GDPR and Morrisons – what can other organisations learn from this?

18 April 2018

In 2014 Morrisons supermarket suffered a serious data breach, when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) were posted online. In this article we look at some of the practical ways an organisation can protect themselves from an HR perspective with GDPR in mind.

Quick recap on the facts of the case:

The payroll data had been supplied by Morrisons to its external auditor. Security measures were taken in that the data was copied from the secure software in which it was held onto an encrypted memory stick by an authorised employee in HR, and then uploaded to the encrypted laptop of a different authorised employee (a senior internal IT auditor). The data was then downloaded onto a further encrypted memory stick provided by the external auditors and sent on as planned.

The senior IT auditor copied the data to a personal USB stick before deleting the data from the laptop then he posted the payroll data online on a public file sharing website as well as tipping off the press of this data breach and going as far as attempting to implicate an innocent colleague. The press then informed the supermarket of the data breach.

It is believed the employee harboured a grudge against Morrisons although this was not known to the supermarket at the time of the breach.

Over 5,000 affected employees brought claims against Morrisons for alleged breaches of the Data Protection Act 1998. Despite the supermarkets swift action on discovering the breach and cooperation with the Police and banks, the High Court found Morrisons to be vicariously liable for its employee's actions. The High Court was however satisfied that the supermarket was not directly liable for the data protection breaches as they had limited access to the data, they had internal checks to see who had accessed the data and they had used appropriate methods of transfer to pass the data to their external auditor.

What can employers do now to protect their workforce data?

With the EU General Data Protection Regulations (GDPR) fast approaching (implementation date of 25 May 2018 looming), employers need to be more vigilant than ever about the security measures they have in place to protect their workforce personal data. Companies are advised by the ICO (The Information Commissioners Office) to build privacy by design into all their processing of personal data and from the HR perspective it is important employee data is treated in the same way.

Organisations should review the HR systems and processes they have in place to control the access and use of personal data by employees, thinking about the following.

  • Who has access to the data?
  • Do the right people have access to the data?
  • Has the number of people who can access the data been limited? If so how?
  • Can the organisation readily identify who has accessed and/or copied the data?
  • What safety measures are put in place to protect employee data?
  • If an organisation issuing USB sticks are they encrypting those sufficiently in light of GDPR?
  • What steps would be taken in the event of a data breach? Ie a briefcase containing personal and sensitive data has been left in public or stolen, an USB stick gets lost in transit.
  • Are employees aware of who to contact with concerns? 
  • Is someone in the organisation designated as being responsible for data breaches and following the correct procedures under GDPR? 
  • Are you employees sufficiently knowledgeable and trained in GDPR?

At the very least HR practitioners need to be carrying out the following recommended steps towards GDPR compliance.

  • Step 1: Data Mapping Exercise
    • Carry out an HR audit of all workforce data processing – reviewing what workforce data is being processed, what it is used for, why is this data needed, who is the data shared with, where are those parties based, how long is it kept for?
  • Step 2: Gap Analysis – Mind the Gap
    • Carry out a gap analysis – understand your current approach to data protection and review against what is required under GDPR.
  • Step 3: Take Action – Take Accountability for your data processing
    • Implement the required changes as identified from the gap analysis.

For example, companies will need to review and update data protection policies and contracts of employment where necessary and issue privacy notices to all employees new and prospective from 25 May 2018.

Employers need also be to mindful that GDPR creates an ongoing commitment to building privacy by design into the processing of personal data. GDPR compliance should be undertaken on an ongoing basis as processes change. Making someone accountable in the organisation for considering the needs of data subjects would be a prudent and sensible going forward. In particular HR needs to have privacy in mind when considering workforce data and the processing attached to that.

For further information about how RSM can help you with GDPR, please contact Kerri Constable or your usual RSM contact.