The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.
The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.
The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from mondaq:
These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.
The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.
There are many important things to note from this first UK GDPR fine:
- While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
- The data involved was not breached, but was stored in a dangerous way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but overall compliance.
- GDPR does not only apply to data stored digitally, but hard copies as well. Physical documents should be stored safely and securely, and properly disposed of as well.
- Data controllers are required to protect data against damage or accidental loss; apart from questions over security, it is clear that storing documents outside in a cardboard box will insufficiently protect them from damage.
- According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR in any way.
Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.
If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.
A new survey of employees in the US has found that the vast majority lack GDPR awareness. 84% had never heard of it – even though it applies to companies outside the EU that handle EU citizens’ data – and their lack of understanding about their own data protection laws was also poor.
53% knew nothing of federal or state data protection regulations. On the other hand, in the UK, 83% of respondents knew of data protection measures taken by their company. The same number also knew their responsibilities.
TechRepublic drew the following conclusions:
On one level, a greater understanding of GDPR in the UK than in the US isn’t surprising, as GDPR is a European regulation. However, many companies today operate on a global scale, which means those in the US are still obligated to follow GDPR to protect the data privacy of their European customers.
Training is obviously one critical factor that can help employees better understand and follow data privacy regulations. But this element also uncovered differences between the US and UK. In the US, 46% of respondents said they received ample training from their employers to make sure customer data is protected as dictated by regulations. In the UK, 67% of respondents said they’re received such training.
You can read the full article and breakdown here: https://www.techrepublic.com/article/84-of-us-employees-have-never-heard-of-gdpr/
GDPR awareness has definitely led to better data protection practices already in the UK. 65% of employees stated that they are handling sensitive data differently since the new laws came into force.
Whether the US will follow the European model of data protection remains to be seen, but GDPR certainly seems to have had a positive effect on the way employees regard data.
And with GDPR having a global reach, it’s important that US employees learn their responsibilities quickly.
Uncertain about your own obligations under GDPR? We offer many services that can help you out, including GDPR Consultancy and GDPR Staff Training. Don’t hesitate and put your organisation at risk – get in touch today!
The impact GDPR has already had shouldn’t be ignored. Between May 25th and July 3rd 2018, the ICO already received an immense 6,281 complaints concerning possible data breaches. This is a 160% increase on the same period in 2017, demonstrating how GDPR has raised awareness of how personal data is used and the protection regulations surrounding it – this is an issue that many people have taken to heart. But what about GDPR compliance after Brexit?
The United Kingdom may be leaving the EU on March 29th 2019, but that won’t mean the end of GDPR. Whether a deal is reached or not, the data legislation will still hold for British businesses. The European Union (Withdrawal) Act 2018 ensures that when Brexit comes into effect, GDPR will be incorporated into UK law – so fundamentally, GDPR compliance after Brexit will remain the same.
Anyone hoping to use Brexit to evade the ramifications of GDPR will be sorely disappointed. There will likely be some small changes to make GDPR fit the UK’s individual needs, leading to separate “UK” and “EU” versions of GDPR, but the framework will probably remain the same.
What does this mean for UK firms? Ultimately, GDPR compliance should still be a major focus. Once the UK leaves the EU, there will be little change to data protection regulation, meaning that the same measures need to be taken both pre- and post-Brexit. While the exact details remain to be seen, it is likely that data breaches will be treated in a similar manner, with near-identical penalties for data breaches.
There is an additional factor, however. With the UK no longer a member state, it’s uncertain whether data will continue to flow freely into and out of the EU. It’s important to keep an eye on how this issue develops; it will depend on the eventual deal between the UK and EU. It seems likely that a solution will be found, but companies should put safeguards in place for either eventuality.
Fundamentally, GDPR is here to stay. Brexit won’t change that, and with greater media attention on data protection, it’s at the forefront of everyone’s minds. The penalties for non-compliance are severe, and not to be risked.
For our help in ensuring GDPR compliance after Brexit and before, contact us today for our Gap Analysis and consulting. We also offer Data Protection Staff Training to improve the data protection knowledge and confidence of your employees.
The first GDPR notice in the United Kingdom has been issued to AggregateIQ Data Services. The Canadian firm was linked to the Facebook-Cambridge Analytica Scandal earlier this year, providing tools involved used in data analytics for political campaigns. Having caught the attention of the Information Commissioner’s Office, it has now run into trouble for failing to comply with GDPR.
The ICO has served this notice in connection to EU citizen data being held by AIQ. Because the data involved – including names and email addresses – is being stored for political purposes and without the users’ consents, there is no lawful basis for AIQ to process it.
Take a look at the full story about the UK’s first GDPR notice here: https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/
There are several important things to note about this, illustrating the dangers of not being fully aware of GDPR and its implications…
- AIQ may be based outside of the UK, but this doesn’t protect it. This is because, in the words of the ICO, “AIQ’s processing of personal data is said to relate to monitoring of data subjects’ behaviour taking place within the European Union”.
- For its role in the Cambridge Analytica scandal in March, Facebook was fined £500,000 under the terms of the Data Protection Act 1998. However, the notice issued to AIQ still comes under GDPR, even though the data it is processing relates to the same scandal. This is because AIQ didn’t tell the ICO it still held EU citizen data until May, when GDPR came into effect.
- The issue for AIQ is that there’s no legal basis for them to hold this data. The ICO states: “The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.”
- While the GDPR notice has only recently come to the attention of the public, it was originally issued in July. The ICO demanded that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
- AIQ had only thirty days to comply with this demand. Considering that the Cambridge Analytica scandal hit 87 million users, and that the firm provides software and tools for managing data for political purposes, this is a huge job to perform in such a short space of time.
It should be noted that AIQ has the right to appeal – and is exercising that right. However, if its appeal is rejected, it will face fines of up to €2 million or 4% of its annual global turnover, whichever is higher – and that is per data breach…
For our help and support with your own GDPR awareness and compliance programme, use the Contact Form on the right to get in touch today.
When the UK leaves the EU, many things will change. The new regulations of GDPR after Brexit will still significantly affect the UK in major ways. Read this article for further important information on GDPR after Brexit: http://realbusiness.co.uk/law/2017/05/24/brexit-doesnt-mean-end-gdpr-compliance-uk-businesses/).
GDPR regulations come into place May 2018, before the UK leaves the EU. Therefore, for at least the remaining time the UK is part of the EU, GDPR will affect UK organisations. But once Brexit comes into place and the UK leaves the EU, how will GDPR compliance be affected?
Once the UK leaves the EU it becomes a “third Country”. This is essentially a country that resides outside the EU. Countries such as the USA, Australia, and New Zealand are all Third Countries, for example. Third Countries have different data protection laws than the EU, but many organisations in those countries will still be affected.
GDPR should not be thought of as a law for EU companies, but a law for EU citizens. Hence, any organisation, whether part of the EU or not, must comply with GDPR for any EU citizens they hold Personally Identifiable Information (PII) on.
So, an American based company must comply with GDPR regulations if they have personal data on any citizens from the EU. This is not likely to affect smaller companies in Third Countries massively, but large organisations with branches all over the world will be hugely affected.
This includes the UK. As a Third Country, all UK organisations that hold data on EU citizens will have to comply to GDPR – this is likely to affect UK organisations more because of the prior involvement with the EU and you would expect the likelihood that UK organisations hold data on EU citizens to be higher than other Third Countries.
Though, it is entirely possible that once GDPR becomes national law in the UK, the government will retain those laws post-Brexit.
The UK government’s Data Protection Bill has already essentially confirmed that GDPR (or regulations that are similar to GDPR) will remain in force. In fact, the laws here may even be stricter than the current GDPR laws.
The UK has begun negotiations to make a pact with the EU to continue free transfer of data post-Brexit (see this article). The intention made by the UK Data Protection Bill then seems like a signal to the EU to ensure the UK continues to be a safe place for EU citizens’ data.
If the UK has the same or similar data protection regulations as the remainder of the EU, it is more likely that the EU will accept this pact and data will continue to flow freely.
Another important element of GDPR post-Brexit is the potential need for Data Protection Officers (DPO). If a business is deemed to need a DPO under GDPR they will need to have a nominated representative to complete DPO duties. This representative needs to be based with the EU ie not in the UK, which is fine for multinationals. However, this will be troublesome for UK businesses that have even just a few EU citizens as custmers.
GDPR after Brexit will still be an important regulation for UK based organisations, with the UK government even taking the regulations as a template for their own adaption of the laws, but there will be many complications and issues…