GDPR compliance is mandatory regardless of the Coronavirus pandemic and these unprecedented times we find ourselves in.
So the law remains the same, but how will it be enforced?
The Information Commissioner’s Office (ICO) has changed its enforcement strategy in response to the COVID-19 pandemic.
In May this year the ICO drew attention to its new policy document explaining how the regulator’s priorities had shifted in response to COVID-19. Included in this document was an explanation of how the ICO intended to focus its resources when enforcing data protection compliance during the pandemic. On 24 September the ICO updated its regulatory approach document a further time.
The below sections set out the ICO’s guidance at the start of the pandemic and following the most recent policy change on 24 September.
The ICO’s approach on GDPR compliance from 24 September 2020
In its update the ICO repeated its commitment to taking an ‘empathic and pragmatic’ approach to its enforcement activities (summarised below). The exception is organisations which break data protection law in order to take advantage of the pandemic; these will continue to face a ‘strong’ regulatory response from the ICO.
The ICO noted that organisations’ resources were shifting back to dealing with information rights complaints. Organisations with a backlog of complaints must implement a ‘robust’ recovery plan to reduce the backlog within a ‘reasonable timeframe’.
Importantly, the ICO will be recommencing regulatory action in connection with information request backlogs which pre-date the pandemic.
The ICO’s temporary suspension of enforcement action for Freedom of Information Act (FOIA) backlogs has also now ended. The ICO ‘may’ unpause formal monitoring and regulatory action that was taking place before the pandemic.
These changes mark the start of the ICO winding back the leniency given during the height of the pandemic. The ICO is sending a clear message to organisations with backlogs of data protection and other information rights complaints that a robust plan of action is required to clear them.
A hallmark of the ICO’s ‘empathic and pragmatic’ approach has been taking into consideration the economic impact and affordability of fines, meaning the level of fines has reduced overall. This is expected to continue although the ICO may now be quicker to use its other regulatory powers to take action against organisations which don’t comply.
If your data protection and FOIA compliance has taken a back seat during the pandemic then now is the time to try and get back on top of things. Implementing catch-up policies will help demonstrate your organisation’s commitment to becoming fully compliant again. These policies are a necessity if your organisation has a backlog of complaints.
Resources should also be reallocated to dealing with pre-pandemic ICO investigations as these are likely to resume in the near future.
The ICO’s approach on GDPR compliance before 24 September 2020
In May 2020 the ICO announced its intention to focus its resources on areas where it could have the greatest impact to protect the public interest and support economic growth and innovation.
The updated guidance acknowledged the unfortunate reality that:
- organisations were facing staff and operating capacity shortages;
- health, local and central government, charities and law enforcement public authorities were facing severe front-line pressures and were redeploying resources to meet those demands; and
- organisations were facing acute financial pressures impacting their finances and cashflows.
In response, the ICO would be taking an ‘empathic and pragmatic approach’ to responding to complaints which arise out of the above circumstances. In particular:
- The ICO indicated that it may grant organisations more time to respond to its enquiries and to rectify any breaches which result from the current crisis where organisations are recovering their services.
- The ICO reiterated that it would take an ‘appropriately empathic and proportionate approach’ to enforcing the 72-hour maximum deadline for reporting personal data breaches where reporting has been impacted by the pandemic.
- When conducting investigations, the ICO would take into account the particular impacts of the current public health emergency on the organisation. The ICO may allow the organisation longer to respond to enquiries. Additionally, the ICO may use less-formal powers to obtain evidence whilst investigating.
- In deciding whether to take formal regulatory action, including whether to issue fines, the ICO would take into account whether the organisation’s difficulties result from the crisis. If the organisation had plans to rectify its breach at the end of the crisis then that will also be taken into consideration.
- The ICO may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
- The ICO would take into consideration the economic impact and affordability of fines before issuing them. This means the average level of fines was expected to decrease.
- The ICO may not pursue organisations which fail to pay or renew their data protection fee if they can demonstrate that the failure was due to economic reasons linked to the present situation, and provided the organisation agrees a timescale with the ICO for making payment.
- The ICO would recognise an organisation’s reduced resources where the shortage impacts their ability to respond to data subject access requests (DSARs) due to prioritising other matters. The ICO could take this into account when considering whether to impose any formal enforcement action (such as fines).
Significantly, the ICO also announced that all formal regulatory action in connection with outstanding information request backlogs would be suspended. It was assumed that these actions would resume at some point in the future, and this has since been confirmed.
What about Freedom of Information Act and Environmental Information Regulations requests?
The ICO will take a similarly empathic and pragmatic approach to public bodies’ compliance with Freedom of Information Act and Environmental Information Regulations requests. Full details are set out in the policy document.
A clear warning
The guidance is keen to stress that data protection law still applies, however. Data protection law has not been suspended during the crisis. Those intending to flout the rules have been issued a direct warning: the ICO will be taking a ‘strong’ regulatory approach to organisations breaching data protection laws to take advantage of the current crisis.
Data protection may not be at the forefront of your mind at the moment but it remains a crucial compliance issue. If you have any data protection questions then please contact Ryan Mitchell on 02380 482316 or email Ryan.
You may also be interested in reading the ICO’s COVID-19 guidance called ‘Data protection and Coronavirus: what you need to know’.
Our dedicated ‘Coronavirus – Legal advice and guidance’ page contains advice and guidance on many issues affecting businesses, employers, the self-employed and employees. It is continually being refreshed as and when new updates are released by the government and other regulatory bodies. You can sign up to receive email notification as and when this page is updated with new or amended Coronavirus guidance by visiting the page and completing the simple registration form.