The Information Commissioner’s Office (“the ICO”) in the UK has recently issued fines to two separate businesses for breaches of their data protection obligations. The fines are of particular interest because the Irish Data Protection Commission has yet to issue any fine under the General Data Protection Regulation (“GDPR”), although it is currently conducting a number of investigations into data breaches at businesses in Ireland.
Doorstep Dispensaree Ltd
Doorstep Dispensaree Ltd was fined £275,000 by the ICO in December 2019. The business supplies medicines to customers and care homes and is located in Edgware, London. It had left approximately 500,000 documents in unlocked containers at the back of its premises. The documents contained personal data including names, addresses, medical information and prescriptions.
This was the first fine the ICO has issued under the GDPR, which came into effect on 25 May 2018. In its release announcing the fine, the ICO noted that some of the documents had not been adequately protected against the elements and were water damaged. This constituted a breach of the business’s obligation to maintain appropriate security measures for the personal data involved.
DSG Retail Ltd
In January 2020, the ICO fined DSG Retail Ltd (“DSG”) £500,000 following a breach of DSG’s point-of-sale system. The breach affected at least 14 million people and gave the attackers access to 5.6 million payment cards. The ICO investigation established that malware had been installed on over 5,000 tills at DSG’s Currys PC World and Dixons Travel stores, where it ran between July 2017 and April 2018, a nine-month period during which personal data was accessed by the attackers.
Given the dates involved, the matter fell to be dealt with under pre-GDPR law, namely the UK’s Data Protection Act 1998. The breaches found by the ICO unsurprisingly concerned poor security arrangements and a failure to take adequate steps to protect personal data. Those failures were concrete and basic: inadequate software patching, the absence of a local firewall, a lack of network segregation and a lack of routine security testing.
The ICO imposed the maximum fine available under the Data Protection Act 1998, namely £500,000. In doing so, the ICO pointed out that in January 2018 it had fined Carphone Warehouse, a member of the same corporate group, £400,000 for similar security vulnerabilities. The fines that can be imposed for breaches of the GDPR significantly exceed those available under the preceding legislation and run as high as 4% of global annual turnover or €20 million, whichever is the greater.
The Irish Data Protection Commission
The Irish Data Protection Commission is currently undertaking over 70 separate investigations into suspected data breaches. A significant proportion of those investigations concern large multinational technology companies such as Google and Facebook. No fine has yet been issued in this jurisdiction, though it can only be a matter of time before that occurs.
Whilst the £275,000 fine imposed on Doorstep Dispensaree Ltd in the UK does not immediately set alarm bells ringing, it must be seen in context. It was a security failing on the part of a single, stand-alone business, and there was no information technology element to it, so to some degree the breach was relatively contained. Furthermore, the ICO has issued two notices of intent to levy fines of £99 million (Marriott) and £183 million (British Airways). This signals a very real intention on the part of the ICO to impose significant fines. It remains to be seen whether the Irish Data Protection Commission will follow suit.
For information on implementing policies and procedures to manage data protection risks or for any other data protection queries, please contact Laura Fannin firstname.lastname@example.org or Matthew Austin email@example.com
About the Author
Matthew is a partner in the Commercial & Business team at Hayes solicitors. Matthew advises clients on all forms of commercial dispute resolution and provides general commercial advice, including on contract law, intellectual property and copyright, media law, and general commercial agreements.