Manufacturers must protect employee data under new rules

A landmark High Court case has highlighted the need for employers to be ready to comply with new data protection laws due to come into force in May. Julia Fitzsimmons from FBC Manby Bowdler takes a look at the case of supermarket giant Morrisons being taken to court by employees after disgruntled former staff members leaked payroll data online.

The case demonstrated how important it was for employers to be on top of rules on data protection. The new General Data Protection Regulation being introduced in May 2018 will bring with it tighter rules and greater penalties for data processing. The Morrisons case has made the preparation even more pressing for businesses.

This judgement is of huge importance because Morrisons was held liable for the criminal misuse of third party data by an employee. The impact extends beyond the claims for compensation from employees, it’s also the impact on reputation and the financial and physical resources involved in dealing with the data breach.

 

It is believed Morrisons spent more than £2m in responding to the misuse. Data breach is a growing worry for businesses, whether relating to employees or customers. Signalling a tough new era in EU-wide data protection law, the GDPR will replace the UK’s 1998 Data Protection Act, with new powers for data regulators and much stricter operating boundaries for businesses that process personally identifiable information about individuals.

The aim is to harmonise data protection across all EU member states by making it simpler for everyone, including non-European companies, to comply, but it brings greater responsibilities for data processors and big penalties of up to four per cent of worldwide turnover for non-compliance.

The biggest change is that the directive applies to any business processing personally identifiable information about EU citizens, which will include personal information on staff held by employers.

The Government has said that GDPR compliance will be the minimum standard in UK law post-Brexit. Any employer who hasn’t already started on the journey towards GDPR needs to do so as a matter of urgency, as every business and organisation is affected, however small, and must be able to demonstrate they are complying, not just dealing with problems after they occur.

While it’s likely that most will need some specialist expertise on the legal technicalities and IT processes, as a starting point there is some excellent preparatory guidance on the Information Commissioner’s website.

Organisations will also have to provide more information about how data will be used and how long it will be kept for, as data must not be held for any longer than necessary.

Under GDPR there will be a statutory obligation to notify the regulator – the ICO in the UK – of any breach, if an individual’s personally identifiable information is at risk as a result.  Fines can range up to a maximum of €20m, or 4% of total worldwide turnover for businesses, for serious contraventions.