Data Breach Compensation: The New PPI?

By Philip Brining

The High Court's decision concerning the theft and publication of the supermarket giant Morrison's payroll data by a rogue employee raises interesting points about liability in the event of data loss.

In December 2017 Mr Justice Langstaff ruled that the technical and organisational controls in place to guard against data loss were sufficient for Morrison's not to be primarily liable for the leak, but that Morrison's was vicariously liable for the actions of its employee. The judgment criticised Morrison's over-retention of data, but held that in permitting Mr Skelton to have the data Morrison's was not in breach of the 7th data protection principle and that no reasonable controls beyond those already in place would have prevented Mr Skelton's criminal misuse of the employee data. Since no breach of the 7th data protection principle was found, it seems unlikely that the ICO will fine Morrison's. We await the next step in this saga with interest, noting with a shudder that if compensation is awarded to the employees against Morrison's it could run to millions of pounds, given the volume (around 100,000) of records that were misused.

While this is the first time in UK legal history that a class action has been brought against a data controller for a data breach, it is not the first time that compensation for distress caused by unlawful processing of personal data has been awarded (see Woolley v Akram and Google v Vidal-Hall). In Woolley v Akram the plaintiffs were awarded £8,500 each!

We have been stressing for some time that the prospect of compensation will put huge pressure on organisations to comply with the GDPR, and that this is likely to be more effective than the fines regime; for many months we have been predicting that data breach compensation will be the new PPI. To see the point, take 25 seconds to Google "data leak lawyers" … but make sure you are sitting down first!

We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People. We should like to point out that we are Data Protection People and have nothing to do with those calls.

We have been advising those who have contacted us to make a complaint to the Information Commissioner's Office (ICO) using this link. It would help the ICO if you can provide the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the Telephone Preference Service (TPS), a national suppression service which should cut down calls of this nature, as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS. You can register your number here.

We know that this kind of call can be distressing and intrusive, and you have our sympathy. Please do not hesitate to contact us if you would like to discuss it with us; otherwise we would encourage you to report it to the ICO, as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary. You can see the action that has been taken by the ICO here.

    Data Protection People Limited – March 2021