Morrisons appeals group litigation process in GDPR case

Morrisons supermarket is appealing a GDPR court case after a criminal breach made 100,000 people’s payroll details public. Details of salaries, bank details and National Insurance numbers were made public by a disgruntled employee who had legitimate access to the company’s entire payroll. Morrisons became the focus of a group litigation process – meaning 5,000 of the 100,000 workers affected by this data breach were able to sue their employer. The employee responsible has been sentenced to eight years’ imprisonment for unlawfully disclosing personal data; and fraud.

Morrisons is fighting the judgement saying that the original ruling was divergent from data laws. Their barrister says the firm is “completely innocent” in the event. They argue that under the Data Protection Act 1998 they are excluded from liability.

However, under GDPR laws, introduced earlier this year, there new provisions were introduced, to cover data security including the need to report a breach within 72 hours, to the Information Commissioner’s Office.