Background
A pharmacy known as Doorstep Dispensaree Ltd left around 500,000 documents containing personal information in unlocked containers at one of its premises. The Medicines and Healthcare Products Regulatory Agency reported this to the Information Commissioner’s Office (ICO).
The ICO concluded that the pharmacy had failed to process the data in a way that would ensure appropriate security in contravention of GDPR. The ICO fined the company £275,000 and issued an enforcement notice requiring them to improve their data protection practices within three months of the notice.
The pharmacy appealed its fine to the First-tier Tribunal. In the appeal, the pharmacy argued that fewer than 75,000 documents had actually been involved, that only some of these contained personal data, and that even fewer contained special category data.
Appeal
The tribunal concluded that far fewer individuals had been affected by the breach than the ICO had reported. In actuality, only 73,719 documents were seized and only 53,871 of those documents contained special category data.
The original fine of £275,000 was based on a breach affecting around 500,000 individuals. The actual number of people affected was much lower, and the tribunal therefore found that the fine should be cut to £92,000.
The tribunal did, however, uphold the enforcement notice, commenting that it was proportionate and reasonable and should be complied with, on the basis that Doorstep Dispensaree Ltd’s data protection policies did not comply with the legislative requirements.
Comment
This case acts as a helpful reminder that all organisations need to ensure that any personal data is held securely in line with the UK GDPR and Data Protection Act 2018. Most pertinently, it reinforces that any fines for a breach are to be quantified based upon the severity of the breach and the number of individuals affected.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you are affected by any data protection issues, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.