Morrisons were following the guidelines they were told they had to implement by KPMG. The ICO said the only other thing they could have done was have tools in place that would have alerted them that Skelton had copied the data on to an unencrypted USB which, because of the job he held, would not have raised alarm bells quick enough to prevent the leakage of the data. Skelton's entire job was handling sensitive data. They did not do anything worth being fined for under DPA or GDPR