The U.K.’s data protection regulator, the Information Commissioner’s Office (ICO), has today issued guidance setting out how it intends to approach the enforcement of the General Data Protection Regulation (GDPR) during the ongoing Coronavirus pandemic. Although the U.K. left the European Union on 31 January 2020, the GDPR continues to apply as an EU Regulation during the transition period (which runs until 31 December 2020) and under U.K. domestic law.
Below we set out the key points to note from this guidance. For further information, please read our earlier update on GDPR and COVID-19.
This is not the time for GDPR compliance to take a back seat.
A key point to emphasise is that, whilst the ICO has indicated that it will do its best to be forgiving in these times, the law remains in place and all data controllers and processors are still required to work to ensure compliance — or risk having enforcement action taken against them.
Notably, the ICO has reiterated that organisations must continue to report all data breaches to the ICO as soon as possible and, in any event, within 72 hours of becoming aware of the breach. The ICO does, however, acknowledge that the current crisis may impact the ability of organisations to do so and will take an appropriately empathetic and proportionate approach.
The ICO has also issued a warning that it will take firm action against anyone looking to “exploit” this crisis through misuse of personal information or nuisance calls to the public, clearly with a view to taking a tough line on COVID-19-related internet scams and other misuses of personal data.
Expect a pragmatic approach to the ICO’s regulatory action.
Key points which the ICO has indicated include that:
- There will be fewer investigations at this time, with a focus on the most serious breaches.
- There will also likely be lower financial penalties, with the ICO taking the specific situation of each organisation into consideration.
- There may be some allowance for delays when it comes to reporting breaches and providing requested evidence to the ICO.
- Any formal regulatory action relating to outstanding information request backlogs will be suspended.
- Any organisations struggling financially where this is specifically linked to COVID-19 may be able to delay payment of their data protection fee, provided they give adequate assurance to the ICO of a plan for future payment.
- There is a recognition that many organisations have a vastly reduced resource capacity, meaning they will be impaired in responding to Subject Access Requests. The ICO will take this into account when deciding whether enforcement action is appropriate.
With many businesses operating online for the first time and others expanding their working from home practices, there are plenty of new challenges for ensuring compliance with GDPR. Whilst clear that it will not turn a blind eye to breaches, the ICO has confirmed that it will continue to adapt its approach as necessary to ensure it remains committed to serving the public interest at a time when businesses are facing unprecedented challenges. This is a welcome dose of pragmatism for many U.S. businesses operating in the U.K., although businesses operating throughout the EU will need to assess guidance from national regulators in the countries in which they operate. While the GDPR aims to achieve consistency and cooperation between regulators, there continue to be significant divergences which will need to be taken into account, despite the general public health, commercial and financial challenges.
For further information, please refer to the ICO’s published approach here.
Faegre Drinker Associate Charlotte Perowne co-authored this alert.
As the number of cases around the world grows, Faegre Drinker’s Coronavirus Resource Center is available to help you understand and assess the legal, regulatory and commercial implications of COVID-19.