Skip to main content

Insight article

January 23, 2018

Businesses face bigger penalties on data leaks

Businesses are on a final countdown to the introduction of the General Data Protection Regulation in May 2018, bringing with it tighter rules and greater penalties for data processing, and the outcome of a landmark High Court case has made the preparation even more pressing.

The case involved an online leak of payroll data by Andrew Skelton, a disgruntled ex-employee of the supermarket chain Morrisons. Skelton received an eight-year conviction for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. However, over 5,000 current and ex-employees later joined together to bring a claim against the company itself, with the court finding Morrisons liable for the actions of its former member of staff.

The data included the salary and bank details of some 100,000 staff, and the ruling, which is the first data leak class action in the UK, allows those affected to claim compensation for the “upset and distress” caused.

Although Morrisons has said it will appeal, experts predict that the vicarious liability judgement will make General Data Protection Regulation (GDPR) compliance even more pressing for employers and suppliers of contract labour where data processing is involved.

“This judgement is of huge importance, because Morrisons was held liable for the criminal misuse of third party data by an employee based on the principles of vicarious liability. The impact extends beyond the claims for compensation from employees, it’s also the impact on reputation and the financial and physical resources involved in dealing with the data breach. Reportedly, Morrisons spent more than £2m in responding to the misuse,”

Explains corporate lawyer Veronica Hartley.

“Data breach is a growing worry for a business, whether relating to employees or customers, and it is set to be even higher on the agenda in the new environment of GDPR post-May 2018.”

Bringing in a tough new era in EU-wide data protection law, the GDPR will replace the UK’s 1998 Data Protection Act with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.

One of the key new requirements under GDPR is the accountability principle which requires businesses (data controllers) to demonstrate compliance by showing the regulator (in the UK, the Information Commissioner’s Office – the ICO) and individuals how they comply with these new obligations.

The aim is to harmonise data protection across all EU member states by making it simpler for everyone, including non-European companies, to comply. Still, it brings greater responsibilities for data controllers and data processors and big penalties of up to 4% of worldwide turnover or €20 million (whichever is greater) for non-compliance.

The biggest change is that the GDPR applies to any business processing personally identifiable information about EU citizens. Any UK business trading with EU citizens before or after Brexit will be affected, as will anyone who transfers personal data from the EU to the UK for processing or storage.

“The Government has said that GDPR compliance will be the minimum standard in UK law post-Brexit, to enable UK companies to do business across Europe. Anyone who hasn’t already embarked upon the GDPR journey needs to do so as a matter of urgency, as every business and organisation is affected, no matter their size, and must be able to demonstrate they are complying, not just dealing with problems after they occur. While it’s likely that most will need some specialist expertise on the legal technicalities and IT processes, as a starting point there is some excellent preparatory guidance on the ICO’s website.”

GDPR provides stronger protection for individuals in terms of consent. In place of the previous ‘opt out’ approach, organisations must secure positive consent from individuals for their data to be collected. The consent can be withdrawn at any time, as individuals have ‘the right to be forgotten’ and can also transfer their data elsewhere if they choose. Where data is to be processed for a purpose beyond that for which it was originally collected, there will need to be fresh consent. There are strict rules around data relating to children under 16 and requirements for parental consent.

The organisation will also have to provide more information about how data will be used and how long it will be kept, as data must not be held for any longer than necessary. If data will be stored outside the EEA, details must be provided, including what safeguards will be in place.

There is a distinction between controllers and processors of data. The controller determines the process and means of processing personal data, where a processor acts on behalf of the controller. However, each has obligations in case of a breach or lack of compliance. For an organisation that subcontracts its processing, there is a high duty of care imposed in selecting their data processing provider, with procurement processes to be followed and regular ongoing reviews once appointed.

Under GDPR, there will be a statutory obligation to notify the regulator – the ICO in the UK – of any breach if an individual’s personally identifiable information is at risk as a result. Penalties can range up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.

To avoid penalties, speak to data protection specialist Veronica Hartley today.

Note: This is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • Pension and inheritance tax changes from April 2027: why now is the time to review your will and estate plan
    From 6 April 2027, most unused pension funds and pension death benefits are expected to be included in a person’s estate for inheritance tax purposes. This article explains what the changes could mean for families, pension nominations, wills, chari


    Read more
  • What happens when company owners disagree? The key to keeping private companies running smoothly
    Director and shareholder disagreements can quickly disrupt a business if they are not addressed early. This article explains what disputes can mean for a private company, how they can be avoided, and how legal advice can help protect stability and su


    Read more
  • SMEs urged to review risks as liability rules expand
    New criminal liability rules taking effect on 29 June 2026 will make it easier to prosecute businesses of any size where senior managers commit offences while acting on the organisation’s behalf.


    Read more
  • AI-written grievances add new pressure for employers
    AI is making it easier for employees to produce detailed, formal-looking grievances that refer to legal concepts and workplace rights. For employers, the key is to look beyond the language, identify the core concern and follow a fair, consistent grie


    Read more
  • What to check in a new build contract
    Buying a new build home can be exciting, but the legal process carries important risks. From long-stop dates and mortgage deadlines to specifications, deposits, service charges and warranties, early legal advice can help protect your position before


    Read more

What they say...

  • Client, July 2026
    Pragmatic, but commercially astute support “Genuinely, we valued your pragmatic, but commercially astute support. It has helped us get this tricky deal over the line in a manner that we both feel supports our needs in a balanced way and gives L

  • Chey, July 2026
    Professional and speedy “I’m extremely happy with the service provided by RIAA Barker Gillette. They were very professional, dealt with my matter at speed and were very accommodating with my disability. I wouldn’t hesitate to use th

  • Client, June 2026
    Thank you “I had a call with Pippa that was not only factual and to the point but also reassuring and very helpful. Would highly recommend.”

  • Client, June 2026
    Trusts services “Very helpful service which solved our problem.”

  • Client, June 2026
    Probate Services “We used Patrice Lawrence to deal with our parents’ probate, and she handled the case promptly, professionally and with the respect due for a matter of this nature.”

Read more
Send this to a friend