“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.
The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”
(Nick McAleenan – data and privacy law specialist at JMW Solicitors)
These words were spoken after the court ruling that Morrisons was ‘vicariously liable’ for the data breach carried out by a former employee.
But what does this example mean in a GDPR world?
It’s important to realise that this case is being handled under the current Data Protection Act. When the GDPR comes into force on 25th May 2018, would the outcome of a case like this be any different?
Could they have stopped this data breach?
Morrisons said: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
I don’t know what data protection systems Morrisons currently have in place. I would hope, given the reputation of the brand, that they are already GDPR ready. But if they aren’t, and assuming that the judge was ruling under current legislation (the Data Protection Act), this throws up a whole lot of questions as to what the legal outcome would have been had we already reached May 25th next year.
Whilst this is interesting to speculate on, the fact is we’ll never know. However, the key implications of this case lie not in whether the company could or could not have prevented the breach in a GDPR era, but in the staff members’ reaction to the breach.
I’m not talking about the potential payouts that Morrisons may have to make, or how the claimants feel about their personal data being accessed and used in such a way. I’m talking about what the actions of the claimants have done to raise awareness of personal data and what companies do with it.
This, in the context of GDPR, is key, given that the whole point of GDPR is accountability and transparency.
The changes that the GDPR demands of every company are wide, varied and complicated, so working to a GDPR checklist or with a GDPR solution provider will help companies start the process of ensuring that there is nothing more they could do to protect the personal data they hold from a breach.
At the moment, the pressure to do this is coming from the scaremongering that many GDPR experts are bandying around about the potential fines that the ICO could levy for any infringement.
But in the long term, this is not what is going to drive companies’ behaviour when it comes to GDPR – the reaction of the consumer is.
No company wants to appear at best inept or at worst uncaring towards its customers, and whilst the talk of reputational damage is valid, memories are generally short and companies tend to move on quickly.
However, it seems fair to assume that, as we sit here now, most people aren’t really aware of what their rights are regarding the personal data that companies hold and use.
Crucially, as more and more data breaches are reported in the mainstream press (data breaches happen now anyway; we just don’t hear about them very often), there will be more and more references to the GDPR. This in turn will create more awareness among consumers of their rights and privileges when it comes to their personal data held by companies, large and small.
Increased knowledge will lead to more questions being asked:
‘can I be taken off your list please?’
‘where did you get my consent to send me this from?’
‘why have you kept video recordings of me?’
These will be just a handful of the questions consumers will be asking, and they will be expecting answers.
So cases like Morrisons serve to highlight not only a company’s data protection inadequacies, but where the real power lies in the transparency that GDPR demands: with the consumer, as it should be.