• International Workplace
  • 19 December 2017

When data protection goes wrong

Data protection issues seem to be hitting the headlines more often at the moment, with large-scale breaches releasing the personal data of thousands of people into the public domain or the hands of criminals.  Our personal data is becoming a lot more valuable – to individuals, companies and criminals alike.    

Tighter data protection regulations are coming into force in May 2018, in the shape of the GDPR and the new Data Protection Act.  The new Regulations will mean businesses face greater fines for any breaches, along with stricter reporting and monitoring criteria.  However, a lot of businesses still haven’t got to grips with what the changes will actually mean to their business and what they, as employers, should be doing to protect the personal information they hold.

Looking at two recent cases involving Morrisons and Uber, we can start to see the scope of these new rules, and what happens when data protection goes wrong. 

Morrisons – the lines of liability

A recent court case determined that thousands of Morrisons staff should be awarded a payout after a former employee stole and subsequently published their personal information online. This is the first data leak class action seen in the UK so far, and shows us how employers can be held liable for the actions of their former staff – even if they are unauthorised. The individual was jailed for fraud, unauthorised access to a computer and disclosing personal information. But the supermarket itself was also found liable by the High Court, as they were responsible for breaches of privacy, confidence and data protection laws. 

It highlights the need for businesses to pay close attention to their data protection policies and train their staff to reduce the risk of data leaks. There are some simple steps that employers can take to demonstrate their commitment to the protection of their employees’ personal information:

  • Limit access to personal data – make sure only those employees that need data to carry out their role have access to it. This would require a review of access rights to IT systems.
  • Audit what data you collect and store, and whether you need to retain it.
  • Have policies in place to regularly review the data you hold and how long you keep it for.
  • Ensure the security of your systems is up to date and safe.
  • Make sure you have a clear privacy policy or data statement, which is available to all employees and customers and sets out what data you collect and why.
  • Ensure staff understand the value of personal data.

Uber – what happens when you suffer a breach

In the case of Uber, 2.7m UK users saw their personal information held to ransom by hackers, and then this was covered up by the taxi-hailing company. The news of the breach was only admitted publicly nearly a year after the event. The ICO, which investigates data breaches in the UK, is currently investigating the case, and we await their findings and what fines, if any, will be imposed.

Under GDPR, the ICO will have increased investigatory powers, along with the ability to impose greater fines than they currently do – up to €20m or 4% of annual worldwide turnover.  

However, more importantly for employers, is the rule that data breaches must be self-reported to the ICO within 72 hours if the release of personal data could cause damage. Currently, there is no mandatory requirement to report data breaches. Based on current experiences, the ICO is likely to look more favourably on those businesses who do self-report, as opposed to those who attempt to cover up a breach. 

A data breach could be as simple as sending personal information through the post, or as sophisticated as a targeted cyber-attack against your systems.  Again, the steps to protect your business are simple:

  • Ensure that you train your staff on the correct procedures for handling personal information.
  • Review your systems, and ensure your IT, digital and web systems are adequately protected.
  • Only hold the personal data you need to hold in order to carry out your business.

At Loch Employment Law, we’ve been helping clients understand the implications of GDPR on their process through conducting GDPR audits. This gives businesses the opportunity to ask themselves the questions: what data do I have, how and why was it collected, and do I still need it?  The report the client receives helps them understand their current compliance level and risk areas and what they need to address to comply with the GDPR. This is an essential first step to avoiding your business hitting the headlines for the wrong reasons. 

Data protection need not be a burden that you have to deal with, but you can’t bury your head in the sand about it.  The new Regulations may be tighter and place greater onus on businesses to comply, but it will lead to greater trust between organisations, their employees, and customers which can only be good for business in the UK.

Pam Loch is Managing Partner of Loch Employment Law, as well as Managing Director of the Loch Associates Group.  For further information please contact us at,  call us on 01892 773970 or visit