Welcome to this Digital Compliance Hub training module.
Available as part of your Hub subscription.
We’re going to be covering data protection basics and what you need to consider when working in your organisation.
You’ve probably heard of the General Data Protection Regulation or GDPR – it was a new EU data protection regulation which became law in the UK on 25th May 2018.
So why this training?
1. As we mentioned, the law has recently changed
2. Your organisation needs to be compliant
3. It’s important that everyone in your organisation understands what it means to them
4. Everyone has a role to play in data protection compliance
5. There are penalties if we get it wrong
What will we be covering?
Introduction to data protection
What compliance means, day to day
What if we get it wrong?
Next steps for you
Data protection law has lots of definitions but we’re just going to cover the essentials:
Personal Data
Processing
Data Subject
Data Controller
Data Processor
Personal Data
Personal data is any data that can be used to identify an individual either directly or indirectly.
“Directly” means that it is data that is obviously personal, so it may contain a name, an email address, postal address, etc.
“Indirectly” means that on its own the data doesn’t look personal, but when used with other information an individual can be identified from it, e.g. location data on its own may not identify an individual but when you couple it with a customer database containing a postal address, both sets of data become personal.
NOTE: there are “special categories” of data too. This data is things like medical information, trade union membership, biometric data used for ID, etc. The rules for processing this data are even stricter than for “normal” personal data.
Processing
Processing of personal data is everything you do with that data. It has a wide definition and includes more than the purpose for which you collected the data in the first place. It includes:
• Processing the data for the purpose for which you collected it in the first place
• Storing data (including in the cloud)
• Editing or manipulating the data
• Sharing the data
• Deleting the data
NOTE: This also means that “processing” includes adding, storing and using the data in online software systems such as CRMs, cloud storage, MailChimp, Google Drive, Dropbox, etc.
Data Subjects, Controllers & Processors
The Data Subject is the individual whose personal data is being processed.
The Data Controller is the organisation that collects the personal data from the Data Subject and determines how it’s going to be processed.
A Data Processor is an organisation that processes the data on behalf of the Data Controller. Remember that the wider definition of processing means you may be using Data Processors in all sorts of ways across your organisation.
Processing example: email marketing
A subscriber gives you their email address because they want to receive your email newsletter. The subscriber is the Data Subject, the email address is Personal Data and you are the Data Controller.
You store their email address in email marketing software, MailChimp… MailChimp is a Data Processor, and storing the address there is Processing.
…but ask a digital marketing company to actually send your email newsletter to your subscribers. The agency is a second Data Processor, and sending the newsletter is also Processing.
Data Protection Principles
There are a number of “rules”, called Principles, which set out what you can and can’t do with personal data. All processing must be:
Lawful: This means that if there is a law or regulation that prevents you from processing the data in the way you want to, then you can’t process it. Plus there must be a lawful basis for processing (which we’ll come onto in a bit).
Fair: This means that a Data Subject shouldn’t be surprised to find out you have their data, or how you are processing it.
Transparent: You have to be open and clear about how you’re processing someone’s data.
Specific Purpose: This means that you can only process the data for the original purpose for which you collected it. If you want to do something else with the data then you will need to make sure it is lawful for you to do so and that another lawful basis for processing exists.
Relevant: This means you must only collect and process the personal data that is relevant for the purposes for which you want to process it. So, if you don’t need to collect a postal address or date of birth, then you should not ask for that personal data.
Accurate: You have a duty to make sure you update your records if a Data Subject tells you their data has changed, and when it is appropriate for you to do so, you should check that the data you hold is still accurate and up to date.
Not forever: You must not keep data forever. If you no longer need it and there is no lawful basis for you to continue to process it then you must delete it.
Secure: All processing (remembering the wide definition of processing) must be done securely, so the security of the data and of how you process it is very important (more on that in a bit).
Accountable: This means that it’s not good enough that you ARE compliant – you have to be able to prove it! Accountability crops up throughout the GDPR, from recording your processing activities to proving you have sought consent (when you need it).
PLUS:
Subject’s Rights: There are a number of individuals’ rights that apply to Data Subjects (e.g. subject access right, right to be informed, etc.). You must make sure that you have processes in place to honour those rights.
International: And finally… there are strict rules about processing personal data outside the EU. You may only do so if adequate data protection controls are in place. Adequacy means one of:
• The country has equivalent laws and is approved by the EU
• There is an EU agreement in place (e.g. the US Privacy Shield), or
• There is a contract in place using the EU’s standard contractual clauses (“model clauses”)
Lawful Basis for Processing
For processing to be lawful there are a number of lawful bases for processing, and you need to be able to rely on one of them:
1. CONSENT
• Consent means that the Data Subject has given you permission to process their data
• The law has specific requirements about what consent looks like
• It is often thought that you need consent for all processing – this is NOT true
• Think of consent as a binary option; a YES or a NO
• If you need to process the data even when the answer is NO, then consent is not going to be the right lawful basis for processing.
• There is also a problem with consent: it can be withdrawn, at any time, by the Data Subject and you cannot do anything about it
2. CONTRACT
• If you are processing data as part of performing a contract or as agreed with a customer/user, then this is the most applicable lawful basis for processing
• You don’t need to ask for consent to process as well
3. LEGAL OBLIGATION
• If a law or regulation requires you to process data in a particular way then this is your lawful basis for processing
• Examples include tax law, care law for those operating in the care sector, disclosing data to law enforcement or government agents, etc.
4. DATA SUBJECT’S INTEREST
• This is the life or death situation
• It would be lawful for you to process personal data if it’s in the vital interests of the Data Subject
• An example would be if a colleague collapsed: it would be lawful to disclose information that might help the paramedics care for your colleague, and you wouldn’t need to think about data protection, consent, etc.
5. PUBLIC INTEREST
• Public bodies (e.g. government, council, schools, universities, etc.) may rely on this for carrying out certain public interest tasks
6. LEGITIMATE INTEREST
• Often thought of as the default lawful basis (if not thinking about consent) because it sounds as though you just need to be able to show it’s in your interest to process the data
• But this is not the case. Legitimate interest can be tricky because you have to demonstrate:
1. The purpose of processing, in terms of why, and that it is lawful
2. That the processing is necessary
3. That the processing is not harmful to the rights of the Data Subjects
Compliance in Practice
Not everything discussed in this next section will necessarily apply to you and your role.
But it’s important (a) that you know when it does and (b) that you know what else your colleagues, or perhaps the Data Protection Officer or lead within your business, need to know about when you do process personal data.
Compliance in Practice: Collecting Data
When we collect data, we will:
Only collect the data we actually need and not collect or ask for anything extra, just in case
Make sure it is clear to the individual why we need this data, and if it’s not…
Make sure we have a suitable Privacy Notice or similar statement that explains everything
Compliance in Practice: Using & Storing Data
Once we’ve collected the data, we will:
Only use it for the purpose we originally collected it for
Only keep it for as long as we need it or for as long as it is lawful for us to do so (as per the lawful basis for processing), delete it if we no longer need it and don’t keep it “just in case”
Be mindful, if we keep copies for local processing, to delete them once we’re finished (so we don’t leave copies of data lying around on our computers or servers)
Compliance in Practice: Security
When we process data, we will:
Do so securely
Make sure we protect the data from unauthorised access or viewing
Only share data or take it out of the office in a way that protects it and is secure
Avoid copying the data to our own personal devices or online services
Tell the data protection lead if we see something that might be a breach
Compliance in Practice: Individuals’ Rights
Data subjects have a number of rights which they can exercise at any time, relating to the way we process their data.
We’re not going to go through all of them, but will cover the important ones.
Subject Access
An individual has the right to ask:
• What data is being processed, why & for how long
• Who has access to the data
• For a copy of the data and other information
We have to:
• Verify their identity
• Deal with the request within 1 month
• Provide it for FREE
Right to Erasure (or Right to be Forgotten)
An individual has the right to request that their data is deleted, but only if we don’t need it (it’s not an absolute right!)
We have to:
• Verify their identity
• Deal with the request within 1 month
• Delete for FREE
Right to Portability
An individual can request a machine-readable export of the data they provided.
We have to:
• Verify their identity
• Deal with the request within 1 month
• Provide it for FREE
Withdraw Consent
An individual has an absolute right to change their mind about consent and ask us to stop processing.
We have to:
• Verify their identity
• STOP! processing
Compliance in Practice: Accountability
Data Controllers & Data Processors
Data Controllers: us. Data Processors: organisations who process our data.
When we use third-parties to process our data we must:
• Only use processors who are compliant
• Carry out due diligence on all third-party processors
• Put in place legal contracts with our third-parties
So be mindful that a processor could be a cloud service or software, as well as a company or individual.
Make sure your Data Protection Lead knows about any third-parties you are using.
Data Protection Impact Assessments (DPIA)
DPIAs mean we have to:
• Consider data protection in everything we do
• Carry out a DPIA every time we plan on doing something different with our data
It’s a risk assessment essentially: what’s the risk from the processing?
Data Breaches
A personal data breach means a breach of security which leads to the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
This means that a data breach is more than your typical cyber-security hacking incident. It can also include someone looking at your data “over your shoulder”, accidentally deleting someone’s data, loss of a device containing personal data, sending the wrong person someone else’s data, etc.
The law says that if there is a risk to the Data Subjects we have to tell the Information Commissioner (ICO), and if there is HIGH risk to the Data Subjects we have to tell the Data Subjects too (so they can protect themselves, e.g. from ID fraud).
We have 72 hours from becoming aware of the breach to report it to the ICO!!!
So what does this mean in practice?
• Make sure you know how to identify a breach
• Make sure you know what to do if a breach occurs
• Make sure you tell whoever it is who is responsible for data protection within your organisation
• DON’T ignore anything you suspect is a breach
There are plenty of examples of action taken…
• Uber failure to secure data (£385,000 fine)
• Heathrow Airport for USB loss (£120,000 fine)
• GP Surgery Secretary for unlawful (unnecessary) access
• Bayswater Medical Centre for leaving medical records in an empty building (£35,000 fine)
• Gain Credit LLC failure to deal with a subject access request (enforcement notice – criminal penalty if ignored)
…but there’s one case that stands out & highlights wider concerns:
Morrisons Supermarket
• An employee stole payroll data and leaked it online – he’s now serving a prison sentence
• Morrisons were cleared of any wrongdoing – it was the employee’s fault that there was a breach, nothing to do with Morrisons’ compliance
• But the employees have been able to demonstrate they have suffered harm and are suing Morrisons for damages
• It has been through various court proceedings and the courts have so far concluded that Morrisons have “vicarious liability”, meaning that whilst it wasn’t their fault they have a duty of care to their employees who have suffered thanks to the breach!
Next steps for you
• Familiarise yourself with company data protection policies
• Know what to do if someone asks for their data or wishes to complain about how their data is being used
• Make sure you ask your data protection lead if you are unsure about a data protection issue or whether it’s lawful to use data
• Make sure you pay attention to any internal communications updating you on developments or changes
If in doubt: ask the person responsible for data protection