This came as a bit of a surprise to me, but I am assuming that Morrisons couldn’t demonstrate that they’d put sufficient controls around unauthorised access to/use of the data.

It is also interesting to see how this sets a precedent for GDPR enforcement when it is tested. Hopefully it will get companies to think more about the effectiveness of controls, rather than taking a tick-box approach to security.