Closing the door on the third appeal against the ICO’s first UK GDPR fine
Amarveer Randhawa and Katie Hewson of Stephenson Harwood LLP analyse the failed appeal case of Doorstep Dispensaree, and lessons learned.
On 17 December 2019, Doorstep Dispensaree Ltd (DDL), a company that operated several pharmacies, was issued with the first GDPR monetary penalty notice (MPN) from the Information Commissioner’s Office, primarily for inappropriately storing special category data. DDL contested the fine and managed to reduce it to £92,000. However, it failed on its third attempt to convince the Upper Tier Tribunal (Tribunal) to overturn the fine completely. In particular, DDL was unsuccessful in proving that a criminal standard of proof (as opposed to a civil standard) was applicable.
Aside from establishing the applicable standard of proof, the appeal raised six other key issues. This article will explore the seven arguments raised in the appeal and discuss the broader lessons for organisations to consider when handling personal data.