back to article Say GDP-aaaR: UK's Information Commissioner pours £275k fine into London pharmacy's teaspoon

A pharmacy that left around half a million documents, including customers' personal information and medical data, in unlocked storage at the back of its premises, has been fined £275,000 - a financial penalty the ICO has issued under the General Data Protection Regulation. UK data watchdog, the Information Commissioner’s …

  1. Halfmad

    Unknown number of people?

    Nonsense, nobody, ICO included bothered to check.

    Just shows how seriously they take it, if they don't know - they can't inform those involved. That's a failing both by the company and the ICO.

    1. Gordon 10


      Some of the documents – dated between June 2016 to June 2018 – were exposed to the elements and as a result were damaged by rain water, the ICO claimed.

      1. Halfmad

        Re: RTFM

        I did read it - exposed to rain, doesn't mean they aren't readable.

        We've had incidents involving sewage and still managed to get information and contact those who's documents were affected.

        1. phuzz Silver badge

          Re: RTFM

          Your name is wrong.

          You're clearly at least 73% mad.

        2. Pascal Monett Silver badge

          Re: exposed to rain, doesn't mean they aren't readable

          I think that that would depend on how long they've been exposed.

          I'm pretty sure they don't use waterproof ink on those things.

          1. katrinab Silver badge

            Re: exposed to rain, doesn't mean they aren't readable

            These days it is usually laser printer toner, which is pretty waterproof.

            1. Noram

              Re: exposed to rain, doesn't mean they aren't readable

              But is it mold/being nibbled by slugs, rats and insect proof, or even just the water causing pages to stick together.

              I would tend to take "exposed to rain" to include the after effects of the exposure.

              1. Halfmad

                Re: exposed to rain, doesn't mean they aren't readable

                On 100% of the paper?

                It's something the El'Reg readers are totally inconsistent on. They may be experts on database tech, auditing etc but the basics - go right over their heads.

                They didn't even list an estimate for the number of people, that means it was all binned prior to ICO investigation, or the ICO completely failed to push them on it. Either of these is bad for the data subjects.

                I 100% guarantee the average punter off the street would have been able to get some identifiable information from that pile of papers, it's not as if it was submerged in a swirling swimming pool.

                1. FlamingDeath Silver badge

                  Re: exposed to rain, doesn't mean they aren't readable

                  I agree with Halfmad, the ICO are clearly out of their depth and most of what we get from them is window dressing. I doubt the ICO discovered this themselves independently, most likely is a good natured person took some time out of their day and reported it to them.

                  I can only go by what I observe, and all I observe with them is ineptitude and their clueless approach to the problem

        3. Loatesy

          Re: RTFM

          "and as a result were damaged by rain water, the ICO claimed."

          pretty straight-forward to me . . .

    2. TheVogon

      Re: Unknown number of people?

      Going insolvent without paying it like all the rest?

  2. iron Silver badge
    Thumb Down

    > Brexit will trigger... a "UK GDPR"

    Great, more websites refusing to let me view their pages because they can't be bothered to keep up with this law and its easier just to block everyone from UK.

    1. Anonymous Coward
      Anonymous Coward

      I've never understood why companies bothered to do go to the effort of blocking people.

      If you own a company in America, trading in America and somebody happens to visit from the EU and is subject to the GDPR then so what? That's their problem, not yours.

      The GDPR can only be enforced against a foreign company if that company actually has a local subsidiary in the EU. In extremis the EU commission might decide to block payments to a particular US company that was accepting and processing orders from EU customers, but honestly I think they'd struggle to do even that.

      They certainly wouldn't be able to impose fines for noncompliance; foreign courts would (quite rightly) point out that courts don't have jurisdiction out of their territory and refuse to enforce their decisions.

      1. Anonymous Coward
        Anonymous Coward

        Enforcement could be carried out against representatives of the company on a business trip to the EU via seizure of company assets. Likewise any assets that might pass through EU territory.

        1. WolfFan Silver badge

          And if the company in question never sends anyone on business trips to Europe, or doesn’t have any presence in Europe, and ships their assets in ways which do not enter Europe? This attitude is precisely why the place I work has simply geoblocked IPs from the EU. We have told our (very few) customers in the EU goodbye and have stated on our ToS that we do not offer service to the EU. The only data still present on EU residents is in our backups, and as those age out (for tax reasons we must keep some records for seven years) that data will be removed. At least two potential customers have attempted to use VPNs to get past our geoblocking; we terminated the (fraudulent) contracts when we discovered them. We do not want to hold any PI on EU residents. We don’t want your business. Find someone in the EU to do what we do, there must be someone, and if you have a problem, that’s _your_ problem, not ours. We are not in advertising, we don’t give a damn about tracking beyond getting our services to the correct address and we are simply unwilling to comply with any right to be forgotten which might conflict with keeping data for taxes. Once past the IRS’ requirements, that data will be gone, but not one millisecond before. If this upsets someone, how sad, too bad, come over here and do something about it. We have zero assets of any kind in the EU, as of this nonsense we stopped going to conferences and such in the EU, our clients in Africa and the Middle East can be served without anything entering EU territory or airspace.

          I, personally, have not been in the EU since the late 1970s. I no longer have very many close relatives in the EU, and, frankly, have little interest in EU tourism, especially as some bright lad might try to enforce EU bullshit on me personally.

          Let the downvotes begin.

          1. katrinab Silver badge

            The UK requires tax records to be held for 6 years after the tax return deadline, or if you submit the return late, 6 years from when you file it. That means in practice for about 7-8 years from when the transaction took place.

            If you are required to hold records for tax purposes, whether it is HMRC, IRS or anyone else, that's fine. The GDPR doesn't interfere with that. It only gets involved if you start using your tax records for another purpose.

      2. Richard 12 Silver badge

        Or they could just *not collect* any of the data of EU visitors.

        You know, serve adverts that are merely relevant to the content on your specific website instead of trying to "personalize" them and acting like that creepy guy who follows you around all the time taking notes about everywhere you go and everything you say and do.

        Compliance is trivial, all you need to do is grind your marketing department into a red goo every time they suggest tracking people is a good idea.

        1. WolfFan Silver badge

          It’s not the tracking which concerns some of us, it’s the “you gotta delete”. Which may well make tax compliance difficult. We don’t track, we don’t spam, we simply don’t bloody care. We do care about the IRS. So we no longer do business with EU residents.

          1. Mephistro

            "...Which may well make tax compliance difficult."

            There is an explicit exemption in GDPR for data needed to fulfil legal obligations, e.g. taxes and such.

            1. Claptrap314 Silver badge

              So the cost of proving you need the data--who pays for that? GDPR a tax for doing business in the EU. Not every business is going to be happy to pay that.

              Sheesh, people. I get dumped on all the time when I say that if you do business in the US, you must comply with our laws. You folks are demanding that people do business in the EU!

              If you do business in jurisdiction X, follow the laws in X. If you don't like the laws in X, don't do business there.

              What is hard about this?

              1. Mephistro

                "So the cost of proving you need the data--who pays for that?"

                Most of said cost is very small, i.e. several simple forms (including links to the particular laws that define what data must be kept) and little to no human supervision. If the American (or Whereverian :^) company only keeps the data they need to comply with their legal obligations and only for the mandatory period, everything can be automated in a few hours, and it's a one time charge (unless the laws change).

                Things get complicated, though, if they try to keep any other kind of data, or if they expect to sell space in their webpages to the usual suspects (G, FB, etc.)

                To make my point clear: I understand that for pop & mom shops with minuscule online sales to the EU, the most cost effective solution could be geoblocking, but for anything above that (i.e. most companies that sell online to the rest of the world) the cost should be peanuts.

                1. WolfFan Silver badge

                  1 according to our legal and accounting people, the cost would not be peanuts, and it would be on-going, as it would apply _every time we added a new EU-based client. It would be additional expenses. We could just pass the cost to the customers by raising prices. We see no reason to have a two tier pricing system, one price for the EU and one price for everyone else. And I believe the raising prices to cover GDPR is a no-no anyway.

                  2 the definition of ‘other kind of data’ is critical. If, in our opinion, we need certain data, but in the EU’s opinion we don’t, there will be an expensive problem.

                  3 we really don’t care for that 4% of the gross penalty.

                  4 you have to delete data on demand, even if the reason is stupid or there is no reason. We have data for a reason and no, we are not leaving holes in our databases because some idiot has a hissy fit.

                  Simple solution: do no business in the EU.

                  1. Mephistro

                    "If, in our opinion, we need certain data, but in the EU’s opinion we don’t..."

                    Quoting the relevant USA laws regarding mandatory data retention in the terms and conditions and the forms would get rid of the issue.

                    "the cost would not be peanuts, and it would be on-going, as it would apply _every time we added a new EU-based client."

                    That's what this newfangled things, automation and IT, are for. In this context, very easy stuff unless you or your "partners" are intent on selling clients data to "third parties". If this is the case, things get exponentially more difficult, which is, IMHO one of the main points of GDPR.

                    "you have to delete data on demand..."

                    This can be done through an user facing form and some simple database code, unless -again- the company involved is trying to slurp as much data from customers as they can.

                    "we are not leaving holes in our databases..."

                    Why? Do you intend to keep customers data forever? For what reason?

                    It might well be the case that it makes sense for your business to geoblock the EU and if this the case, please geoblock at your leisure, but I get the impression that many American companies doing this could have been misled in regard to the GDPR and its application.

                    1. WolfFan Silver badge

                      The data gets removed when it ages out... and not one millisecond before. As I stated earlier. No, we don’t keep it forever. Yes, we do keep it until we no longer need it... and _we_ decide when that is. No, we will not be paying extra just to satisfy the EU. It’s much simpler to just not do any business with EU residents. Problem done.

                    2. whitepines

                      Why is automation even coming into the picture here? My understanding of the GDPR is that you create some company wide documents (privacy policy, data retention policy, etc.) and check them once to make sure they're in compliance. Then they just sit there, being used to guide designs of any kind of system or process that handles user data.

                      As far as holes in any database, aren't the two main areas where that would even be any kind of problem invoicing (ERP) and corporate Email? Where a US company could simply say "our retention policy is permanent retention for taxation and legal defense purposes", especially considering the only PII in play would be address, phone, and Email? If those are in a dedicated, segregated, secured system (definitely ERP should be already for business reasons), and marketing has zero access, then it should be considered reasonable retention?

                  2. Mike 137 Silver badge

                    Not quite...

                    1. National legislations in several jurisdictions are beginning to align their data protection legislation with the GDPR anyway (some are even more demanding), and this is not a new problem anyway. A decade ago I had to review worldwide data protection legislation for a multinational, and we found there were around 30 different national requirements to fulfil. The idea that the GDPR is the first time you needed to take foreign data protection law seriously is a dangerous myth.

                    2. The GDPR doesn't define any data as "critical". It defines certain categories as sensitive, but these are essentially the same categories as were defined as sensitive under the EU Directive and thus under our UK DPA 1998. So no change there.

                    3. In which case you'll probably be awarded it. The maximum penalties are assigned where wilful negligence or intent to act unlawfully are in evidence.

                    4. The GDPR right of erasure is qualified by the data in question no longer being required for legitimate declared business purposes, so this is also a non-problem.

                    The best solution would be to take advice from people who actually know what they're talking about. Every Tom Dick and Harry has suddenly become an "expert" on the GDPR, and almost all of them are talking tosh, probably due to the five-day-and-pub-quiz Data Protection Officer crash courses. Would you employ a CFO who'd only taken a one week course in accounting?

              2. Doctor Syntax Silver badge

                "What is hard about this?"

                Nothing, apart from the fact it isn't a tax, it's just that whatever you need to do to comply with the law wherever you trade is a standard cost of doing business..

                So why do US businesses come here winging about having to obey the laws of the countries they want to do business in? Is it just the general view that US law should apply everywhere?

            2. Mike 137 Silver badge

              "There is an explicit exemption in GDPR for data needed to fulfil legal obligations"

              There isn't an "exemption" (explicit or otherwise) as it's not needed anyway. Retention can be on any basis you choose provided you justify, document and adhere to that basis. You're even allowed to describe the basis on which you decide retention periods rather than specifying a finite duration (e.g. "until no longer required for taxation claims").

              In event of challenge, the supervisory authority should however be likely to agree that your retention criteria are reasonable, so you do have to be specific whichever of the two approaches to defining and documenting it you choose to adopt.

      3. Mike 137 Silver badge

        "if that company actually has a local subsidiary in the EU"

        Actually it can be enforced if a business in a third country markets or delivers its services in the EU. If that is the case, the business must appoint a representative in the EU to which data subjects can apply to exercise their rights. The marketing has to be envisaged, so a chance enquiry or purchase by a data subject in the EU does not automatically qualify, but if for example the business web site supports EU languages or currencies it will.

    2. Doctor Syntax Silver badge

      It's nice of such sites to warn us that they can't be trusted.

  3. HarryCoh

    If the company is this Doorstep Dispensaree Limited, then I suspect the ICO can go whistle for their fine.

    A one man company with negative assets of £559k!

    1. Jan 0 Silver badge

      If you were taking care of people, would you do business with a company with such a childish name?

  4. Old Tom

    No, 'No Deal' plans will not apply if we leave as planned

    "Come Jan 31, if the UK leaves the EU as planned, Brexit will trigger a statutory instrument that changes some text to create a "UK GDPR". The little kingdom's Data Protection Act 2018 will also get tweaked. You can see the expected changes here. ®"

    No, your link is to changes planned for "the event the UK leaves the EU without a deal". Come Jan 31, if the UK leaves the EU as planned, 'no deal' plans will not come into effect. Please keep up.

    (Unless, of course you're talking about Ben and Holly when you mention a 'little kingdom'.)

    1. Anonymous Coward
      Anonymous Coward

      Re: No, 'No Deal' plans will not apply if we leave as planned

      The "No Deal' exit is still on the table for 31st Dec 2020 if there is no Trade Deal with the EU by the end of June. Given that El Supremo Bojo has removed certain EU workers rights from the withdrawal agreement then as he has IMHO clearly wanted since the day he came out on the side of EXIT in 2016, we will exit with 'No Deal'. Then we'll see the fun really start.

      Bail outs from the IMF (As happened in the late 1970's) perhaps?

      Just my useless 2p worth of thoughts.

    2. Dan 55 Silver badge

      Re: No, 'No Deal' plans will not apply if we leave as planned

      The article is right, look at the document called Keeling Schedule for GDPR for what happens in the event of a deal.

      1. Mephistro

        Re: No, 'No Deal' plans will not apply if we leave as planned

        I think there's a typo in your comment. Knowing BoJo, it should be "Killing Schedule for GDPR".


    3. Doctor Syntax Silver badge

      Re: No, 'No Deal' plans will not apply if we leave as planned

      The URL suggests that that's the site to deal with DP implications of leaving the EU so it's scarcely el Reg's fault if that's the best HMG can do. However you need to remember that the end of January just decants us into a transition period during which a deal is to be negotiated. As yet that deal doesn't exist and until it does No Deal is the actual situation beyond the end of next year. So as far as I can make out the site is telling it like it is.

      1. John Brown (no body) Silver badge

        Re: No, 'No Deal' plans will not apply if we leave as planned

        I think people are getting confused about "deal" and "no deal" and what it/they refer to. The "deal" is the one between the UK and EU on beginning the process of leaving the EU and the transition period. That's what the recent vote was about. We "leave" the EU on Jan 31st but pretty much everything stays just as it is now until Dec 2020, the end of the transition period. At that point, we need another deal in place, eg a trade deal to define our future relationship with the EU post-transition period.

  5. macjules

    I wish it could be Christmas every day

    Bet that's what the ICO are singing at the moment. GDPR is almost a license for them to print money.

    1. Richard 12 Silver badge

      Re: I wish it could be Christmas every day

      They seem remarkably unwilling to open that piggy bank for some reason.

    2. katrinab Silver badge

      Re: I wish it could be Christmas every day

      A licence to print IOUs drawn on bankrupt companies.

    3. Fruit and Nutcase Silver badge

      Re: I wish it could be Christmas every day

      Let's see some big scalps.

  6. Dan 55 Silver badge

    Does it really matter any more?

    You can hand over patient data on silver plate to Google and Amazon and it's all deemed above board. Seems to me if there was one thing GDPR was designed to stop it's shenanigans like that.

  7. Doctor Syntax Silver badge

    Maybe they thought that just because it isn't on a computer it's not data.

    1. Alan Brown Silver badge

      "Maybe they thought that just because it isn't on a computer it's not data"

      Lots do. I've even had councils make that claim.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like