The ICO has issued a £25,000 fine under the UK GDPR to the transgender charity Mermaids after it failed to keep the personal data of its users secure on an internal email group. The ICO investigation found that 780 pages of confidential emails relating to 550 people were viewable online for almost three years. For 24 of those people the exposed personal data was sensitive, and for a further 15 it was classified as special category data, as details of mental and physical health and sexual orientation were exposed. The ICO concluded that Mermaids should have restricted access to the email group, and that pseudonymisation or encryption could have been applied to the data for extra protection.
Read the penalty notice.