January 8, 2019

Time to Audit Your GDPR Compliance?

2018 saw a significant increase in referrals to the Information Commissioner, and fines doubled – even under the old legislation. The penalties are higher under the new legislation. Plus there’s the risk of you being made vicariously liable for your employees’ actions. With this in mind, now is undoubtedly the time to revisit the adequacy of your GDPR provisions.

GDPR hitting the headlines

We have seen higher fines and a spike in data complaints since the introduction of GDPR. The following statistics and fines for data breaches provide examples of this:

  • Average fines imposed by the Information Commissioner have doubled from £73,000 to £146,000 in the last twelve months.
  • The ICO has handled an extra 46,000 enquiries – a 25% increase.
  • The ICO issued a £500,000 fine to Facebook for abuse of data analytics for political purposes (the maximum fine under the previous legislation).
  • Uber was hit with a £385,000 penalty for allowing UK accounts to be hacked.

So far, all prosecutions have been under the 1998 legislation. Elizabeth Denham, the Information Commissioner, said the Facebook fine “would have been significantly higher under GDPR”. It could potentially have cost Facebook £18 million.

What issues are employers facing following the introduction of the new data protection rules?

Since GDPR came into effect we have received countless enquiries from clients concerned about unintentional data breaches. These include:

Cyber Security

Several incidents have involved “malware”: computer programmes that steal confidential information or money, destroy data, or compromise or disable systems and networks.

The most frequent of these has been staff accidentally opening infected email attachments.

Employees sharing confidential information

Some issues have revolved around staff passing on or sharing confidential information inappropriately. On investigation, most infringements have been down to a lack of basic I.T. security provisions, such as encryption, and/or insufficient staff training.

Referrals to the ICO reveal that cyber security incidents are up by over 30%. Looking at specific sectors, there was a 69% increase in reported incidents in the charity sector, with emails sent to the wrong recipient being the main cause.

The ICO logged over 400 significant data security incidents in the business, education and health sectors alone in just three months.

Morrisons Data Breach and Vicarious Liability

Another huge data protection storm is brewing. Morrisons, the supermarket chain, is facing claims for compensation from 5,000 staff. An ex-employee committed criminal activity and Morrisons is being held “vicariously liable”.

What is vicarious liability?

So, what is vicarious liability, and should you worry about it? The main principles were actually established by a case well over 100 years old. A solicitor’s clerk back in 1912 fraudulently tricked a client into signing away her property, and the court of the day said: “The master is responsible for every wrong of the servant or agent in the course of their service for the master’s benefit”. In other words, if your staff use their role as your employee to do something inappropriate, you will likely be held responsible.

Claim Against Morrisons

This is exactly the position for Morrisons. They employed Andrew Skelton as an I.T. auditor. He received a minor disciplinary penalty, became resentful and decided to take revenge on Morrisons. Skelton had legitimate access to an encrypted USB stick containing the company’s payroll records. He decrypted it and made a second copy – ultimately uploading it to an internet file-sharing site and sending copies to various newspapers.

Skelton was sentenced to eight years’ imprisonment. It cost Morrisons an estimated £2 million to sort out all the issues arising from his actions. Nevertheless, successive courts have, thus far, found Morrisons vicariously liable for what he did. The Supreme Court will determine the compensation for the 5,000 staff this year.

Morrisons argue that they took every reasonable precaution to protect employees’ data and that holding them responsible for Skelton’s criminality is unjust. They argue that they offered every possible support to staff once his activity became known. Morrisons also stated that no member of staff (to their knowledge) suffered financially. So far, this defence has found little sympathy from the courts.

Could you be liable for similar criminal acts by your employees?

You may well be alarmed that you could be liable for such criminal acts by your employees. The principle of vicarious liability makes this entirely possible. You could even find yourself fined by the ICO for a breach of data protection legislation and be subject to a claim for compensation from those potentially affected.

Next steps

Moorepay can offer consultancy services to help you audit GDPR provisions from a human resources perspective. These include visiting or re-visiting your HR processes and records to identify vulnerabilities.

About the author

Mike Fitzsimmons

Mike is a Senior HR Consultant within the Moorepay Policy Team. He is responsible for developing employment documentation and is an employment law advisor. With over 30 years of senior management and HR experience, Mike has managed teams of between 30 and 100 employees and is familiar with all the issues that employing people brings. He has also served as a non-executive director on the boards of several social enterprises and undertook a five-year tour of duty as Executive Chair of a Government agency with an annual turnover of over £30 million.