The UK Has Issued Its First GDPR Fine: Will Ireland Follow Suit?
In 2020, the data protection requirements set out by the GDPR will be reviewed for enforcement and adherence.
On 20th December 2019, the UK’s independent regulator for data protection and information rights law, the Information Commissioner’s Office (ICO), issued its first fine under the GDPR. The fine was incurred by Doorstep Dispensaree, a pharmacy based in London. The fine amounted to €320,000 (£275,000), making Doorstep Dispensaree the first organisation in the UK to be penalised for breaching its obligations under the GDPR.
Reasons for the Fine
Doorstep Dispensaree pharmacy violated the GDPR’s integrity and confidentiality principle, which states that personal data must be:
“processed in a manner that ensures appropriate security […], including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Doorstep Dispensaree supplies medicines to thousands of care homes.
It left approximately 500,000 documents containing personal data in unlocked containers at the back of its premises.
The documents, dating from June 2016 to June 2018, included patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. The ICO found that the pharmacy had:
- Failed to implement measures to guard against unauthorised access, instead leaving the personal data in an unlocked box that anyone could view;
- Failed to protect against accidental destruction, with the Information Commissioner’s Office (ICO) noting that the boxes were exposed to the elements and had become water damaged.
Steve Eckersley, Director of Investigations at the Information Commissioner’s Office (ICO) said:
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect.”
How to Avoid This
Knowledge is Power
• Educating your employees in the dos and don’ts of data protection has proven to be one of the most effective measures for preventing data breaches;
• The way data is handled and processed needs to be audited continually to make sure employees are following best practices and that sensitive information is secure.
IT Security Vulnerability Assessment
• Test the strength of your business’s security;
• Update security software regularly;
• It is highly advisable to engage a professional IT consultant to carry out this assessment;
• Make sure your employees know how to set a strong password: at least 8 characters (15 is better) with a mixture of upper and lower case letters, symbols and numbers;
• Encrypt data when it is stored and when it is transmitted, so that it is protected with a high level of security and confidentiality.
Ireland is among eight countries (the others being Croatia, Estonia, Finland, Luxembourg, Switzerland, Slovakia and Slovenia) that have yet to levy fines for GDPR breaches.
According to financial consultancy firm Mazars, “no organisation is exempt from the reach of the supervisory authorities; even private citizens are being subjected to fines for noncompliance. Issues around the processing of personal data have to date been the most prevalent but given the regulations are only just over a year old, this pattern may change as organisations become more familiar with their responsibilities”.
As of 24th May 2019, the Data Protection Commission had received 5,818 data breach notifications since the GDPR came into effect.
Will this lead to fines becoming a reality for organisations in Ireland in 2020?
To see what your business needs to do to ensure this does not happen to you, contact us today or view the compliance solutions available to you.