6th June 2019
We are now one year into the new, tougher data protection regime under the General Data Protection Regulation (GDPR). As Sarah Everton, employment law expert with Myers & Co Solicitors in Stoke-on-Trent, Staffordshire explains, Brexit or no Brexit, these rules are not going away any time soon. Sarah takes us through what the first year has taught us and provides a checklist to help employers continue to comply.
New regulations ensure that the GDPR will still be in force in the UK after the UK leaves the EU. If you just operate within the UK, there will be little change. However, if you transfer personal data to or from Europe, things may change depending on the terms of the UK’s exit. The Information Commissioner’s Office (ICO) has further guidance and resources on Brexit.
You are now required to report to the ICO any data protection breach, such as an unauthorised disclosure of an employee’s personal data to a third party, that presents a risk to an individual. We can help you assess whether you need to report any breaches. You are also required to inform the individual, and strict time limits apply.
When the GDPR came into force, enhanced powers were given to the ICO to enforce data protection law, including the power to impose fines of up to €20 million or four per cent of worldwide turnover, if higher. Individuals can also receive compensation for distress caused by a data protection breach. Other than in relation to the data protection fees, cases under the new law are yet to come through the system so it is too early to see the level of damages that will be awarded. However, increased awareness of data protection rights, coupled with the obligation to report some data breaches to the ICO, makes it likely we will see increased numbers and levels of fines.
The 2018 Court of Appeal case in Various claimants v WM Morrison Supermarkets plc was the first group action for a data protection breach. Over 5,500 employees brought a claim against their employer Morrisons after a vindictive data breach by a senior IT auditor. The auditor, who had a grudge against his employer, disclosed the personal data of nearly 100,000 of his co-workers online. Even though he wanted to cause harm to his employer, and he disclosed the information from home outside his working hours, Morrisons was still liable for the disclosures. Although the facts of this case were unusual and there was probably little more that Morrisons could have done to protect its employees’ data, it shows the extent to which employers can be liable. There’s a more detailed consideration of the case here.
Morrisons is appealing to the Supreme Court against this decision. However, the courts are increasingly finding employers liable for the acts of their employees.
Many employees may not properly understand their individual responsibilities under data protection law. Just having a data protection policy is not enough; employers must train their staff, continue to remind them of their responsibilities and make breach of data protection law a serious disciplinary offence. Even if there is no claim against the employer, the ICO’s reports name the employer, so reputational damage is unavoidable.
We can advise you on how and when you can lawfully monitor your employees’ emails to protect the personal data that your employees can access.
Here are a few examples of actions by employees that have landed them in a criminal court:
Data protection is an ongoing responsibility. The likelihood and consequences of enforcement action are much more significant under the new regime. Here are a few areas to think about to ensure you are complying:
For help with becoming compliant or checking you are still compliant with data protection law, please contact Sarah Everton in the employment law team on 01782 525012 or email email@example.com.
This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.