First GDPR Fine Hits UK Pharmacy

First GDPR Fine Hits UK Pharmacy

First GDPR Fine Hits UK Pharmacy. Medicines and Healthcare products Regulatory Agency (MHRA) had been investigating and urging the organisation to acknowledge their mandatory obligation to comply with GDPR and other best practices.

GDPR Milestone: UK Pharmacy Slapped with Historic Fine – What Every Business Must Learn:

On December 17, 2019, the UK Information Commissioner’s Office (ICO) fined a London-based pharmacy £275,000. The fine was for breaching GDPR. The pharmacy failed to securely store sensitive patient information. They must pay the fine by January 17, 2019. The initial GDPR fine in England sparks renewed enthusiasm to make individuals reconsider data protection views, affecting prospects and clients. Observers of this field anticipated such an outcome, considering the limited enforcement observed since May 25, 2018. Yet, the breach’s tale highlights neglect, emphasising GDPR’s broad impact and how diverse businesses can unknowingly breach regulations.

Background On The Pharmacy:

Based in Edgware, North London, Doorstep Dispensaree is a registered pharmacy delivering prescriptions to residents through a home courier service.This service offers significant convenience, particularly for elderly or disabled patients who face challenges in traveling to their local pharmacy. The company has garnered numerous positive reviews from patients and local inhabitants, attesting to the quality of care provided.

It’s crucial to clarify that the breach at hand does not reflect on the standard and excellence of patient care. Instead, it highlights the inadequacies in data protection and GDPR compliance within the industry. Whether stemming from negligence or a lack of awareness among those involved, the resulting impact remains consistent. Therefore, the question arises: How did Doorstep Dispensary find itself in breach of GDPR?

How the First GDPR Fine Hit The UK:

According to ICO reports, approximately 500,000 documents containing sensitive information about care home patients, including their names, addresses, dates of birth, NHS numbers, medical details, and prescriptions, were found unsecured. These documents were discovered within 47 crates, two disposal bags, and one cardboard box, all left unlocked at the rear of the premises. These documents, spanning from January 2016 to June 2018, lacked proper security measures and were not labeled as confidential waste, as indicated in the ICO’s enforcement notice.

The ICO determined that this incident clearly constituted a failure to adequately safeguard special categories of highly sensitive personal data. As a consequence, a fine of £275,000 was imposed. Additionally, several recommendations were provided to encourage the organisation to take a proactive stance toward data protection and GDPR compliance.

An official statement was released by the regulator

“Doorstep Dispensaree’s data protection policies had not been updated since April 2015. Therefore not compliant with GDPR requirements. The ICO has ordered Doorstep Dispensaree to improve its data protection practices within three months or face further penalty notices. These could see the pharmacy pay up to 4% of its annual turnover in fines”

Information Commissioner’s Office

In my view, this instance once again underscores the ease with which one can unintentionally violate the law. Numerous companies hold the belief that taking proactive measures to achieve GDPR compliance is unnecessary, especially when such actions involve costs and cultural adjustments. However, the truth remains that the volume of such cases will likely rise, accompanied by more substantial fines, thereby spotlighting instances of lax data protection practices.

For those enterprises that are approaching GDPR with a proactive mindset, I offer my congratulations. This approach is indeed commendable. Furthermore, there are numerous affordable and effective solutions available to assist in achieving and maintaining compliance with GDPR regulations.

For more info contact us to schedule a data protection audit: