A landmark High Court ruling on Friday 1 December 2017 allows those affected by data breaches to claim compensation for the "upset and distress" caused.
In this instance, the data breach involved a disgruntled employee of Morrisons supermarkets stealing the personal data of all its employees, including their salaries and bank details, and posting everything online. The individual concerned, a senior auditor with the company, was later convicted and jailed for the offence.
This is the first class action of its type involving a data leak in the UK. As we’ve already stated in our previous blog, the consumer action group Which? is currently lobbying the government to include class actions within the new Data Protection Bill (the UK legislation implementing GDPR), which is currently going through parliament.
The breach in this case would also fall foul of the privacy-by-design requirement within the new GDPR rules. Organisations are expected to protect personal data (including internal staff data) even when they are themselves the victim of criminal activity, so the regulation would expect that no single individual should ever need to download a dataset of this kind, nor be able to view all of it without supervision.
The key questions for organisations are: are we taking appropriate steps to protect the data, and are we appropriately prepared to respond to incidents that put the data at risk?
Companies of all sizes need to consider who has access to individuals’ sensitive data, ensure it remains protected at all times, and ensure it is only accessed as needed. In practice that means least-privilege access, limiting each role to the fields it actually needs, a second approver for any bulk extract, and an audit trail of who accessed what. This will require changes to processes as well as systems.
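The following is an added illustration of the controls described above; it is not code from the original post, nor from Morrisons or any system involved in the case. It assumes a small HR/payroll service with two roles (payroll and auditor), a constructed dataset of fictional employees and bank details, and an illustrative threshold above which a read counts as a bulk extract. It shows three things the post calls for: an auditor can reconcile salaries without ever receiving bank details (field minimisation), nobody can pull the whole dataset on their own (dual control, with one-shot approval tickets so an approval cannot be replayed), and every access attempt, allowed or denied, lands in an audit log.

```python
"""Access gate for a sensitive payroll dataset (illustrative, not a real product)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: fictional employees and fictional bank details.
PAYROLL = {
    1001: {"name": "A. Example", "salary": 31000, "sort_code": "00-00-00", "account": "00000001"},
    1002: {"name": "B. Example", "salary": 28500, "sort_code": "00-00-00", "account": "00000002"},
    1003: {"name": "C. Example", "salary": 45000, "sort_code": "00-00-00", "account": "00000003"},
    1004: {"name": "D. Example", "salary": 52000, "sort_code": "00-00-00", "account": "00000004"},
}

# Assumed roles and the fields each one needs. Auditors reconcile salaries, so
# bank details are withheld from them rather than trusted to their discretion.
ROLE_FIELDS = {
    "payroll": {"name", "salary", "sort_code", "account"},
    "auditor": {"name", "salary"},
}

# Assumed threshold: a request for more records than this is a bulk extract and
# needs a second person to approve it (dual control).
BULK_THRESHOLD = 2


class AccessDenied(Exception):
    pass


@dataclass
class PayrollGate:
    roles: dict                                    # user -> role name
    audit_log: list = field(default_factory=list)
    approvals: dict = field(default_factory=dict)  # ticket -> (requester, approver)

    def _log(self, user, action, count, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "records": count, "outcome": outcome,
        })

    def _fields_for(self, user):
        role = self.roles.get(user)
        if role not in ROLE_FIELDS:
            raise AccessDenied(f"{user} has no payroll role")
        return ROLE_FIELDS[role]

    def read_record(self, user, employee_id):
        """Single-record access, minimised to the fields the caller's role needs."""
        try:
            allowed = self._fields_for(user)
        except AccessDenied:
            self._log(user, "read", 1, "denied")
            raise
        self._log(user, "read", 1, "ok")
        return {k: v for k, v in PAYROLL[employee_id].items() if k in allowed}

    def approve_bulk(self, ticket, requester, approver):
        """Dual control: the approver must be a different person who also holds a role."""
        if approver == requester:
            raise AccessDenied("requester cannot approve their own bulk export")
        self._fields_for(approver)
        self.approvals[ticket] = (requester, approver)
        self._log(approver, f"approve:{ticket}", 0, "ok")

    def export_bulk(self, user, employee_ids, ticket=None):
        """Above the threshold, refuse unless a distinct approver signed off this request."""
        try:
            allowed = self._fields_for(user)
        except AccessDenied:
            self._log(user, "export", len(employee_ids), "denied")
            raise
        if len(employee_ids) > BULK_THRESHOLD:
            approval = self.approvals.pop(ticket, None)  # one-shot: a ticket cannot be replayed
            if approval is None or approval[0] != user:
                self._log(user, "export", len(employee_ids), "denied:no-approval")
                raise AccessDenied("bulk export needs an approved ticket for this requester")
        self._log(user, "export", len(employee_ids), "ok")
        return [{k: v for k, v in PAYROLL[i].items() if k in allowed} for i in employee_ids]


def _refused(fn):
    try:
        fn()
        return False
    except AccessDenied:
        return True


def demo():
    """Walk through the scenario; returns values so the behaviour can be checked."""
    gate = PayrollGate(roles={"alice": "payroll", "bob": "auditor"})
    single = gate.read_record("bob", 1001)                       # no bank details for an auditor
    alone = _refused(lambda: gate.export_bulk("bob", list(PAYROLL)))   # whole dataset, no approver
    self_ok = _refused(lambda: gate.approve_bulk("T-0", "bob", "bob"))  # cannot self-approve
    gate.approve_bulk("T-1", requester="bob", approver="alice")
    export = gate.export_bulk("bob", list(PAYROLL), ticket="T-1")
    replay = _refused(lambda: gate.export_bulk("bob", list(PAYROLL), ticket="T-1"))
    return single, alone, self_ok, export, replay, gate.audit_log


if __name__ == "__main__":
    for entry in demo()[-1]:
        print(entry)
```

The audit log is the part most organisations skip and most regret: it is what lets you answer "who accessed what, when" during incident response, and the denied entries are the early warning that someone is probing for a bulk pull.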
The more worrying aspect of the ruling, from an employer’s point of view, is that the company is being held vicariously liable for the illegal act of one of its employees. Rulings of this type are raising widespread awareness of data protection issues, paving the way for legal firms and individuals alike to pursue future class actions.
Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Download your free guide to GDPR for recruitment agencies.