First Fine under GDPR

canstockphoto3157426

The Information Commissioner’s Office (ICO) has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd, has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.

The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements GDPR’s security and data retention obligations. Following a thorough investigation the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.

The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Doorstep Dispensaree has also been issued with an enforcement notice, under Section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:

Training seems to feature heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.

After issuing Notices of Intent to two high profile companies for millions of pounds (British Airways and Marriot) the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that are not repeating the same mistakes as Doorstep Dispensaree Ltd.

These and other GDPR developments will be discussed in detail in our GDPR update workshop.

Author: actnowtraining

Act Now Training is Europe’s leading provider of information governance training with clients including government organisations, local authorities, multi national corporations, financial institutions and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

4 thoughts on “First Fine under GDPR”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: