Steve Eckersley, ICO director of investigations, said: 'The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.’
The administrative fine was imposed under S.155 of the Data Protection Act 2018, which implements the GDPR. In setting the fine, the ICO considered the contravention only from 25 May 2018, when the GDPR came into effect.
Commenting on the penalty, Jon Baines, data protection specialist at London firm Mishcon de Reya, said: 'All organisations should read the penalty notice carefully – it will contain much to guide them on what bad practice looks like, and how it might result in a hefty fine.'
