The way companies handle and control personal data is on the brink of a seismic shift, partly as a response to the ever increasing digital economy and society. In the UK, the Data Protection Bill introduced to the House of Lords on 13 September 2017 will replace and update the existing Data Protection Act 1998, and will bring into UK law its implementation of the EU's General Data Protection Regulation (GDPR). The Bill provides stronger rights for the individual over their data and much stronger sanctions for malpractice. In Jersey, the new Data Protection Law was debated and passed unanimously in the States on Tuesday 16 January 2018. It is imperative that Jersey has equivalent legislation in force by 25 May 2018 when the EU will introduce GDPR, with effects on all EU citizens and all doing business with EU citizens and organisations.
GDPR will force organisations to take more care over the data they store. Not only does the law introduce new rights for an individual, the categories of personal data over which those rights exist have become significantly wider; and the penalties for failure to comply more punitive. The quantum of fine which may be imposed reflects the breach, however the maximum fine is €20m or 4% of annual worldwide turnover – whichever is the greater.
The impact of GDPR will vary from business to business depending on the nature of the business and its jurisdictional footprint. Advice to ensure a business is adequately prepared with policies and procedures requires careful tailoring.
A recent case involving Morrisons Supermarket [2017] EWHC 3113 (QB) is a wake-up call in respect of the need for heightened vigilance in data security and personal data management.
Although there is much in the media regarding the increase in frequency and sophistication of cyber security breaches, the Morrisons Supermarket case did not involve a sophisticated phishing exercise or targeted malware attack. The perpetrator was a disgruntled employee who simply copied payroll data onto a personal USB stick and then leaked the personal data of approximately 100,000 Morrisons' employees. Morrisons took appropriate and prompt remedial action and therefore primary liability claims failed. However, Morrisons could not anticipate that over 5,000 of its employees would bring a class action for compensation on the basis of secondary / vicarious liability. Unfortunately for the supermarket, it was found to be vicariously liable and therefore accountable for the act of its rogue employee. It troubled the court that the disgruntled employee had set out to injure Morrisons, that they had succeeded, and that Morrisons, having suffered harm, then had to compensate the victims of the data leak. However, by its very nature vicarious liability finds a faultless party legally responsible for the wrong actions of another, and thereby the victim of the wrong is not deprived of a remedy. In the Morrisons case, the criminality of the disgruntled employee did not break the link between his act and Morrisons' liability. Morrisons were granted leave to appeal on the point that penalising Morrisons for an employee's criminal act indirectly assisted the criminal's aim, i.e. to harm Morrisons.
Very few businesses these days do not hold personal data. Imposition of the GDPR provides individuals with greater rights in relation to that data, and greater scope for redress in the event of a cyber security breach. Following the Morrisons Supermarket case, which no doubt will go to appeal, it is entirely possible that more class actions may arise where individuals look to the courts, or to regulators such as Jersey's Information Commissioner, to uphold the fundamental principles of GDPR. Banks and financial organisations have a responsibility to protect not only their customers' money from online fraud, but also their customers' data.
Digital technologies mean that citizens and businesses can do more online, however they are no respecter of personal boundaries. With the prevalence of digital transactions and storage of data it is easy to find new ways to defraud businesses and steal data, with ramifications not only for the bottom line of a business but also its reputation. Our personal data footprint – on social media, banking etc. – provides a gateway to our personal assets and also potentially to those of our employer and fellow employees.
Breaches of cyber security and personal data management have serious legal consequences. The approach to advising clients necessitates the involvement of a cross disciplinary team with specialists in litigation and employment law as well as data protection and intellectual property. Cicero Group said that the safety of people shall be the highest law. It will be interesting to see whether the GDPR will provide a necessary safeguard over personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
