ICO hands out first GDPR fine as BA, Marriott cases linger

By Kyle Brasseur2019-12-23T21:08:00+00:00

No comments

The U.K. Information Commissioner’s Office (ICO) on Friday announced a £275,000 (U.S. $356,000) fine levied against London-based pharmacy Doorstep Dispensaree for violations of the EU’s General Data Protection Regulation.

The fine is the first the ICO has handed out under the GDPR, despite making headlines earlier this year with record-setting penalties against British Airways and Marriott. Both companies were issued notices of intention in July regarding their respective fines; the ICO has until six months from the date the notices were submitted to issue a final penalty notice, which can be appealed.

During the six-month period, British Airways and Marriott were each given 21-day windows to make representations to the ICO to fight their respective penalties. An ICO spokesperson recently told Compliance Week both cases are still ongoing.

In the case of Doorstep Dispensaree, the ICO cites failing to ensure the security of special category data as reason for the fine. The ICO said the pharmacy “left approximately 500,000 documents in unlocked containers at the back of its premises” and that the documents included names, addresses, dates of birth, National Health Service (NHS) numbers, medical information, and prescriptions belonging to an unknown number of people.

Further, the documents, dated between June 2016 and June 2018, were exposed to the elements the way they were stored and subsequently water damaged. Failing to process data in a way that ensures protection against such damages is a violation of the GDPR.

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss,” Steve Eckersley, director of investigations at the ICO, said in a news release. “This falls short of what the law expects and it falls short of what people expect.”

Despite the two years the documents were allegedly stored improperly, the ICO said it only considered wrongdoing from May 25, 2018, on—the day the GDPR took effect. The ICO was alerted to the violations by the Medicines and Healthcare Products Regulatory Agency, which was carrying out a separate probe into Doorstep Dispensaree.

The ICO has ordered the pharmacy to improve its data protection practices within three months and said failure to do so could result in further enforcement action.

Websites

We are not responsible for the content of external sites

Kyle BrasseurKyle Brasseur is Editor in Chief of Compliance Week. His background includes expertise in user personalization with ESPN.com.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact the CW Editor.

Article
British Airways banking on drastic reduction of record GDPR fine

2020-08-03T21:04:00Z By Neil Hodge

British Airways has hinted that it will qualify for a nearly 90 percent reduction of its original GDPR fine (U.S. $230 million) and end up paying just $26 million.
Article
Coronavirus could further stall BA, Marriott GDPR fines

2020-04-20T19:01:00Z By Jaclyn Jaeger

Record-setting proposed penalties announced by the U.K. Information Commissioner’s Office last year against British Airways and Marriott for violations of the GDPR may continue to linger amid the ongoing coronavirus pandemic.
Article
Latest Marriott breach exposes 5.2M guests

2020-03-31T19:51:00Z By Aaron Nicodemus

Marriott International says a breach may have compromised the personal data of 5.2 million customers, the second significant data breach for the hotel chain since 2018.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from GDPR

Article
Four years of GDPR: New tech testing data privacy law’s longevity?

2022-05-25T15:52:00Z By Neil Hodge

It has been four years since the European Union’s flagship data privacy legislation came into force, but concerns are already being raised about whether the General Data Protection Regulation is being outpaced by technological developments and their use of data.
Article
Dissatisfaction with GDPR pushing EU countries toward local laws

2021-12-21T15:18:00Z By Neil Hodge

So far, Europe’s wide-reaching data privacy rules have seemingly failed to curb Big Tech firms’ use and abuse of citizens’ personal data. As a result, some EU data regulators are pursuing their own investigations—often through other legislation.
Article
CWE panel: GDPR ‘the start of a culture of data protection’

2021-11-15T21:50:00Z By Neil Hodge

Belgian Data Protection Authority head David Stevens and Member of European Parliament Axel Voss discussed ways the General Data Protection Regulation could be improved for the future during a keynote at CW’s virtual Europe event.