DATA PROTECTION - 03.02.2020

Small business given first GDPR fine

The Information Commissioner’s Office (ICO) has issued the first GDPR penalty to a small business, totalling £275,000. As well as leaving personal data outside, another error was made. What was it?

Major breach. The Information Commissioner’s Office (ICO) has issued the first monetary penalty for breaches of the GDPR to Doorstep Dispensaree Ltd (D), a small company with a sole director, which supplies pharmaceutical medicines to customers and care homes. The ICO investigated D after it was informed that health-related personal data was being stored in unlocked containers at the back of D’s premises.

Data storage. The ICO subsequently found around 500,000 documents containing personal data that were being stored insecurely. Under the GDPR, all personal data must be held securely - it should certainly not be left in unlocked containers outside the data controller’s premises. As you might expect, the ICO was highly critical of D’s disregard of the GDPR and issued a fine of £275,000.

Key information. The ICO also criticised D’s privacy notice as it did not contain all of the information required under the GDPR. In particular, it:

  • did not state that D is a data controller;
  • gave no contact details;
  • did not state the legal basis for processing the personal data it had collected;
  • did not state the retention period for the personal data it held; and
  • did not inform data subjects of their rights of access, erasure, rectification and restriction.

These privacy notice defects contributed to the size of the fine imposed, and D was given three months to rectify them.

Tip. It’s easy to trip up over privacy notices. We can’t provide a one-size-fits-all document that works for every business, but you can use our privacy notice as your starting point and then draft your own for clients and customers in conjunction with the ICO’s online guidance (see The next step).

For a template privacy notice and the ICO’s guidance on how to draft a GDPR compliant privacy notice, visit http://tipsandadvice-business.co.uk/download (CD 21.09.01).

The company had a GDPR privacy notice for customers, but it omitted a stack of key information. To get yours right, use our privacy notice as your starting point and then follow the ICO’s online drafting guidance.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

subscriptions@indicator-flm.co.uk • www.indicator-flm.co.uk

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719