Happy New Year and health and happiness to all.
The first financial penalty has arrived!
As you have no doubt been enjoying the festive period and recharging your batteries, you’ll be forgiven for missing the first actual financial penalty under the General Data Protection Regulation (GDPR), as applied in the UK through the Data Protection Act 2018 (DPA 2018).
It may surprise you that the first penalty (publicised on 20th December 2019) isn’t against BA or Marriott, which still appear to be in negotiation, but against a pharmacy company called Doorstep Dispensaree Ltd.
The £275,000 penalty was not levied for a cyber breach exposing records; instead the breach was reported to the ICO by the Medicines and Healthcare products Regulatory Agency (MHRA), which was carrying out its own separate enquiry into the pharmacy.
Not all breaches are breaches of confidentiality
The breach was due to approximately 500,000 records (many containing special category data) found sitting in unlocked containers and soggy cardboard boxes in a locked yard.
Whilst this may well surprise you, we need to remember that personal data (and special category data) is not just digital: the legal definition looks at the content, not the medium it is held on. This is the reason why I prefer to use the term information rather than data.
So, we need to look beyond technical systems to all personal and special category information, in whatever form, when we look at these matters.
The water-damaged records are of interest in this regard, as a personal data breach also occurs when personal information is damaged or destroyed so that it can no longer be used for its intended purpose (i.e. a loss of integrity or availability), not only when it is disclosed.
Governance is important
During the ICO’s investigation, a number of governance deficiencies were found that contributed to the judgement:
- The locked yard was offered as justification that the records were secure, even though a fire escape from residential flats gave access to it.
- Dispensaree tried to blame the company it used for disposal, yet it was still the controller and therefore liable: you cannot outsource responsibility.
- The purposes for processing the records found were not defined, which is a basic item in the ICO’s 12 steps GDPR guidance.
- Template documents, not records, were provided as evidence; the templates hadn’t been modified for use within Dispensaree.
- No retention policy was defined for the information being stored.
- Dispensaree hadn’t responded to the ICO’s requests for information.
The GDPR isn’t the only obligation to be aware of
Note that the investigation was instigated by the regulator responsible for medicines and healthcare products, not by the ICO. Personal information doesn’t exist in isolation; indeed, in the United Kingdom, unless one legal obligation expressly excludes the requirements of another, the two must be taken as operating together.
Lessons to be learned
The following should be learned from this:
- Understand where and how the personal information you process is held, and what other obligations apply to the same information
- Assess the risks to all forms of personal information, physical as well as digital
- Understand how you comply with the ICO’s 12 steps guidance
- Document any gaps against the 12 steps guidance and how you plan to address them
- Document how you comply with the NCSC GDPR security outcomes
- Document any gaps against the GDPR security outcomes and how you plan to address them
- Work with the ICO (or indeed any regulator) when they request it
Conclusion
A great deal of work was done within organisations before 25 May 2018, but the recent commentary from some about the lack of fines misses the point, in my humble opinion. GDPR compliance isn’t a single cyber-related activity but a matter of continual information governance: benchmarking against current obligations and planning the improvement activities needed to meet them.
Anyone looking at personal data only through the lens of the GDPR and DPA 2018 is likely to have missed the opportunity to deliver the effective information governance required by the other obligations which likely apply to it.
If fines are all we have to influence governance behaviours, rather than the benefits of effective information governance, then this will be a long decade with little change.