December 18, 2017

Morrisons Data Leak Highlights GDPR Threat to Employers

Business owners have been given a wake up call after the news that thousands of employees are suing Morrisons supermarket after their personal details were leaked online by a senior IT employee.

With new the General Data Protection Regulations (GDPR) coming into force in May 2018, it highlights the financial and reputational risks of the security, storage and use of valuable employee information.

Warning for businesses

The leak saw sensitive information of 100,000 employees of the supermarket chain posted online. Information including their salaries, national insurance numbers, dates of birth and bank account details were also sent to a number of newspapers.

Morrisons has had negative media coverage since early 2016 when the sensitive personal information was stolen from the company.

Not only has it been hit with reputational damage to repair, but there is also a trust issue between management and the staff members.

This data theft is a huge wake-up call for all types of businesses that handle employee data that they need the proper systems and procedures in place.

More importantly, it should prompt the need to more fully understand the implications of the upcoming GDPR rules on sensitive data.

Key GDPR points to understand

  • Organisations that need to employ a Data Protection Officer (DPO), responsible for ensuring the collection and security of personal data, if they:
    • are a public authority (except for courts acting in their judicial capacity);
    • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking), or;
    • carry out large scale processing of special categories of data or data relating to criminal convictions and offences
  • The legislation also applies to any other business if there is any risk to the rights and freedoms of data subjects, if the data processing is frequent, or if it the processing includes special types of data (defined in GDPR Article 9)
  • Data security breaches in the UK must be reported immediately to the Information Commissioner’s Office (ICO), ideally, within 24 hours if possible but at least within 72 hours
  • Employees have more personal data rights, such as the ‘right to be forgotten’ if consent is withdrawn or the data is no longer needed
  • Businesses that fail to comply with the new legislation will be met with significantly heavier punishments than current penalties

What does GDPR mean for your business?

You must comply with the new regulations regarding the security, storage and use of personal information, which will come into force on May 25, 2018.

Find out how GDPR will impact small businesses and how to stay compliant with the new legislation.

Moorepay can help you through the process so you stay compliant with GDPR – call us on 0845 814 4615.

Want a round-up of stories like this delivered to your inbox?

About the author

Stuart Clough

Stuart (MCIPR) is a trained journalist, writer and marketer with ten years' experience in B2B, public sector and employee communications. A former marketing consultant and agency client-lead, Stuart is responsible for communications and content at Moorepay.