficult ex

  • M. M. Homes, November 2024
    “Charlotte explained everything very clearly and made the whole process nice and easy. Have already started recommending her to my friends.” Wills and LPAs

  • Nim, November 2024
    “I highly recommend James McMullan and his team. They all did a fantastic job with helping me through a particularly difficult family situation. They are extremely professional, caring, and experts in their field.” Probate and contentious

  • Man Kiu Wan, November 2024
    “Thank you Charlotte for your excellent and professional services.” Probate

  • Ms K, November 2024
    “I was recently made redundant, and my company had handled some of the process quite poorly. Patrick came recommended by a friend who had used him during her own redundancy, and I can now wholeheartedly recommend him myself. His initial consult

Read more
Send this to a friend