Special thanks to Vincent Tennant for his contributions to this post.
The Information Commissioner's Office (ICO), the U.K.'s data regulator, recently announced its first enforcement notice under the GDPR, in the form of a £275,000 fine ($359,071 at time of writing). The fine is against Doorstep Dispensaree Ltd, a pharmaceutical supplier based in London, for failure to secure medical data.
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and immediately spawned litigation throughout the European Union. This is, however, the first fine levied by the U.K. data regulator.
The GDPR is enforced by each member state through a national Data Protection Authority (DPA). Since the GDPR has taken effect, there has been significant uncertainty about how each DPA would choose to enforce the regulation.
What makes this action interesting is that it did not come in the wake of a major incident such as a hack, accidental disclosure, or other major event. Doorstep Dispensaree was reported to the ICO by another regulator, which saw confidential documents left unguarded and unmarked in boxes in the company's courtyard, an area accessible to other tenants of the building.
The ICO previously announced notices of its intention to fine Marriott International and British Airways, both involving a major security breach and fines in the low nine figures. Final decisions have yet to be made in either case by the ICO.
We will continue to watch GDPR enforcement as each DPA crafts its own enforcement priorities.