
ICO issues first fine under GDPR

Senior Associate Solicitor, Jane Sinnamon

The Information Commissioner’s Office (“ICO”) has issued its first fine based on its powers under the General Data Protection Regulation (“GDPR”). The ICO fined Doorstep Dispensaree Ltd, a London based pharmacy, £275,000 for failing to ensure the secure storage of special category data.

How did the pharmacy breach data protection laws?

The ICO received a notification from the Medicines and Healthcare products Regulatory Agency (“MHRA”) that it was investigating the pharmacy and that, during this investigation, it had found 47 unlocked crates, 2 disposal bags and 1 box containing documents with personal data. MHRA estimated that there were around 500,000 documents, containing information including names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As this information related to the data subjects’ health, it was classed as special category data, which attracts additional protection under the GDPR.

The documents were dated from January 2016 to June 2018 and many were soaking wet, which suggested that they had been stored in that condition for some time. Failing to process personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, breaches the integrity and confidentiality principle in Article 5(1)(f) of the GDPR.

How does the ICO calculate its penalty fines?

When considering whether to impose an administrative fine, the ICO must consider various factors, including the nature, gravity and duration of the infringement; the categories of personal data affected; the nature, scope and purpose of processing the data and the number of data subjects affected, and the level of damage suffered by them.

The ICO will also look at whether the infringement was intentional or negligent; the degree of responsibility of the controller/processor for it; and whether they notified the ICO of the infringement themselves.

Following the infringement, the ICO will look at any action taken by the controller/processor to mitigate the damage suffered by the data subjects, how cooperative they have been with the ICO, and whether the controller/processor either gained financially or avoided losses as a result of the infringement.

How much can the ICO fine a controller in breach of data protection laws?

Previously, under the Data Protection Act 1998, the maximum fine that the ICO could impose was £500,000. Under the GDPR this has been increased to €20m or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year, whichever is higher. This is the upper tier of fines, which applies to breaches of the data protection principles and of data subjects’ rights; a lower tier of €10m or 2% of turnover applies to breaches of other obligations, such as those relating to security measures and breach notification.

What does this mean for you?

Although the GDPR came into effect across the UK on 25th May 2018, it took the ICO until late 2019 to impose its first fine under the powers granted by the GDPR. It is possible that this was in effect a grace period, allowing businesses to update their policies and procedures and deliver training to employees to ensure that their practices are GDPR-compliant.

This action may mark the end of that period. Businesses should confirm that they have done what they need to do in order to comply with their obligations under data protection legislation, so as to avoid financial penalties imposed by the ICO.

This week’s author

Jane is a specialist employment lawyer recommended by the Legal 500 for her expertise and has been with the firm since its inception in 2010.
