December 18, 2017

Morrisons Data Leak Highlights GDPR Threat to Employers

Business owners have been given a wake-up call by the news that thousands of employees are suing the supermarket Morrisons after their personal details were leaked online by a senior IT employee.

With the new General Data Protection Regulation (GDPR) coming into force in May 2018, the case highlights the financial and reputational risks surrounding the security, storage and use of valuable employee information.

Warning for businesses

The leak saw sensitive information on 100,000 employees of the supermarket chain posted online. Information including their salaries, national insurance numbers, dates of birth and bank account details was also sent to a number of newspapers.

Morrisons has had negative media coverage since early 2016 when the sensitive personal information was stolen from the company.

Not only does it have reputational damage to repair, but there is also a trust issue between management and staff members.

This data theft is a huge wake-up call for all types of businesses that handle employee data: they need the proper systems and procedures in place.

More importantly, it should prompt businesses to understand more fully the implications of the upcoming GDPR rules for sensitive data.

Key GDPR points to understand

  • Organisations must appoint a Data Protection Officer (DPO), responsible for overseeing the collection and security of personal data, if they:
    • are a public authority (except for courts acting in their judicial capacity);
    • carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
    • carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.
  • The legislation also applies to any other business if there is any risk to the rights and freedoms of data subjects, if the data processing is frequent, or if the processing includes special categories of data (defined in GDPR Article 9).
  • Data security breaches in the UK must be reported immediately to the Information Commissioner’s Office (ICO): ideally within 24 hours, and at the latest within 72 hours.
  • Employees have more personal data rights, such as the ‘right to be forgotten’ if consent is withdrawn or the data is no longer needed
  • Businesses that fail to comply with the new legislation will be met with significantly heavier punishments than current penalties

What does GDPR mean for your business?

You must comply with the new regulations regarding the security, storage and use of personal information, which will come into force on May 25, 2018.

Find out how GDPR will impact small businesses and how to stay compliant with the new legislation.

Moorepay can help you through the process so you stay compliant with GDPR – call us on 0845 814 4615.

About the author

Stuart Clough

Stuart (MCIPR) is a trained journalist, writer and marketer with ten years' experience in B2B, public sector and employee communications. A former marketing consultant and agency client-lead, Stuart is responsible for communications and content at Moorepay.
