GDPR compliance is mandatory regardless of the Coronavirus pandemic and these unprecedented times we find ourselves in.
The Information Commissioner’s Office (ICO) has changed its enforcement strategy in response to the COVID-19 pandemic.
In May this year the ICO drew attention to its new policy document explaining how the regulator’s priorities had shifted in response to COVID-19. Included in these documents was an explanation of how the ICO intended to focus its resources when enforcing data protection compliance during the pandemic. On 24 September the ICO updated its regulatory approach document again.
The below sections set out the ICO’s guidance at the start of the pandemic and following the most recent policy change on 24 September.
In its update the ICO repeated its commitment to taking an ‘empathic and pragmatic’ approach to its enforcement activities (summarised below). The exception is organisations which break data protection law in order to take advantage of the pandemic; these will continue to face a ‘strong’ regulatory response from the ICO.
The ICO noted that organisations’ resources were shifting back to dealing with information rights complaints. Organisations with a backlog of complaints must implement a ‘robust’ recovery plan to reduce the backlog within a ‘reasonable timeframe’.
Importantly, the ICO will be recommencing regulatory action in connection with information request backlogs which pre-date the pandemic.
The ICO’s temporary suspension of enforcement action for Freedom of Information Act (FOIA) backlogs has also now ended. The ICO ‘may’ unpause formal monitoring and regulatory action that was taking place before the pandemic.
These changes mark the start of the ICO winding back the leniency given during the height of the pandemic. The ICO is sending a clear message to organisations with backlogs of data protection and other information rights complaints that a robust plan of action is required to clear them.
A hallmark of the ICO’s ‘empathic and pragmatic’ approach has been taking into consideration the economic impact and affordability of fines, meaning the level of fines has reduced overall. This is expected to continue although the ICO may now be quicker to use its other regulatory powers to take action against organisations which don’t comply.
If your data protection and FOIA compliance has taken a back seat during the pandemic, then now is the time to get back on top of things. Implementing catch-up policies will help demonstrate your organisation’s commitment to becoming fully compliant again. These policies are a necessity if your organisation has a backlog of complaints.
Resources should also be reallocated to dealing with pre-pandemic ICO investigations as these are likely to resume in the near future.
In May 2020 the ICO announced its intention to focus its resources on areas where it could have the greatest impact to protect the public interest and support economic growth and innovation.
The updated guidance acknowledged the unfortunate reality that:
In response, the ICO would be taking an ‘empathic and pragmatic approach’ to responding to complaints which arise out of the above circumstances. In particular:
The ICO could take this into account when considering whether to impose any formal enforcement action (such as fines).
Significantly, the ICO also announced that all formal regulatory action in connection with outstanding information request backlogs would be suspended. It was assumed that these actions would resume at some point in the future, and this has since been confirmed.
The ICO will take a similarly empathic and pragmatic approach to public bodies’ compliance with Freedom of Information Act and Environmental Information Regulations requests. Full details are set out in the policy document.
The guidance is keen to stress that data protection law still applies, however. Data protection law has not been suspended during the crisis. Those intending to flout the rules have been issued a direct warning: the ICO will be taking a ‘strong’ regulatory approach to organisations breaching data protection laws to take advantage of the current crisis.
Data protection may not be at the forefront of your mind at the moment but it remains a crucial compliance issue. If you have any data protection questions then please contact Ryan Mitchell on 02380 482316 or email Ryan.
You may also be interested in reading the ICO’s COVID-19 guidance called ‘Data protection and Coronavirus: what you need to know’.
Our dedicated ‘Coronavirus – Legal advice and guidance’ page contains advice and guidance on many issues affecting businesses, employers, the self-employed and employees. It is continually being refreshed as and when new updates are released by the government and other regulatory bodies. You can sign up to receive email notification as and when this page is updated with new/amended Coronavirus guidance by visiting the page and completing the simple registration form.