In the first case of its kind, prosecution by the Information Commissioner’s Office (ICO) has led to an employee being handed a jail term due to their misuse of customers’ personal information. It is the latest story that should highlight to organisations the importance of paying heed to the new data protection regime under the much-publicised General Data Protection Regulation (GDPR).

What implications does this development have for your firm?

Such has been the level of media coverage given to the GDPR that every business should be mindful of their responsibilities with regard to their customers’ data. Not all employees appear to be well-versed in such requirements, however, given the results of the recent prosecution brought by the ICO, which show the public body’s determination to enforce the law in this area.

The case in question involved K, a worker for a car accident repair firm who used a co-worker’s login information to access a software system containing the names of customers, contact details and information about their vehicles and accidents. His use of the login continued after he moved to a different company, with his original employer ultimately informing the ICO following an increased number of complaints about nuisance calls.

However, while the ICO usually brings prosecutions under the Data Protection Act 1998/2018 (DPA), the serious nature of K’s offending led him to be charged with deliberately accessing data on a secure system without authorisation – i.e. hacking – under s.1 Computer Misuse Act 1990. After pleading guilty, he was sentenced to six months in prison.

Could you be liable for the actions of a wrongdoing employee?

You may not consider that as an employer, you could be held responsible for illegal behaviour by a rogue employee. In 2018, however, the Court of Appeal upheld a decision that a retailer was vicariously liable for a disgruntled worker causing a malicious data breach by sharing the personal details of colleagues online. This leaves the retailer open to compensation claims from the data subjects.

While the penalties that can be imposed in accordance with the DPA are merely financial, they can be extremely high, amounting to as much as £17 million or 4% of the data controller’s global turnover – whichever is greater.

So, what steps can you take to shield your business from harm?

An employee intent on breaking the law may seem difficult to stop, but there are still certain measures that responsible companies can adopt, including to be better enable the colleagues and managers of any wrongdoers to identify suspicious activity. Such steps can also demonstrate that your firm has complied with its obligations to protect sensitive data.

To this end, you should make sure all of your personnel with personal data are aware of what they are permitted to do with it. There should also be arrangements in place to detect, investigate and act on possible breaches.

GDPR breaches are more common than many employers may imagine, a recent survey having found that a large proportion of workers were already guilty of this simply as a consequence of forwarding customer/client emails to their personal email accounts.

If, with these measures in place, your organisation does suspect a personal data breach, you should check the ICO’s website to determine whether it needs to be reported. The ICO has issued new guidance to businesses on their data protection obligations, including a self-assessment tool to enable them to check their current level of legal compliance.

London Registrars provides not only the complete professional company formation service, but also other forms of business support. Contact our informed and experienced team today if you would appreciate further advice and guidance as to how you can familiarise your staff with their data protection responsibilities, while also putting in place other measures for ensuring your business’s continued compliance with the law.


June 2019