Data Protection: First UK GDPR fine

Data Protection: First UK GDPR fine


In late December the UK Data Protection Authority, the Information Commissioner’s Office (ICO), announced its first fine under GDPR. The fine was at the lower end of the scale after Doorstep Dispensaree Ltd., a company running a pharmacy based in Edgware in London, was fined £275,000. The ICO also issued an Enforcement Notice against the company requiring it to undertake a program of work to improve its data protection compliance within 3 months.


What was this about?


Under GDPR, organisations are obliged to put in place adequate technical and organisational measures (TOMs) to prevent unauthorised access to personal data. In this case Doorstep Dispensaree left 500,000 documents exposed showing names, addresses and medical information in unlocked containers in a courtyard at the back of its premises. Whilst there seems to have been no evidence of the data having been taken, the ICO felt that the pharmacy had not put adequate TOMs in place.

In July 2018 the ICO received a referral from the Medicines and Healthcare products Regulatory Agency (MHRA) which was conducting its own enquiry into the pharmacy’s alleged unlicensed and unregulated storage and distribution of medicines. The MHRA found 47 crates, two disposal bags and one cardboard box with documents containing personal data in unlocked containers at the back of the pharmacy’s premises. The MHRA seized the documents and put them in secure storage. The MHRA subsequently discontinued its investigation.


What did the ICO say?


Steve Eckersley, Director of Investigations at the ICO said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

The ICO also issued an enforcement notice against Doorstep Dispensaree on 17 December 2019. As well as the data breach, the ICO said that it was concerned that the company had inadequate data protection policies and procedures in place. One of the ICO’s concerns was that policies had not been updated since 2015. The ICO also had concerns about the company’s privacy policy. It must improve its data protection practices within three months or face further penalties. The measures required by the Enforcement Notice include:

  1. Updating its data protection policies and procedures
  2. Appointing a member of staff as a DPO or Information Governance Lead
  3. Mandatory training for all staff within the next 6 months with regular refreshers at least once every 2 years; and
  4. Updating the privacy policy

The company must also provide evidence to the ICO that those step

Subscription Form

Related Articles:
Latest Articles:

Already a subscriber? Login
RELX (UK) Limited, trading as LexisNexis, and our LexisNexis Legal & Professional group companies will contact you to confirm your email address. You can manage your communication preferences via our Preference Centre. You can learn more about how we handle your personal data and your rights by reviewing our  Privacy Policy.

Access this article and thousands of others like it free by subscribing to our blog.

Read full article

Already a subscriber? Login

About the author:

Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counselled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multi-national corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).

Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and appeared on BBC News 24 as the studio guest on the Walport Review.

In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, the Middle East and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology, risk and governance matters for more than 20 years. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.

Jonathan is a Solicitor of the Senior Courts of England & Wales. In addition Jonathan is admitted as a Solicitor (non-practising) in Ireland.