For many organisations adapting to the significant financial and resourcing pressures brought about by the Covid-19 pandemic, data protection may not be top of the agenda. However, the adoption, often at very short notice, of new working practices (including a dramatic rise in home-working) has brought with it the potential for increased cyber and data security risks. This is a subject we looked at in a recent article posted here.
Many businesses are wondering what Covid-19 means for data protection compliance. We have considered recent guidance issued by the UK’s data regulator, the Information Commissioner’s Office (ICO), to answer some common questions.
Like many organisations in the private as well as public sphere, the ICO has been forced to reassess its priorities and resourcing in the light of the current pandemic. It also recognises that organisations are facing staff and operating capacity shortages, as well as acute financial pressures impacting their finances and cash flows. The ICO has underlined its “pragmatic and proportionate” approach as a regulator – what might this mean for its enforcement activities in the coming months?
What are the current requirements for reporting a data breach?
The ICO has made clear that there is to be no amendment to the GDPR requirement to report personal data breaches without undue delay and within 72 hours of the organisation becoming aware of the breach. Any change to the statutory timescale would require a change in law. However, the ICO acknowledges that the current crisis may impact organisations’ ability to comply with this time frame and has said it will take an “appropriately empathetic and proportionate approach”.
When it comes to carrying out investigations into reported breaches, the ICO has said it will take into account the particular impact of the crisis on that organisation. This is likely to result in fewer investigations overall, allowing the regulator to focus on more serious cases, as well as relaxing requirements on submission of evidence and allowing longer periods for organisations to respond to the ICO’s enquiries.
Will my organisation have more time to respond to a subject access request (SAR)?
The GDPR requirement for data controllers to respond to subject access requests by data subjects within one month has proved challenging for many organisations. The increased practical difficulties posed by the reduction in staffing levels and a more disparate workforce, means compliance within the time frame could be harder for some organisations to achieve in the current climate.
Again, there is no formal relaxation of the statutory timescale to respond to a subject access request. But the ICO has advised that it recognises that the current crisis may impact organisations’ response times where they need to prioritise other work. Where that is the case, the ICO says it will take this into account when considering whether to impose any formal enforcement action.
What can we expect from the ICO’s enforcement activities in the current crisis?
The ICO has indicated that it will continue to exercise its important role in dealing with data protection breaches and complaints by the public. Its published guidance warns that it will come down hard on any organisation breaching data protection laws to take advantage of the public health emergency, calling out the making of nuisance calls and the misuse of personal information specifically.
Whilst making clear that, by law, the ICO needs to take into account certain criteria when taking enforcement action, it also highlights the flexibility the legislation allows in the exercise of its regulatory powers.
In practice, this “flexible” approach to regulatory action, including the issuing of fines, means the ICO will take into account whether the organisation’s difficulties arise from the crisis itself and what plans it has to put things right when the situation ends.
Where a breach pre-dates the crisis but remedial work is still in process, the ICO may allow organisations longer than usual to put things right if their ability to do so is impacted by the crisis.
More specifically, the ICO have said they are suspending regulatory action in connection with outstanding information request backlogs.
They have also indicated that they may not take enforcement action against organisations who fail to pay or renew their data protection fee, provided they can show that this is specifically due to economic reasons linked to the current situation, and where the organisation gives adequate assurance as to the timescale within which payment will be made. Most organisations which process personal data are required to pay an annual data protection fee. See here for more information.
When it comes to issuing fines generally, the ICO has advised that it will take into account the economic impact and affordability for the organisation involved. We cannot expect a suspension of fining activities, but the ICO has indicated that the level of fines is likely to be reduced during this period.
In short, whilst the ICO is likely to be understanding towards those whose ability to comply is genuinely hampered by the immediate demands of the current crisis, organisations should not neglect their data protection obligations whilst meeting the immediate demands of the current crisis.
Indeed, new risks and challenges may be presented by different working practices, and organisations should continue to assess the impact of these changes on data protection compliance and do their best to minimise risk. Any organisation seeking to exploit the public health emergency in order to make inappropriate use of personal data is likely to feel the full weight of the ICO’s regulatory powers.