Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, it’s easy to think “data breaches” are a big-company problem.
But the Morrisons data breach is a classic reminder that some of the biggest risks can start internally - with a trusted employee, legitimate access, and a single bad decision.
The good news is you can do a lot to reduce the chance of employee data misuse, and you can put a clear plan in place so you’re not scrambling if something goes wrong. Below, we break down what happened in the Morrisons case (at a high level), what UK GDPR expects of businesses, and the practical steps you can take to protect your business from day one.
What Was The Morrisons Data Breach (And Why Does It Matter To Small Businesses)?
The Morrisons data breach is often discussed because it involved an “insider” - an employee who had legitimate access to personal data through their role and then misused it.
At a simple level, the core lesson for businesses is this:
- External hackers aren’t the only threat. Internal misuse (whether malicious or accidental) can cause major harm.
- “We trusted them” isn’t a legal defence. UK GDPR expects you to take appropriate steps to protect personal data, including from internal risks.
- When personal data is exposed, you may face multiple pressures at once - regulatory reporting, employee relations issues, customer/worker trust issues, and potentially legal claims.
If you employ even a small team, you’re likely handling personal data such as:
- staff records (contact details, bank details, NI numbers, payroll information);
- customer details (names, addresses, emails, order history);
- supplier contacts; and
- website user data (analytics, enquiries, marketing lists).
That’s enough for an internal data incident to become a serious business problem - even if you’re not a tech company.
Does UK GDPR Make Your Business Liable For An Employee’s Misuse Of Data?
This is where the Morrisons case creates a lot of concern for employers: “If an employee goes rogue, are we automatically liable?”
There are a few legal layers here, and it helps to separate them.
1) Your UK GDPR Obligations As A Controller Still Apply
Under the UK GDPR and the Data Protection Act 2018, if your business decides why and how personal data is processed, you’re usually acting as a data controller.
Controllers must implement appropriate technical and organisational measures to protect personal data. This includes protecting it from:
- unauthorised access;
- accidental loss or destruction;
- alteration; and
- unauthorised disclosure.
So even if the incident is caused by a malicious employee, regulators (and often affected individuals) will still look at what you did to prevent it - and how you responded once you found out.
2) “Vicarious Liability” Can Be A Real Risk (But It’s Not Automatic)
Separate from UK GDPR, there’s also the concept of vicarious liability in UK law. In broad terms, this is where an employer can be held responsible for the acts of an employee carried out “in the course of employment”.
It’s important to be clear about the Morrisons outcome: in WM Morrison Supermarkets plc v Various Claimants (2020), the Supreme Court held Morrisons was not vicariously liable on the specific facts, because the employee was acting on a “frolic of his own” rather than in the course of his employment.
That said, the takeaway for small businesses isn’t to get lost in legal theory - it’s to recognise that:
- an internal data misuse incident can still lead to regulatory scrutiny and claims, even if you didn’t authorise it;
- vicarious liability is fact-specific, so you can’t assume you’ll be protected just because the employee acted maliciously; and
- your prevention measures and your evidence (policies, access controls, audit logs, investigations) may make or break your position.
If you want to keep things practical: plan on the basis that an employee misuse incident can still create serious legal, regulatory and reputational consequences for your business - and prepare accordingly.
GDPR Lessons From The Morrisons Data Breach: What “Appropriate Measures” Looks Like In Practice
UK GDPR doesn’t give every business a one-size-fits-all checklist. Instead, it expects measures that are “appropriate” to your risks, size, and the nature of the data.
For small businesses, “appropriate measures” often means getting the fundamentals right and being able to prove you’ve done it.
1) Control Who Has Access (And Why)
Many employee misuse incidents start with a simple issue: too many people can access too much data.
Consider putting these controls in place:
- Role-based access (only staff who need the data to do their job can access it).
- Least privilege (access is limited to the minimum needed, and removed quickly when roles change).
- Separate admin accounts from day-to-day accounts (so powerful permissions aren’t used casually).
- Joiner / mover / leaver process (a clear process for granting, changing, and revoking access).
This is the kind of practical step that can drastically reduce the damage any one person can do.
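To make the four controls above concrete, here is an added illustration in Python (it is not Sprintlaw's code and is not drawn from the Morrisons case): a deny-by-default access check where each role carries only the permissions its job needs, admin rights sit on a separate account that holds no day-to-day roles, and a move or departure revokes the old access automatically rather than leaving it to accumulate. The role names, permissions and staff accounts are constructed examples.

```python
"""Role-based access with least privilege and a joiner/mover/leaver flow.

Added illustration, not Sprintlaw's code. Role names, permissions and
accounts below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Each role lists only the permissions that job actually needs (least privilege).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "payroll": {"staff_records:read", "payroll:read", "payroll:export"},
    "sales": {"customer_details:read"},
    "support": {"customer_details:read", "order_history:read"},
    # Admin rights are only ever attached to a dedicated admin account.
    "sysadmin": {"system:configure", "users:manage"},
}
ADMIN_ROLES = {"sysadmin"}


@dataclass
class Account:
    username: str
    roles: set[str] = field(default_factory=set)
    active: bool = True
    is_admin_account: bool = False


class AccessDirectory:
    """Deny-by-default directory that records every grant and revoke."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.events: list[str] = []  # simple audit trail of access changes

    def _check(self, acct: Account, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        # Admin roles only on admin accounts, and admin accounts hold nothing else.
        if (role in ADMIN_ROLES) != acct.is_admin_account:
            raise ValueError(f"role {role} not allowed on account {acct.username}")

    def _grant(self, acct: Account, role: str) -> None:
        self._check(acct, role)
        acct.roles.add(role)
        self.events.append(f"grant {acct.username} {role}")

    def _revoke_all(self, acct: Account) -> None:
        for role in sorted(acct.roles):
            acct.roles.remove(role)
            self.events.append(f"revoke {acct.username} {role}")

    def joiner(self, username: str, roles: set[str], admin_account: bool = False) -> Account:
        """Create an account with exactly the roles the job requires."""
        acct = Account(username, set(), True, admin_account)
        for role in roles:  # validate everything before the account exists
            self._check(acct, role)
        self.accounts[username] = acct
        for role in roles:
            self._grant(acct, role)
        return acct

    def mover(self, username: str, new_roles: set[str]) -> None:
        """Role change: old access is revoked, then the new role is granted."""
        acct = self.accounts[username]
        for role in new_roles:
            self._check(acct, role)
        self._revoke_all(acct)
        for role in new_roles:
            self._grant(acct, role)

    def leaver(self, username: str) -> None:
        """Departure: deactivate the account and strip every role."""
        acct = self.accounts[username]
        acct.active = False
        self._revoke_all(acct)

    def can(self, username: str, permission: str) -> bool:
        """Deny by default: unknown or deactivated accounts get nothing."""
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return False
        return any(permission in ROLE_PERMISSIONS[r] for r in acct.roles)


def run_demo() -> dict:
    """Walk one joiner/mover/leaver cycle and return the access decisions."""
    d = AccessDirectory()
    d.joiner("asha", {"payroll"})
    d.joiner("ben", {"sales"})
    d.joiner("asha-admin", {"sysadmin"}, admin_account=True)
    before_move = d.can("asha", "payroll:export")        # True while in payroll
    d.mover("asha", {"support"})
    after_move = d.can("asha", "payroll:export")         # False: old access gone
    d.leaver("ben")
    after_leave = d.can("ben", "customer_details:read")  # False: account closed
    try:
        d.joiner("carl", {"sales", "sysadmin"})          # mixed account refused
        mixed_refused = False
    except ValueError:
        mixed_refused = True
    return {
        "before_move": before_move, "after_move": after_move,
        "after_leave": after_leave, "mixed_refused": mixed_refused,
        "admin_can_configure": d.can("asha-admin", "system:configure"),
        "admin_can_export_payroll": d.can("asha-admin", "payroll:export"),
        "events": d.events,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The `events` list is the part worth keeping in a real system: a dated record of who was granted and revoked what is exactly the evidence a regulator or tribunal will ask for after an incident.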
2) Make Data Handling Rules Clear (And Written Down)
If you’re ever challenged after an incident, it helps enormously to show you had clear rules in place - and that employees were trained on them.
Common documents that help here include:
- an Acceptable Use Policy (covering business systems, email, downloads, removable media, cloud tools, and personal device use);
- a staff Workplace Policy suite (setting expectations and disciplinary consequences); and
- strong confidentiality clauses in each Employment Contract.
These documents should not just exist in a folder somewhere. They need to be communicated, easy to understand, and backed up by real processes.
3) Train Your Team (And Refresh Training)
Training sounds basic, but it’s one of the first things regulators and lawyers ask about after a breach.
For small businesses, a good training baseline often includes:
- what personal data is (and examples relevant to your business);
- how to spot “red flags” (unusual downloads, emailing spreadsheets to personal accounts, unauthorised sharing);
- how to report concerns immediately; and
- what happens if data is mishandled (disciplinary action, termination, and potentially legal consequences).
Keep a simple record of training completion. If something goes wrong later, that record can be critical.
4) Monitor Sensibly (Not Secretly)
Some employers respond to insider risk by over-monitoring, which can backfire - creating morale issues and legal risk if you monitor unlawfully or without transparency.
Instead, aim for proportionate and transparent monitoring, with clear rules and a lawful basis. This might include audit logs in key systems, alerts for bulk exports, and limited checks where there’s a genuine concern.
The key is to align monitoring with your policies and data protection obligations, so you can justify what you’re doing and why.
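As an added example of the "alerts for bulk exports" idea (this is not Sprintlaw's code, and the audit log format, sample lines and thresholds are all constructed assumptions to be adapted to your own systems), the Python below reads export events from an audit log and raises one alert per user for any ten-minute window in which the number of exports or the total rows exported exceeds a threshold. A quiet sales user is left alone; a payroll user who pulls three sensitive files in a few minutes after hours is flagged once, with the files listed.

```python
"""Alerting on bulk exports from an audit log.

Added illustration, not Sprintlaw's code. The log format, the sample lines
and the thresholds are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real logs), in time order.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=asha action=view object=payroll_2024.csv rows=1
2024-03-04T09:13:10Z user=ben action=export object=customers.csv rows=40
2024-03-04T17:58:02Z user=asha action=export object=payroll_2024.csv rows=1200
2024-03-04T17:59:30Z user=asha action=export object=staff_bank_details.csv rows=800
2024-03-04T18:01:05Z user=asha action=export object=ni_numbers.csv rows=800
2024-03-05T10:00:00Z user=ben action=export object=customers.csv rows=30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one audit line; a malformed line returns None instead of crashing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"],
            "obj": m["obj"], "rows": int(m["rows"])}


def detect_bulk_exports(log_text: str, window: timedelta = timedelta(minutes=10),
                        max_events: int = 2, max_rows: int = 1000) -> list[dict]:
    """Return one alert per (user, window start) where exports inside the
    sliding window exceed max_events or max_rows. Input must be time-ordered."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[tuple, dict] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "export":
            continue  # ignore unparseable lines and non-export actions
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events that fell out of the window
            q.popleft()
        rows = sum(e["rows"] for e in q)
        if len(q) > max_events or rows > max_rows:
            key = (ev["user"], q[0]["ts"])  # same window start -> same alert, updated
            alerts[key] = {"user": ev["user"], "window_start": q[0]["ts"].isoformat(),
                           "events": len(q), "rows": rows,
                           "objects": [e["obj"] for e in q]}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_LOG):
        print(alert)
```

Keeping the rule to one alert per window (rather than one per event) is what stops a genuine bulk export from drowning the person who reads the alerts, and listing the objects involved gives Step 2 of the response plan a head start on what data was touched.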
5) Get Your Privacy Documentation Right
Even the best security controls won’t eliminate risk. If an incident happens, you’ll be judged partly on whether you were compliant before it occurred.
For many small businesses, this starts with:
- a clear Privacy Policy (covering how you collect, use, store, and share personal data); and
- a broader GDPR compliance approach such as a GDPR package tailored to your actual data flows (customers, staff, marketing, suppliers).
This is especially important if you’re collecting data through online forms, email marketing, eCommerce, or any kind of membership/subscription model.
How To Respond If An Employee Misuses Data: A Step-By-Step Plan
If you ever discover (or suspect) employee misuse of personal data, your first few hours matter. The aim is to contain the risk, preserve evidence, meet your legal obligations, and protect your business.
A practical response plan often looks like this.
Step 1: Contain The Breach Immediately
- Remove or suspend access to the systems involved (but avoid tipping off the employee if that could worsen the situation - get advice).
- Secure devices and accounts (laptops, email accounts, cloud storage access, shared drives).
- Stop further disclosure (for example, remove leaked documents from public links where possible).
Be careful here: how you handle containment can impact employment law obligations and evidence integrity.
Step 2: Preserve Evidence (Without Overstepping)
You’ll want a clear factual picture of what happened. That might include:
- audit logs (downloads, exports, access times);
- emails and file transfer records;
- device logs (where available); and
- witness accounts or internal notes.
Preserving evidence supports your regulatory reporting, your internal disciplinary process, and your ability to defend claims if they arise.
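One way to preserve those records so you can later show they were not altered during the investigation, as an added Python example (not Sprintlaw's code; the file names, log lines and the "IT lead" collector are constructed, and the ticket reference is a placeholder): hash each file at the moment of collection, record who collected it and when in a manifest, and re-verify the hashes before the evidence is relied on in a disciplinary meeting or a regulatory response.

```python
"""Evidence manifest: hash exhibits at collection time, verify them later.

Added illustration, not Sprintlaw's code. File names, log contents, the
collector name and the ticket reference are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(paths, collector: str, note: str = "") -> dict:
    """Record hash, size and modification time of each exhibit, plus who/when."""
    items = []
    for p in map(Path, paths):
        st = p.stat()
        items.append({
            "path": str(p), "sha256": sha256_file(p), "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {"collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector, "note": note, "items": items}


def write_manifest(manifest: dict, path: Path) -> str:
    """Write the manifest as JSON and return its own hash, to be recorded
    somewhere separate (for example in the incident log) so the manifest
    itself cannot be quietly rewritten."""
    data = json.dumps(manifest, indent=2, sort_keys=True)
    Path(path).write_text(data)
    return hashlib.sha256(data.encode()).hexdigest()


def verify_manifest(manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means every exhibit is intact."""
    problems = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists():
            problems.append(f"missing: {p}")
        elif sha256_file(p) != item["sha256"]:
            problems.append(f"modified: {p}")
    return problems


def run_demo() -> dict:
    """Collect two constructed log files, verify, then show a later edit being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample exhibits (not real logs).
        (d / "export_audit.log").write_text(
            "2024-03-04T17:58:02Z user=asha action=export object=payroll_2024.csv rows=1200\n")
        (d / "mail_transfer.log").write_text(
            "2024-03-04T18:03:11Z from=asha@example.invalid to=personal@example.invalid "
            "attachment=payroll_2024.csv\n")
        files = [d / "export_audit.log", d / "mail_transfer.log"]
        manifest = collect_evidence(files, collector="IT lead",
                                    note="Suspected payroll export, ticket INC-PLACEHOLDER")
        manifest_hash = write_manifest(manifest, d / "manifest.json")
        clean = verify_manifest(manifest)
        (d / "export_audit.log").write_text("edited after collection\n")  # simulated tampering
        tampered = verify_manifest(manifest)
        return {"items": len(manifest["items"]), "manifest_hash": manifest_hash,
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest only covers records you already hold and are entitled to review under your policies; its job is to make the "what did we know, and when" question answerable months later.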
Step 3: Assess Whether This Is A “Personal Data Breach” Under UK GDPR
A “personal data breach” under UK GDPR is broadly a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Employee misuse often does fall into this category, but you still need to assess:
- what data was involved (names, addresses, bank details, health data, payroll data, etc.);
- how many individuals are affected;
- the likely harm to individuals (financial harm, identity fraud, distress, safety risks); and
- what containment steps have already reduced the risk.
Step 4: Decide Whether You Need To Report To The ICO (And Notify Individuals)
If the breach is likely to result in a risk to the rights and freedoms of individuals, you may need to report it to the ICO within 72 hours of becoming aware of it.
If the breach is likely to result in a high risk to individuals, you may also need to notify the affected individuals without undue delay.
This decision is often nuanced. Reporting too late (or failing to report when required) can create extra regulatory risk. Reporting when it’s not required can also create reputational issues and operational stress. This is one of those points where getting tailored advice early can really help.
Step 5: Manage The Employment Side Properly
If you suspect deliberate misconduct, it’s tempting to move straight to dismissal. But even in serious cases, you should follow a fair process and align your actions with your disciplinary procedures.
Practical steps might include:
- suspending the employee on full pay while you investigate (where appropriate);
- running a proper investigation and documenting findings;
- holding disciplinary meetings and offering the right to be accompanied; and
- ensuring decisions are consistent with your internal policies and contract terms.
This is also where strong, clear workplace documentation helps. If your policies are vague or inconsistent, it becomes harder to take confident action and defend it later.
Step 6: Review And Strengthen Controls After The Incident
After any incident, you should treat it as a prompt to improve your “organisational measures”. This might include:
- tightening access permissions;
- adding approvals for exporting sensitive datasets;
- strengthening offboarding processes;
- updating training content; and
- reviewing third-party processors and cloud tools.
Having a structured Data Breach Response Plan is one of the simplest ways to ensure you don’t miss key steps when it’s stressful and time-critical.
Preventing Insider Data Breaches: A Practical Checklist For Small Businesses
If you want a straightforward way to reduce your insider risk, here’s a checklist you can work through. You don’t need to implement everything overnight - but you do want a clear plan and priorities.
Governance And Policies
- Put in place an Acceptable Use Policy and ensure staff confirm they’ve read it.
- Implement clear disciplinary rules for misuse of data and business systems.
- Include confidentiality and data protection clauses in employment agreements.
- Ensure your privacy documentation matches what you actually do with data.
Access And Security
- Limit access to personal data by role and job need.
- Use multi-factor authentication (MFA) for key systems where possible.
- Log access to sensitive files and systems (even basic logging helps).
- Review access regularly (especially after role changes).
People And Culture
- Run onboarding privacy and security training.
- Refresh training at least annually (or when processes change).
- Encourage reporting of mistakes early (you’ll contain issues faster).
- Have a clear internal reporting channel for concerns.
Incident Readiness
- Maintain an up-to-date incident response plan and contact list.
- Know what systems hold personal data and who administers them.
- Keep templates ready for internal comms and external notifications.
- Know when you might need to report to the ICO within 72 hours.
It can feel like a lot - but most of these steps are about building repeatable habits and simple controls, not expensive enterprise security tools.
Key Takeaways
- The Morrisons data breach is a strong reminder that insider risk is real - even a trusted employee with legitimate access can misuse personal data.
- Under UK GDPR and the Data Protection Act 2018, your business still needs appropriate technical and organisational measures to protect personal data, including against internal misuse.
- In the Morrisons litigation, the Supreme Court found the employer was not vicariously liable on the facts - but insider incidents can still trigger ICO scrutiny and other claims, so prevention and evidence matter.
- Practical prevention starts with limiting access, clear policies, confidentiality terms in contracts, and regular staff training.
- If an incident happens, move quickly: contain the breach, preserve evidence, assess reporting duties (including the 72-hour ICO window), and manage the employment process fairly.
- Having the right documents in place - such as a Privacy Policy, workplace policies, and an incident response plan - helps you respond confidently and show compliance.
If you’d like help tightening your data protection compliance, preparing for breach response, or updating staff policies and contracts, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.


