Stark warning to businesses after £275,000 fine for breach of GDPR

5th February 2020

A London pharmacy has just been fined £275,000 for failing to ensure the security of special category data under the General Data Protection Regulation (GDPR).

GDPR is a data protection regulation set by the EU to give individuals more control over their personal data. The Regulations came into effect on 25th May 2018 to ensure the security of individuals' personal data, and most of us will be aware of them: remember all the emails asking you to confirm you were happy for your details to be stored? Those were a result of the GDPR regulations. All businesses must abide by these regulations, and if there is even a slight breach it must be reported to the Information Commissioner.

You have the following rights under the GDPR:

  • A right to be informed about how we process your data
  • A right of access – you are entitled to find out what information we hold about you and why – see below
  • A right to rectification so that we must correct or update your details
  • A right to erasure – see below
  • A right to restrict processing
  • A right to data portability enabling you to obtain and re-use the personal data you have given to us
  • A right to object to us processing your data for marketing or profiling purposes
  • Rights concerning automated decision making and profiling

It is worth noting the issuing of this first fine by the Information Commissioner’s Office and the failures of the pharmacy. The full Notice is available here and details the reasons behind the decision and the fine amount. To summarise, around 500,000 documents, including names, addresses, dates of birth, NHS numbers, medical information and prescriptions, were left outside in unlocked containers; some had considerable water damage, which suggested they had been there for some while. In addition to the severity of the breach, it was also noted that it was not the pharmacy that reported it to the ICO, something you are required by law to do within 72 hours of becoming aware of a breach, or a suspected breach, of GDPR.

As a law firm, confidentiality and security of data are ingrained within the firm: we hold very sensitive information due to the type of work we do and have followed guidelines written specifically for law firms in the past, so the introduction of GDPR did not change much for us. However, we believe this case to be a stark warning to businesses that do not take their data collection and storage seriously. Be assured that at Gilbert Stephens we will only collect information from you that is relevant to the matter we are dealing with. We will ensure that all the information you provide us with is kept secure using appropriate technical and organisational measures, and we will not retain it for any longer than is necessary. You can read our full Privacy Notice here.