Doorstep Dispensaree, the company that had the dubious honour of being the first to be slapped with GDPR fine in the UK, has learned the hard way that sometimes, just sometimes it is better to let it lie.
The Information Commissioner’s Office issued the business with a £275,000 penalty in December 2019 for failing to store “special category data” securely.
At the time, the ICO ruled the firm – which supplies medicines to customers and care homes – left nearly 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
It originally served the firm with a notice of intent for a £400,000 penalty but this was reduced following “representations” made to the regulator.
However, Doorstep Dispensaree still felt hard done by and launched a partially successful appeal at the Upper Tribunal, with Judge Moira Macmillan taking “a number of issues” into consideration, including the financial hardship suffered by the company. She concluded that the fine be reduced to £92,000.
But the firm still was aggrieved so it launched a third appeal in an attempt to throw out the fine all together.
Sadly for Doorstep Dispensaree, however, it was a case of three strikes and you are out with an Upper Tribunal judge rejecting the firm’s arguments and ruling there was no fault in the ICO’s legal reasoning. The judge also rejected an attempt to have the penalty classified as a criminal charge.
Whether Doorstep Dispensaree will try a fourth time is not known but one thing is certain, for a company which claimed to be suffering hardship, it does not seem to have any trouble totting up a large legal bill.
First UK firm hit under GDPR has fine cut by nearly 70%
ICO issues first GDPR fine, but it’s not BA or Marriott
GDPR penalties near €4bn in EU after ‘double busy’ H1
Revealed: Data breaches which will get the ICO calling
GDPR five years on: ‘Firms just don’t fear enforcement’
GDPR five years on: The death knell for lazy marketing?