Companies are being urged to study the detail of the first GDPR penalty issued by the UK Information Commissioner’s Office to ensure they learn from the case after London pharmacy Doorstep Dispensaree has been fined £275,000 for failing to ensure the security of special category data.
While British Airways and Marriott International await their fate, having been issued with "notices of intent" in July over fines totalling £282m, Doorstep Dispensaree has the dubious honour of being the first UK company to have actually been hit with a monetary penalty under the new regime, which came into force in May 2018.
Even so, the fine does show that GDPR penalties are not set in stone; Doorstep Dispensaree had originally been slapped with a notice of intent of £400,000 but had its fine cut after making "representations" to the regulator.
The company, which supplies medicines to individuals and care homes, claims on its website that it is "your reliable pharmacy partner you can trust". However, the investigation found 500,000 documents in unlocked containers at the back of its premises in Edgware, London.
The documents, dated between June 2016 and June 2018, included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. Some of the documents had not even been protected against the elements and were therefore water damaged.
Processing special category data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is one of the key tenets of GDPR.
The ICO was alerted to the issue by the Medicines & Healthcare Products Regulatory Agency, and then launched its own separate investigation.
The fine was imposed under Section 155 of the Data Protection Act 2018, which implements GDPR. In setting the fine, the ICO considered the contravention only from 25 May 2018, when GDPR came into effect.
Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the offence and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.
Commenting on the penalty, Mishcon de Reya data protection specialist Jon Baines said: "All organisations should read the penalty notice carefully – it will contain much to guide them on what bad practice looks like, and how it might result in a hefty fine."
Eversheds Sutherland partner and global co-lead of privacy and cyber security law Paula Barrett said there are likely to be many organisations for which the secure disposal of personal data is an ongoing operational concern, particularly those businesses which have a large number of smaller premises, where centralised controls are more difficult to implement.
She added: "The final amount of the penalty notice was reduced following the initial notice from £400,000 to £275,000, so it appears some consideration was given to representations made.
"[However] as well as a fine, they also have further remediation work to undertake, so there is, in fact, a combination of tools in the ICO armoury being deployed here. Remediation effort costs could outweigh the fine itself."