First fine issued under GDPR!
The ICO has confirmed that the first fine to be levelled against a business for an offence under GDPR has been issued to Doorstep Dispensaree Ltd, a pharmacy based in Edgware.
Whilst intention to fine notices remain in force against British Airways and Marriott International for fines in the millions, the fine of £275,000 issued to Doorstep Dispensaree in December 2019 becomes the first of its kind under the new GDPR regime.
What’s the story?
The ICO was alerted by a sector regulator that the Pharmacy was not handling hard copy medical records in a secure or appropriate manner.
The subsequent investigation by the ICO found paper records stored insecurely in a rear yard, which was accessible via a fire escape from flats above the premises and exposed to deterioration by the weather. The records dated back over a number of years and contained personal data (including medical information) on thousands of individuals.
In addition to the failure to hold this data securely, the ICO enforcement notice also noted that the Pharmacy had initially been unresponsive to its requests for information, had inadequate Privacy Notices and had failed to follow its own policies for the secure destruction (shredding) of personal data exceeding acceptable retention times.
So, what can we learn from this?
Apart from the obvious lessons in the importance of handling personal data in a secure fashion, the investigation details clearly show that the scale of the fine took into account the general lack of compliance across a range of legal requirements under GDPR; should you be investigated, all aspects will be looked at.
This may now indicate what can be expected going forward in terms of penalties for not generally complying with the law. In this particular case, no personal data was reported as being illegally accessed or stolen (unlike a typical hacking breach). The ICO recently fined DSG Retail Group £500,000 for a breach which occurred prior to GDPR implementation, in which large volumes of their customers’ financial details were hacked. This was the maximum fine possible under the previous regime, so the fine levelled at Doorstep Dispensaree, in context, shows an intent to use the new penalty regime to full effect. Whilst not in the millions, this scale of fine would be devastating for many SMEs.
It is also worth noting that the Pharmacy did not come under the spotlight of the ICO due to a reportable data breach or high profile hacking event. Their poor practices concerned a visiting inspector from a sector body, who recognised this as a breach of Data Protection law and notified the ICO. This could happen to any business, and concerns could even be raised by their own staff.
Don’t ignore the legal requirements set out under GDPR and become the next business to make the headlines!