Author of this post: Ciara Fitzgerald, Head of Legal at Ward Solutions
The ICO has applied its first GDPR fine (yes, really – all the previous news you heard about the ICO and fines were merely notifications of intentions to fine!). Doorstep Dispensaree Limited has become the first GDPR victim, with a fine of £275,000 being levied on 17th December 2019. That might seem like small change in comparison to the eye-watering sums that the Marriott Group and British Airways may yet have to shell out; however, it is not small change to a small company, and that is the noteworthy element of this fine.
Doorstep Dispensaree Limited is a London-based SME that provides medicines to customers and care homes. The ICO commenced an investigation after the Medicines and Healthcare products Regulatory Agency notified it that Doorstep Dispensaree had insecurely stored documents (which it discovered during its own investigation into the company). The documents numbered approximately 500,000 and contained personal data, including special category data (NHS numbers, medical information and prescriptions). The documents, some of which were water damaged, were stored in 47 unlocked crates, 2 disposal bags and one cardboard box at the back of the company’s premises. They ranged in date from January 2016 to June 2018.
During the process, Doorstep Dispensaree attempted to argue:
a) That a licensed third party waste disposal company was at fault. The ICO disagreed, finding that Doorstep Dispensaree was the controller determining the purpose and means of processing and that the waste disposal company was merely a processor acting on its instructions;
b) The yard in which the documents were kept was locked. Again, the ICO disagreed, as not only was there access to the yard from residential units but the locked yard did not protect against “accidental loss, destruction or damage” as required by Article 5(1)(f);
c) That it employed a company to collect and shred the relevant data. The ICO found that no contract could be sourced between Doorstep Dispensaree and this company and, in any event, whatever shredding policies were in place had not been implemented correctly or at all. The ICO also commented that most of the data protection policies provided by Doorstep Dispensaree were out of date, inadequate or in template form.
The Director of Investigations at the ICO said “[t]he careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect”.
The ICO determined therefore that Articles 5(1)(f) (appropriate technical and organisational measures), 24(1) (responsibility of the controller) and 32 (security of processing) had been contravened by the company, as it had failed to implement appropriate organisational measures to ensure the security of the personal data it processes and had processed personal data in an insecure manner. In addition, the Penalty Notice outlines that Article 5(1)(e), which provides that personal data be kept in a form which permits identification of data subjects for no longer than necessary, was likely to have been infringed (para. 2(a) of the Penalty Notice). Doorstep Dispensaree was also found to be in contravention of Articles 13 and 14, as its Privacy Notice did not contain all the information required by law.
The decision of the ICO is not surprising given the facts as laid out above. It is a reminder, however, that ALL organisations that process personal data are subject to the same obligations under the GDPR, regardless of their size. In this instance, the company could have avoided this fine (and the accompanying bad publicity) by:
a) ensuring that all personal data (including special category data) it processed was subject to appropriate technical and organisational measures and that those measures included data protection by design and by default; and
b) putting in place, effectively implementing and regularly reviewing a suite of data protection policies.
Obviously, this fine is not necessarily indicative of what the Data Protection Commission might do, but it is worth noting and learning from. Some shorter-term investment of time, resources and money to ensure you have a robust, effective and GDPR-compliant data protection regime in place could save you a lot more in the longer term.
If you have queries relating to data protection or how your business can enhance its compliance with the GDPR, speak to our subject-matter experts. We provide end-to-end security solutions that will protect your business from an attack. Contact Us to discuss your unique requirement.