GDPR compliance is mandatory regardless of the Coronavirus pandemic and these unprecedented times we find ourselves in. Since I wrote this blog back in March when the Coronavirus lockdown began, the ICO released an update on 7 May explaining the Regulator’s new priorities for UK data protection during COVID-19 and beyond. My guidance below reflects this new update.
Do I still need to comply with GDPR during the Coronavirus pandemic?
Yes! Data protection law hasn’t changed as a result of COVID-19. Organisations still have the same legal duties to comply with the GDPR and Data Protection Act.
The ICO’s intention is to focus its resources on areas where it can have the greatest impact to protect the public interest and support economic growth and innovation. The latest guidance acknowledges the unfortunate reality that:
- organisations are facing staff and operating capacity shortages;
- health, local and central government, charities and law enforcement public authorities are facing severe front-line pressures and are redeploying resources to meet those demands; and
- organisations are facing acute financial pressures impacting their finances and cashflows.
The ICO’s approach
In response, the ICO will be taking an ‘empathic and pragmatic approach’ to responding to complaints which arise out of the above circumstances. In particular:
- The ICO has indicated that it may grant organisations more time to respond to its enquiries and to rectify any breaches which result from the current crisis where organisations are recovering their services.
- The ICO reiterated that it will take an ‘appropriately empathic and proportionate approach’ to enforcing the 72-hour maximum deadline for reporting data breaches where reporting has been impacted by the pandemic.
- When conducting investigations, the ICO will take into account the particular impacts of the current public health emergency on the organisation. The ICO may allow the organisation longer to respond to enquiries. Additionally, the ICO may use less formal powers to obtain evidence whilst investigating.
- In deciding whether to take formal regulatory action, including whether to issue fines, the ICO will take into account whether the organisation’s difficulties result from the crisis. If the organisation has plans to rectify its breach at the end of the crisis then that will also be taken into consideration.
- The ICO may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
- The ICO will take into consideration the economic impact and affordability of fines before issuing them. As a result of the current crisis this means the average level of fines is expected to decrease.
- The ICO may not come after organisations who fail to pay or renew their data protection fee if they can demonstrate that the failure was due to economic reasons linked to the present situation, and provided the organisation agrees a timescale with the ICO for making payment.
- The ICO will recognise an organisation’s reduced resources where the shortage impacts its ability to respond to data subject access requests (DSARs) due to prioritising other matters. The ICO can take this into account when considering whether to impose any formal enforcement action (such as fines).
Significantly, the ICO has also announced that all formal regulatory action in connection with outstanding information request backlogs will be suspended. Presumably these actions will resume at some point in the future.
What about Freedom of Information Act and Environmental Information Regulations requests?
The ICO will take a similarly empathic and pragmatic approach to public bodies’ compliance with Freedom of Information Act and Environmental Information Regulations requests. Full details are set out in the policy document.
A clear warning
The guidance is keen to stress that data protection law still applies, however. Data protection law has not been suspended during the crisis. Those intending to flout the rules have been issued a direct warning: the ICO will be taking a ‘strong’ regulatory approach to organisations breaching data protection laws to take advantage of the current crisis.
Data protection may not be at the forefront of your mind at the moment but it remains a crucial compliance issue. If you have any data protection questions then please contact Ryan Mitchell on 02380 482316 or email Ryan.
You may also be interested in reading the ICO’s COVID-19 guidance called ‘Data protection and Coronavirus: what you need to know’.
Our dedicated ‘Coronavirus – Legal advice and guidance’ page contains advice and guidance on many issues affecting businesses, employers, the self-employed and employees. It is continually being refreshed as and when new updates are released by the government and other regulatory bodies. You can sign up to receive email notification as and when this page is updated with new or amended Coronavirus guidance by visiting the page and completing the simple registration form.