It’s official: the first GDPR fine in the UK has been issued to Doorstep Dispensaree for data protection breaches that spanned a two-year period.
This one involves medical data, which is among the most personal and sensitive forms of data there is. Medical data breach compensation claims account for a large proportion of the legal cases that we take forward because of how common they can be, and because of the impact on victims. The impact is often severe because this is the kind of information that we do not want to be misused or exposed.
The breach period, in this case, is between June 2016 and June 2018, which means that it just falls within the GDPR start period from May 2018. The Information Commissioner’s Office (ICO) was reportedly alerted to the breach by the Medicines and Healthcare Products Regulatory Agency (MHRA), which was conducting unrelated enquiries.
First GDPR fine issued in the UK
London pharmacy company, Doorstep Dispensaree, has officially been issued with the first GDPR fine here in the UK.
It has been fined the sum of £275,000.00 for what the ICO has called “failing to ensure the security of special category data.” The penalty has been issued in light of some 500,000 documents reportedly being left in unlocked containers at the rear of its Edgware premises. The insecurely stored documents contained personal information about the data subjects, including names, addresses, birth dates, NHS numbers and medical data.
It’s also understood that some of the documents had been damaged from water exposure.
When deciding the level of the fine, the ICO considered the contravention from the date the GDPR came into effect. Director of Investigations at the ICO, Steve Eckersley, said:
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
What about the BA and Marriott fines?
You may recall news about the BA and Marriott fines that have hit the headlines, with penalty figures in the sum of £183m and £99m respectively.
Neither of these is officially the first GDPR fine to be issued as they are, at this stage, notices of an intention to fine. The amounts are provisional and are subject to appeals, which we understand are being made.
In the case of Doorstep Dispensaree, their GDPR fine is being classed as the first official one here in the UK, which we assume to be the final fine in this matter.
Claims: separate to fines
The first GDPR fine is likely to be the first of many as the UK’s data watchdog now has greater powers to issue more substantial penalties for offenders.
But it’s important to understand that the rights for victims are dealt with in a different way. Money from penalties isn’t designed to be used as compensation for the victims, which is where we come in. As specialist data breach lawyers, we represent victims who can be entitled to claim compensation for any distress and/or financial losses caused.
In medical data cases, data breach compensation amounts can be significant given how personal and sensitive this kind of information can be. We recognise this when we represent victims on a No Win, No Fee basis for claims, and you can speak to our team today for free, no-obligation advice about your options.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Matthew on January 07, 2020