Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
You’ve probably heard about the Morrisons data breach a few years back – a rogue insider leaked payroll data for thousands of staff and triggered years of litigation. Even though Morrisons ultimately avoided liability for that individual’s criminal act, the case is a powerful reminder for small businesses.
Why? Because under UK GDPR and the Data Protection Act 2018, your business still carries clear obligations to secure personal data and to respond properly if something goes wrong. The best time to act is before a breach – with the right policies, contracts and processes in place, you’ll massively reduce your risk and be protected from day one.
In this guide, we unpack the Morrisons data breach at a high level and translate it into practical steps you can apply in your small business right now.
What Happened In The Morrisons Data Breach?
In 2014, a Morrisons employee with legitimate access to payroll information stole and published personal data of around 100,000 staff. The information included names, addresses, bank details and salaries. Claimants brought a group action, arguing Morrisons was responsible for the damage caused.
The UK Supreme Court later held that Morrisons wasn’t vicariously liable for the employee’s actions because the disclosure wasn’t closely connected to his authorised duties – it was a personal vendetta unrelated to Morrisons’ aims. That said, the Court didn’t loosen data protection standards for businesses. The legal duties to protect personal data still apply – and the ICO can investigate and take action where security measures are inadequate.
The real lesson for SMEs isn’t about court technicalities. It’s this: insider threats are real, legitimate access can be misused, and you need layered safeguards to meet your UK GDPR obligations and protect your business.
Why The Morrisons Case Matters For SMEs
Many small businesses assume data breaches come from sophisticated hackers. In reality, insider incidents (malicious or accidental) are common: misdirected emails, overshared documents, weak access controls, or an unhappy staff member downloading data they shouldn’t.
The Morrisons breach shows how quickly things can spiral if personal data is exposed at scale. For small businesses, the impacts can be even more serious:
- Regulatory risk: UK GDPR and the Data Protection Act 2018 require appropriate technical and organisational measures; failure can lead to ICO enforcement and fines.
- Financial risk: Legal costs, forensic work, customer support and potential compensation can be significant.
- Reputational harm: Trust is hard to win and easy to lose – especially for growing brands.
- Operational disruption: Systems and processes may need to be paused, reworked or rebuilt under time pressure.
The good news: practical steps – many of them low-cost – can drastically reduce your exposure. The rest of this guide sets out what those steps look like in plain English.
Your Core UK GDPR Duties In Plain English
UK GDPR sets out principles for handling personal data and expects you to be able to show how you comply (“accountability”). At a minimum, most small businesses should understand and implement the following:
Know What You Collect And Why
- Map your data: What personal data do you hold (customers, employees, suppliers)? Where is it stored? Who can access it? For how long?
- Lawful basis: Be clear about your legal grounds for processing (e.g. contract, consent, legitimate interests) and document your reasoning.
- Minimise: Only collect what you need – reducing the volume of data reduces risk.
Be Transparent
- Tell people what you do with their data in a clear, accessible Privacy Policy.
- If you use cookies or similar tracking, provide a compliant banner and a clear Cookie Policy, and respect opt-in rules where required (PECR).
Secure The Data (Article 32 Security)
- Appropriate security: Use layered controls – strong passwords, multi-factor authentication, encryption, device management and secure backups.
- Access controls: Apply the “least privilege” principle – staff should only access the data they genuinely need.
- Supplier due diligence: If third parties process data for you (cloud tools, payroll, marketing platforms), have a proper Data Processing Agreement in place and check their security.
Manage Data Sharing And International Transfers
- Data sharing: If you share personal data with another independent organisation, use a Data Sharing Agreement to define roles and responsibilities.
- Transfers: If data leaves the UK, ensure you have valid safeguards (e.g. UK Addendum to the EU SCCs) and do a transfer risk assessment.
Respect People’s Rights
- Subject access: You must respond to data subject access requests within one month. Set up a repeatable process and track DSAR deadlines.
- Other rights: Rectification, erasure, restriction, portability and objection – know how to recognise and handle these.
- Retention: Don’t keep personal data longer than necessary – create a simple policy guided by sensible data retention periods.
Prepare For The Worst
- Incident readiness: Maintain a practical, step-by-step Data Breach Response Plan and test it.
- 72-hour rule: If a breach risks people’s rights and freedoms, you may need to notify the ICO within 72 hours and, in some cases, affected individuals.
- Record-keeping: Maintain a breach log even for incidents you don’t notify.
Practical Steps To Reduce Insider Risk
Insider risk isn’t just malicious actors – it includes well-meaning team members who make mistakes. Here’s how to build an environment where misuse is harder and mistakes are less damaging.
1) Limit What People Can See And Do
- Role-based access: Set permissions by role, not person. New hires should start with minimal access and scale up as needed.
- Segmentation: Keep HR, finance and customer data in separate systems or spaces; avoid “everyone can see everything.”
- Offboarding: Immediately revoke access when staff leave or change roles.
2) Make Secure Tools The Default
- Approved platforms: Choose reputable cloud services with strong security, and understand whether tools like Google Drive can be used in a GDPR-compliant way.
- Device controls: Use screen locks, disk encryption, remote wipe and MDM on laptops and mobiles. Restrict syncing of sensitive folders to personal devices.
- Email safety: Enable outbound email warnings for external recipients and consider DLP (data loss prevention) rules for payroll keywords and attachments.
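As an added illustration of the DLP idea in the last bullet (example code written for this guide, not a tool the article describes), the rule below classifies outbound mail as allow, warn or block: any external recipient earns a warning, and payroll keywords, UK bank-detail patterns or payroll-style attachments heading outside the company get blocked. The company domain, keyword list and sample messages are all assumed.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.co.uk"          # assumed: your own email domain
PAYROLL_KEYWORDS = ("payroll", "salary", "bank details", "p60", "p45")
# UK sort code (12-34-56) followed by an 8-digit account number
BANK_DETAIL_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b\s*\d{8}\b")
# Attachment names that suggest payroll or banking exports
SENSITIVE_ATTACHMENT_RE = re.compile(r"(payroll|salar|bank).*\.(csv|xlsx|pdf)$", re.I)

@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def external_recipients(msg):
    """Recipients outside the company domain trigger the 'external' warning."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]

def payroll_indicators(msg):
    """Return the DLP indicators found in the message; an empty list means it looks clean."""
    text = (msg.subject + " " + msg.body).lower()
    found = ["keyword:" + kw for kw in PAYROLL_KEYWORDS if kw in text]
    if BANK_DETAIL_RE.search(msg.body):
        found.append("pattern:uk-bank-details")
    found += ["attachment:" + n for n in msg.attachments if SENSITIVE_ATTACHMENT_RE.search(n)]
    return found

def evaluate(msg):
    """'allow' internally; 'warn' on any external recipient; 'block' when payroll data is heading outside."""
    if not external_recipients(msg):
        return "allow", []
    hits = payroll_indicators(msg)
    return ("block", hits) if hits else ("warn", [])

# Constructed sample traffic (not real messages) to exercise the rules.
SAMPLES = [
    OutboundEmail("hr@example.co.uk", ["finance@example.co.uk"], "Payroll run", "File attached", ["payroll_march.xlsx"]),
    OutboundEmail("ops@example.co.uk", ["supplier@othercorp.com"], "Invoice query", "Thanks, received.", []),
    OutboundEmail("hr@example.co.uk", ["me@gmail.com"], "fyi", "Sort code 12-34-56 12345678 for Jane", ["payroll_march.xlsx"]),
]

def scan(messages=SAMPLES):
    """Run every message through the rule and return the action per message."""
    return [evaluate(m)[0] for m in messages]

if __name__ == "__main__":
    for m, action in zip(SAMPLES, scan()):
        print(action, m.recipients, payroll_indicators(m))
```

Keyword rules like these produce false positives (a salary review email to an external recruiter, say), so start in warn-only mode and tune the list against your own traffic before blocking.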
3) Train And Test
- Onboarding: Teach privacy by design from day one – what counts as personal data, what’s confidential, and when to escalate concerns.
- Refreshers: Run brief, regular training with examples relevant to your business (e.g. correct handling of ID documents, payroll files).
- Phishing drills: Simulate basic phishes; coach people who click, rather than blame. Culture matters.
4) Set Clear Rules (And Enforce Them)
- Policies: Put practical, readable rules in place – bring-your-own-device, acceptable use, remote work and a simple social media policy. A short set of workplace confidentiality policies can anchor your culture.
- Monitoring with care: If you monitor systems, make it proportionate and lawful, tell staff, and document your impact assessment.
- Speak up channels: Encourage reporting of mistakes early; a blame-free culture helps you contain issues fast.
5) Reduce The Blast Radius
- Pseudonymise where possible: Replace names with IDs in reports or exports.
- Strip unnecessary fields: Don’t include bank details if you only need a name and employee number.
- Use expiring links and access: Share files with time-limited links and disable downloads for sensitive views where feasible.
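The first two bullets above (pseudonymise, strip unnecessary fields) worked through as added example code, not something from the original article: a payroll export is reduced to the fields a recipient needs, names are replaced with keyed HMAC tokens that stay stable across reports, and the token-to-employee lookup is returned separately so it can be kept with HR rather than alongside the export. The key value, field names and sample rows are all assumed.

```python
import hashlib
import hmac

# Placeholder: in practice load the key from a secrets store; whoever holds it can re-link tokens.
PSEUDONYM_KEY = b"REPLACE-WITH-KEY-FROM-YOUR-SECRETS-STORE"

# Constructed sample rows (not real people) in the shape a payroll system might hold.
PAYROLL_ROWS = [
    {"employee_id": "E1001", "name": "Jane Doe", "address": "1 High St", "sort_code": "12-34-56",
     "account": "12345678", "department": "Finance", "salary": 42000},
    {"employee_id": "E1002", "name": "John Roe", "address": "2 Mill Ln", "sort_code": "65-43-21",
     "account": "87654321", "department": "Ops", "salary": 38000},
]
DIRECT_IDENTIFIERS = ("name", "address", "sort_code", "account")

def pseudonym(employee_id, key=PSEUDONYM_KEY):
    """Keyed, stable token: the same ID always yields the same token, so reports can still be
    joined, but without the key the token cannot be turned back into a person."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]

def minimised_export(rows, keep=("department", "salary"), key=PSEUDONYM_KEY):
    """Build a report carrying only the fields the recipient needs plus a pseudonymous reference.
    Returns (export_rows, lookup); the lookup (token -> employee_id) is the re-identification key,
    so pseudonymised data is still personal data under UK GDPR: keep the lookup under restricted
    access and never ship it with the export."""
    export, lookup = [], {}
    for row in rows:
        token = pseudonym(row["employee_id"], key)
        lookup[token] = row["employee_id"]
        export.append({"employee_ref": token, **{f: row[f] for f in keep}})
    return export, lookup

def leaked_identifiers(export):
    """Guard before sharing: any direct identifier still present means the export is not minimised."""
    return sorted({f for row in export for f in row if f in DIRECT_IDENTIFIERS})

if __name__ == "__main__":
    report, lookup = minimised_export(PAYROLL_ROWS)
    print(report)
    print("leaked:", leaked_identifiers(report))
```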
How To Respond If You Suffer A Data Breach
If something goes wrong, move quickly and keep a cool head. A well-rehearsed plan saves time and stress.
Step 1: Contain And Secure
- Isolate the issue: Revoke compromised accounts, disable sharing links, lock down affected folders or systems.
- Preserve evidence: Don’t delete logs or emails – you’ll need them for investigation and, if relevant, ICO reporting.
Step 2: Assess The Risk
- What data? Identify the categories (e.g. names, emails, bank details, health information) and volume of personal data involved.
- Who is affected? Employees, customers, suppliers? Are any vulnerable individuals involved?
- Impact likelihood: Could the incident lead to identity theft, financial loss, discrimination, or distress?
Step 3: Decide On Notifications
- ICO notification: If there’s a risk to people’s rights and freedoms, notify the ICO within 72 hours of becoming aware – include the nature of the breach, likely consequences and measures taken or proposed.
- Notify individuals: If the risk is high, tell affected people promptly and in clear language with steps they can take (e.g. password resets, bank alerts).
- Document everything: Even if you don’t notify, record your risk assessment and reasoning in your breach log.
Step 4: Remediate And Learn
- Fix root causes: Patch systems, tighten permissions, update training, or amend policies to address the gaps you found.
- Follow-up tasks: Consider whether suppliers need to be engaged under your Data Processing Agreement for forensics or notifications.
- Update documentation: Improve your Data Breach Response Plan so you’re better prepared next time.
It’s completely normal to feel overwhelmed during an incident. Having clear playbooks, templates and contact lists prepared makes all the difference when the clock is ticking.
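To make Steps 2 and 3 concrete, here is an added example (written for this guide, not part of the original article) of a minimal breach log: each incident gets a rough risk triage, the 72-hour ICO deadline is computed from the moment of awareness, and an entry with the reasoning is recorded whether or not anyone is notified. The risk categories, the triage thresholds and the sample incident are assumptions, not ICO rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)   # UK GDPR Art. 33: report to the ICO within 72 hours of becoming aware
# Assumed triage list: categories that make identity theft or financial loss plausible.
HIGH_RISK_CATEGORIES = {"bank details", "health", "id documents", "passwords"}
BREACH_LOG = []   # every incident is recorded here, notified or not (Art. 33(5))

def when(year, month, day, hour=0):
    """Helper for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

@dataclass
class Breach:
    ref: str
    aware_at: datetime          # the 72-hour clock starts here, not when the root cause is found
    categories: set
    affected_count: int
    contained: bool
    vulnerable_individuals: bool = False

def assess_risk(b):
    """Rough triage for Step 2 (assumed scale, not an ICO rule): 'high', 'risk' or 'low'."""
    if b.categories & HIGH_RISK_CATEGORIES or b.vulnerable_individuals:
        return "high"
    if not b.contained or b.affected_count > 10:   # assumed threshold: exposure ongoing or not tiny
        return "risk"
    return "low"

def decide(b, now):
    """Step 3: decide notifications, compute the ICO deadline and write the breach log entry."""
    risk = assess_risk(b)
    deadline = b.aware_at + ICO_WINDOW
    entry = {
        "ref": b.ref,
        "risk": risk,
        "notify_ico": risk != "low",              # any risk to rights and freedoms -> ICO (Art. 33)
        "notify_individuals": risk == "high",     # high risk -> affected people too (Art. 34)
        "ico_deadline": deadline,
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        "reasoning": f"categories={sorted(b.categories)} affected={b.affected_count} "
                     f"contained={b.contained} vulnerable={b.vulnerable_individuals}",
    }
    BREACH_LOG.append(entry)
    return entry

# Constructed incident (not a real case): a payroll export emailed to the wrong external address.
SAMPLE = Breach("INC-001", when(2024, 3, 1, 9), {"names", "bank details", "salaries"}, 250, contained=True)

if __name__ == "__main__":
    print(decide(SAMPLE, when(2024, 3, 2, 9)))
```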
Key Documents And Policies To Put In Place
Templates you find online often miss critical details like your specific data flows, roles, processors and retention rules. Getting your foundations tailored to your operations will protect your business and speed up responses when it counts. As a starting point, most SMEs should consider:
- Privacy Policy (GDPR-compliant) – explain your data practices clearly for customers, staff and other stakeholders. A well-drafted Privacy Policy is essential.
- Data Processing Agreement – for any supplier handling personal data on your behalf (cloud storage, payroll, marketing platforms). Put your DPA in place before onboarding.
- Data Sharing Agreement – if you share data with other controllers (for example, a JV partner or a franchise network), a clear Data Sharing Agreement sets out responsibilities.
- Data Breach Response Plan – step-by-step actions, roles, contact lists and email templates; a tested incident plan shortens your recovery time.
- Cookie Policy and consent mechanism – align your tracking with PECR and UK GDPR using an accurate Cookie Policy and compliant banner.
- Internal policies – straightforward rules on acceptable use, BYOD, remote work, password management, retention and breach reporting anchored by concise confidentiality policies.
- DSAR process – a checklist and template responses so you can hit subject access request deadlines without scrambling.
If you collect special category data (e.g. health information) or monitor staff in higher-risk ways, consider a data protection impact assessment (DPIA) and additional safeguards. It can be hard to know what’s proportionate – getting tailored advice will help you hit the right balance.
Key Takeaways
- The Morrisons data breach highlights insider risk: legitimate access can be misused, so rely on layered security and least privilege, not trust alone.
- UK GDPR still expects you to protect personal data with appropriate technical and organisational measures, regardless of the Supreme Court’s finding on vicarious liability in that case.
- Focus on basics done well: data mapping, lawful basis, transparency, strong access controls, supplier DPAs, retention rules and clear internal policies.
- Prepare for incidents with a practical Data Breach Response Plan, including roles, checklists and templates so you can meet the 72-hour ICO notification window when required.
- Build a privacy-first culture: short, regular training, easy reporting of mistakes, and proportionate monitoring that’s transparent and documented.
- Get your key documents in place – Privacy Policy, Data Processing Agreement, Data Sharing Agreement, Cookie Policy and DSAR procedures – tailored to your business, not just generic templates.
If you’d like help reviewing your risks, drafting the right data protection documents, or building an incident response plan tailored to your operations, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.