Data takeaway – GDPR 100 days on

With GDPR, the focus of businesses is always upon malicious outsiders seeking to cause damage.  However, what about malicious insiders?  Or merely naïve employees who don’t understand the harm in what they’re doing?

We are now just over one hundred days from the introduction of the GDPR and the Data Protection Act 2018 (DPA).  Despite all the fanfare in the run up to May 25th, the sky does not seem (yet) to have fallen in.  The issue has not gone away and for businesses that haven’t yet put new systems in place they should do so as soon as possible.  The UK regulator, the ICO, reported receiving 1,750 data-breach notifications after GDPR was brought in, which was a 338% increase  over the monthly rates for March and April 2018.

Preventing data breach is a major objective of the new regime, with the potential for painful fines of up to 4% of turnover being imposed on organisations that have not taken proper measures to prevent breach occurring.  Much of the debate in this area focuses upon cybercrime ie outsiders hacking into inadequately protected systems to prevent loss.  The focus is always upon malicious outsiders seeking to cause damage.  However, what about malicious insiders?  Or merely naïve employees who don’t understand the harm in what they’re doing?

Bad Apples?

You may think that your organisation does not contain any such people. But what about the disgruntled employee or, even more likely, the disgruntled ex-employee who is leaving the business to join a competitor or to set up in competition?

Employers may find that actually the biggest cyber security threat they face isn’t from outsiders at all but is from departing employees.   Some may look to either cause disruption to the business when they leave or to gain a competitive advantage by downloading their employer’s databases. They may make off with business plans and other confidential information and intellectual property.

A prudent employer will ensure that its contracts of employment and staff handbook set out very clear policies on the return of company property and data.  These should make it absolutely clear that company data belongs to the company and is not to be retained or disclosed by the former employee.

A well drafted contract of employment should contain a comprehensive clause on confidentiality and return of company property, which will include data in all its forms..  For those senior employees that are client facing it would also be worth considering including restrictive covenants in their contracts of employment to protect the company’s interests after they leave. This could include non-competition clauses, non-solicitation of customers and non-solicitation of employees.

The remedy for breach of contract, whether clauses in respect of confidentiality or restrictive covenants can include obtaining an injunction against the offending ex-employee to get them to deliver up the data they have retained (and maybe misused) and also to restrain them using your data to get a leg up in their new business.  That is sometimes known as a spring board injunction. However, such remedies are expensive to obtain and are not guaranteed always to be success.  The law on restrictive covenants is difficult and there is always the business of proving that the restrictions were reasonable in the first instance.

Criminal sanctions are available

One overlooked remedy is available under the Data Protection Act 2018 because that created several criminal offences which can be pursued before the Criminal Courts in England and Wales.  An employee who is convicted of one of these offences will then have a criminal record and can be subjected to an unlimited fine.

Perhaps the most relevant offence which might be committed in this situation is that created by Section 170(1) of the Act which provides that it is unlawful to obtain, disclose or procure the disclosure of personal data without the data controller’s consent.  That is an offence which can be tried either in the Magistrates Court or the Crown Court.

Under the Section 170(4) it is also an offence to sell data obtained without the data controller’s consent. In order to comply with the GDPR and the DPA 2018 it is highly unlikely that the data controller would ever give that consent. The prosecution can only be commenced by the Information Commissioner and a private prosecution would require the approval of the Director of Public Prosecutions.

Reporting to the ICO?

Therefore, for an employer looking for a remedy against a disgruntled ex-employee reporting that individual to the ICO would be the way forward. And it would then of course mean handing over control of the investigation and subsequent process to the ICO. That means the employer is no longer in control of what is happening and it does not mean that the data that the employee has taken will be quickly returned.  There is also the possibility that in referring the matter to the ICO, difficult questions might be asked of the employer to find out how it was possible for the employee to make off with the data in the first place.

Train staff: update policies

It would therefore be advisable for employers to ensure that their staff are trained on the risks posed in taking data away and to ensure that staff handbooks or cyber security policies to warn of the risks, including that of criminal sanction on the employee personally. Only the most hardnosed employees would surely risk the threat of a criminal record for just taking some names and email addresses?