I’m struggling to see why anyone thought exporting the Payroll Database and sending it outside to an Auditor was not a purpose limitation on sharing it. There work should have been carried out inside Morrison’s Security Realm.
Yes before GDPR fully came into legal force, but GDPR was a formalising of much long existing legislation.
Are the auditor not equally liable as Morrison’s ??