First GDPR fine issued for data breach

Failure to comply with the GDPR

The Information Commissioner’s Office (ICO) has issued its first-ever fine for a failure to comply with the General Data Protection Regulation (GDPR). Despite having wide powers to issue fines for data breaches, the ICO has until now only issued recommendations and requirements on those in breach of the GDPR data protection requirements.

The £275,000 fine was issued against Doorstep Dispensary, a pharmaceutical company based in London. The company supplies drugs to care homes nationwide and was investigated by the ICO for its significant data breach when it left over 500,000 documents containing the personal data of patients in unlocked containers outside its premises. The information included in the documents included patients’ identities, addresses, dates of birth and NHS numbers as well as their general medical information and prescription details.

Personal data processing

This was an example of a significant and serious large scale data breach, and Doorstep Dispensaree failed in its obligation under the regulation to keep individuals’ personal data private. The GDPR requires that personal data is processed with appropriate security, which includes protection against its unauthorised and unlawful processing, against accidental loss, destruction or damage. It also requires that appropriate technical and organisational measures are used to ensure compliance.

Do you want to know more about the GDPR? Take a look at our GDPR Brochure.

The ICO noted that Doorstep Dispensaree had failed in its duty in two ways; it had not implemented measures to guard against unauthorised access by leaving the personal data outside insecurely and enabling anybody to have access to it. It also failed to prevent the accidental destruction of the documents by leaving them unprotected outside where they became water damaged.

Whilst the ICO has confirmed it intends to fine both Marriott International and British Airways for their breaches of GDPR during 2019, this is the first fine which has been finalised by the ICO. It demonstrates the high cost of the penalties the ICO can issue for GDPR breaches and stresses the importance of ensuring that adequate measures are in place for data security and compliance at all times.

If you have any concerns regarding your compliance with GDPR or need advice on what to do on the occurrence of a breach within your organisation, please contact us. Our expert data protection lawyers can offer tailored advice and crisis management services to help you to deal with your situation as efficiently as possible to minimise the risk of your organisation being fined or sanctioned by the ICO.

Do you need help with the GDPR? Contact our Technology team now.