Forget BA and Marriott (their intended fines have not yet emerged) – the first fine (of £275,000) under the General Data Protection Regulation (GDPR) issued by the Information Commissioner's Office (ICO) is against the much smaller Doorstep Dispensaree Ltd.
The London-based pharmacy has been given the penalty for multiple infringements of GDPR. These came to light when the Medicines and Healthcare products Regulatory Agency, which was carrying out its own separate enquiry, alerted the ICO. Approximately 500,000 documents had been left in unlocked containers at the back of the company's premises. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The ICO has held that this gave rise to infringements of Articles 5(1)(e) (storage limitation), 5(1)(f) (integrity and confidentiality), 24(1) (responsibility of the controller) and 32(1) and (2) (security of processing) – cumulatively, GDPR's security and data retention obligations. Separately, the investigation led the ICO to find that the company's privacy notices, required under Articles 13 and 14 of GDPR, were defective, as were its internal policies.
Ultimately, according to the ICO, this was "extremely poor data protection practice, amounting to significantly negligent conduct" and the infringements were "extremely serious". In arriving at the figure of £275,000, the ICO (as it is required to do) took into account a number of factors, including the company's financial situation. The company's level of co-operation with the ICO's investigation was also described as "poor", and it attempted to argue that responsibility lay with the waste disposal company it had engaged. However, the ICO pointed out that the latter was merely a processor under GDPR, and primary responsibility lay with Doorstep Dispensaree itself, as controller.
A final noteworthy point – no discount is being offered for early payment of the fine. Under the law prior to GDPR, the ICO would habitually offer a 20% discount if the fine were paid within 28 days. It is not immediately clear why this option has disappeared under GDPR.
All organisations should read the penalty notice carefully – it will contain much to guide them on what bad practice looks like, and how it might result in a hefty fine.