First fine under GDPR for data breach in the UK
210 days after the introduction of the General Data Protection Regulation (“GDPR”) in May 2018 (by the Data Protection Act 2018 (“DPA 2018”)) in the UK, the ICO issued its first fine on 20 December 2019 to Doorstep Dispensaree Limited for a sum of £275,000.
What is the GDPR?
The GDPR and DPA 2018 provides a legal framework for the collection, use, storage and dissemination of “personal data” and “sensitive personal data”. This legislation is there to protect your information and give you greater transparency over its use.
Organisations must keep your information safe, accurate, used in the way you have agreed, and not disclosed without your permission.
The GDPR was introduced to align data protection across the EU and the DPA 2018 replaces the previous DPA 1998 in the UK – they place greater obligations on how organisations control and process personal information in line with your legal rights.
More importantly the maximum penalty was increased to €20 million or 4% of global turnover, whichever is the greatest. Previously it had been capped at £500,000 in the UK.
Doorstep Dispensaree Limited
This is a London pharmacy company set up in 2015 which supplies medicines to both individuals and care homes.
The ICO were tipped off by the Medicines and Healthcare products Regulatory Agency who during their own investigation had found 47 unlocked crates, 2 disposal bags and 1 cardboard box full of about 500,000 documents containing data stored in a rear courtyard. The documents contained personal data (name, address, DOB, NHS number) as well as sensitive data (medical information and prescription), and was not secured or marked confidential. The ICO first contacted the company in August 2018 with their concerns.
In the Penalty Notice issued by the ICO, the fine of £275,000 was issued due to:
- Failure to implement appropriate organisational measures to ensure the appropriate security of the personal data it processes
- Processed personal data in an insecure manner
- Data being kept longer than was necessary
- Failure to provide data subjects with information required under Articles 13 and/or 14 of the GDPR (privacy notice)
The level of the fine was exacerbated by the following factors:
- Failure to co-operate with requests for information
- Outdated policies (most had not been updated since April 2015, i.e. prior to implementation of GDPR/DPA 2018)
- The documents were not secure and some had been water damaged
- The documents were not shredded (contrary their own policy at the time), with some documents dating back to 2016
- There was no retention policy at the time
- The breaches were negligent and repeated
- They did not self-report, the ICO were tipped off by another regulatory body
The ICO concluded that “the Breach was extremely serious, and demonstrates a cavalier attitude to data protection. The systemic nature of Doorstep Dispensaree’s data protection failures is underlined by the fact that its policies and procedures are outdated and inadequate.”
Previously since May 2018
You may recall that in July 2019 the ICO issued an intention to fine British Airways £183,039,000 for poor security measures which allowed personal data of about 500,000 customers (name, address, login in, payment card, and travel booking details) to be compromised.
Only a day apart, the ICO further issued an intention to fine Marriott International £99,200,396 for a cyber-attack in 2014 (but not discovered until 2018) compromising about 339 million guest records globally (about 7 million were UK residents).
Representations from both companies to the proposed findings and sanctions are currently being considered by the ICO before their final decision.
Elsewhere in the EU
The highest fine was imposed in France for €50,000,000 against Google for lack of transparency, inadequate information and lack of valid consent in advertising personalisation.
According to this website there has been around 150 fines imposed under the GDPR since its introduction in May 2018.
The ICO lists 103 enforcement action taken since January 2018 including 58 monetary penalties, 26 enforcement notices, 12 prosecutions and 7 undertakings.
A report published in February 2019 by the European Data Protection Board looking at the impact 9 months on since implementation of the GDPR found that 206,326 cases had been reported across the 31 countries in the European Economic Area. Fines imposed totalled about €56,000,000.
The ICO are keen to make an example of companies and are not shy to use the extra powers bestowed by the new legalisation in 2018. Consumers are also more alert to the value of their data and expect companies to be doing more to protect this valuable asset.
As the backlog of cases pre-2018 are concluded, the path is clear for more major fines to be imposed, especially as the ICO have now increased staffing to meet growing demands.
In their annual report published on 9 July 2019 covering the 12 months up to 31 March 2019, complaints have almost doubled from 21,019 to 41,661. There was also a 66% increase in contact through the helpline, chat and written advice services (471,224 from 283,727).
Companies should therefore not be complacent or wait until the ICO come knocking at their door before taking appropriate and adequate steps to protect the personal data of their customers.