“Careless” storage of customer data results in the UK’s first fine under GDPR

Doorstep Dispensaree Ltd, a distributor of pharmaceutical and medicinal products to care homes was hit with a £275,000 fine by The Information Commissioner's Office (the “ICO”) in the UK. The ICO is the UK’S equivalent to the Data Protection Commission in Ireland. The penalty notice was issued against the company as data controller on the 17 December 2019 under the General Data Protection Regulation 2016 (the “GDPR”) and is the first fine issued by the ICO under the GDPR.

The ICO was notified of the data breach via a separate investigation conducted by the UK medical authority. That investigation revealed that some 500,000 documents containing personal data such as names, addresses, medical information and prescriptions were being stored in unsecured containers in an open courtyard. The company also failed to implement and distribute a proper privacy notice which included the following information:

• they were a data controller;
• their legal basis for processing customers’ personal data;
• the categories of data involved; and
• informing customers of their rights under the GDPR as data subjects.

The ICO commented that this was an “extremely serious” breach and based its decision on the company’s lack of data security measures and failure to comply with its transparency requirements under GDPR. This costly breach arose from the negligent and careless record keeping of the data controller and could have been avoided had the company taken appreciate measures to comply with its obligations under GDPR.