GDPR and Morrisons: the perils of vicarious liability

With GDPR in full swing and with the Morrisons class action underway, how can organisations mitigate the risk of vicarious liability?

Perhaps you imagined waking up on 25 May 2018 to an inbox clear from marketing emails; your name anonymous to all but family and friends; and electricity surges being reported the world over as servers were powered down – free from the strain of decades of data that had built up without a lawful basis?

Perhaps you have listened to the sales patter of the burgeoning horde of “specialists” beating the drum for their particular bright shiny compliance silver bullet with scepticism, harking back to a similar painful and pricy process you undertook in the late 90s… (Who knew that the millennium wasn’t a digital apocalypse after all?)

Or, perhaps you are an employer trying to do the “right thing” by making privacy-focussed updates to your cybersecurity environment and supporting systems and procedures, only to find that one of your employees has turned rogue and leaked a bunch of personal data, for which your business is now vicariously liable to the regulator and all affected data subjects?!?

At the time of publication, a class action of up to 100,000 Morrisons staff are currently in line for compensation under the 1998 Data Protection Act for the upset and distress caused when their payroll data, including names, addresses, bank account details and salaries, was leaked in 2014 by an internal auditor acting on a personal grudge.

Although Morrisons were acknowledged to have had robust security measures in place; responded quickly to mitigate the impact; and had no way of knowing that their employee was intending to abuse his access privileges, the High Court ruled that the supermarket was nonetheless vicariously liable to all subjects affected.

So, whilst much of the underlying law has not changed (you must have a lawful basis for holding data; tell people what you hold about them and how you use it; protect it adequately; etc.), the potential for vicarious liability of employers is particularly troubling when combined with (a) the newly introduced principle of accountability; (b) the vastly enhanced scale of penalties (lest we forget the separate risk of uncapped civil damages to “victims” of a breach); and (c) much-increased public awareness.

Regardless of your personal views or disillusionment with the GDPR, if Morrisons could not have done anything differently and are now facing a big claim plus the reputational damage that goes with this, where does that leave business owners and their advisers who are trying to assess and mitigate risk in the age of privacy by design?

The truth is that we are some four or five years away from the first GDPR cases working their way through the court appeals process, and a clearer picture emerging. However, the Morrisons case illustrates the dangers associated with employee access/controls and does give some key takeaways on how to review your systems.

In any business, and accountancy is by no means an exception, people can be the greatest strength, but also the biggest weakness. Look no further than Edward Snowden (villain or hero) to demonstrate that organisations with the highest level of security still have vulnerabilities. Systems can prevent and alert to so much – but there is always human error – and let’s not forget malice!

It is vital for businesses to have considered what a breach looks like for them and the action they would need to take. Working back from that, are reasonable systems in place to prevent it, and have they been suitably documented by reference to clear disciplinary measures in the event of employee non-observance?

In order for a business to use data, it has to be available. Restricting access can only go so far before it defies the purpose of having the data at all, and while there never has been a sure-fire way of securing data (someone could always walk away with the copy you didn’t know existed), it is the scale of information that can be extracted at phenomenal speed that is the scary piece.

Security therefore needs to be taken extremely seriously. There are ways of securing data and alerting you when it is extracted, and if you can move 1GB of data in a few seconds, then the digital cabinet needs to be well alarmed. It will at times be entirely unworkable to lock things down. You can lock a cabinet, but the people that need to get in will need the key, so under what security is the key held, and at what point can the contents be so rarely accessed that they are pointless to hold? We are not talking of the physical building but a virtual 24-hour office.

Also critical to mitigating risk will be the ongoing involvement of external advisers to assess and implement business-specific legal and security solutions and training that are effective and proportionate to the nature of the particular business at hand having regard to the many other competing interests for time and budget (there is more to life than the GDPR!).

Remember, that this is not just about privacy-related risks, but the much broader organisational and reputational impact that extends to all business data and its security and usage.

From a professional perspective, should we be providing for the higher of €20m/4% global turnover in every set of accounts produced, with a surplus for civil claims? Or should we have some faith in the approach of the supervisory authorities and the courts as they look to enforce this pervasive new area of compliance?

These are questions that will need to be explored and informed in consultation with the regulators as the lay of the land becomes better travelled; however, beware the perils of vicarious liability, which should be mitigated, but cannot be entirely eliminated.

Huw Williams is a chartered accountant and Ben Robson is a corporate and commercial solicitor. Both are partners at Oury Clark, the professional services business comprising two professional firms operating under a common brand.
