In this episode, I visit with Jonathan Armstrong on the recent UK court of appeals decision in the Morrisons’ case. This decision stretched the limits of vicarious liability for a corporation to the absolute breaking point and has significant implications in the broader data privacy-data protection space. Jonathan and I go full lawyer-geek to discuss the legal theories, underlying facts and what it all may mean. Some of the issues and highlights are:

  1. The case is instructive for how to do (or perhaps not do) regular business under GDPR on data privacy.
  2. If a file is too large to email, it presents a higher data protection risk and must be so managed.
  3. Should you do risk assessments on individual employees around data privacy-data protection?
  4. How can vicarious liability exist for ultra vires conduct by an employee?
  5. How do you properly scope an investigation to ascertain an individual’s mindset?
  6. A company must require its vendors to exercise appropriate data protection and control.
  7. Will Morrisons apply to the UK Supreme Court for relief?

For a more detailed reading, see the Cordery Client alert, here. For more information on Cordery Compliance, go their website here. Also check out the GDPR Navigator, one of the top resources for GDPR Compliance by clicking here.