UK Data Regulator Issues Update on Approach to Enforcing GDPR during COVID-19

The UK Information Commissioner's Office (ICO) recently issued guidance setting out how it intends to approach the enforcement of data protection legislation during the novel coronavirus pandemic. While it confirms what had been widely anticipated, it provides useful assurance to organisations, including those in financial services, seeking to maintain data protection compliance, including the EU General Data Protection Regulation (GDPR), as implemented in UK law.

The pandemic is bringing unprecedented challenges to governments, businesses and wider society. During this time, with most of the global population in some form of lockdown and with employees and businesses navigating remote working and changes to business operations, data privacy and security concerns are greater than they have been even in recent years. For those in the financial services sector, the risk is particularly acute, not least given additional regulatory requirements for this industry.

Below are the key points to note from this guidance and highlight the measures of particular relevance for the financial services sector.

This is not the time for data protection compliance to take a back seat

The first point to emphasise is that, while the ICO has indicated that it will do its best to be forgiving in these times, the law remains in place and all data controllers and processors are still required to ensure compliance or risk punitive action taken against them. Financial services firms have access to a significant amount of personal data, including data that is highly sensitive, and so the high standards set by industry leaders will be expected to be maintained.

Report, report, report

The ICO has reiterated that organisations must continue to report all data breaches to the ICO as soon as possible and in any event within 72 hours of becoming aware of the breach. Financial services firms will be expected to manage this effectively and have contingency plans in place which work well, even with staff working remotely and/or reduced staff numbers if some have had to be furloughed.

Organisations should review and update their incident response plans to ensure that they can be implemented quickly by physically dispersed teams. The increased number of incidents, including phishing attacks are stretching internal and external resources and presenting new challenges. For example, simply recovering a compromised laptop from a home worker to perform forensic analysis will be a longer process. Similarly, liaison with external forensic teams (which are seeing a spike in demand) may take longer.

Scammers will be prosecuted

The ICO has also issued a warning that it will take firm action against anyone looking to "exploit" this crisis through misuse of personal information or nuisance calls to the public. This is something that will be in some respects welcomed by those in financial services, given the rise in scams and frauds being perpetuated against members of the public, often at cost to the finances and/or reputation of financial institutions.

Information campaigns are of vital importance at this time to ensure that the general public are aware of the risks and can protect their own finances, and to shore up the reputation of financial service institutions. These must however be disseminated in a way that is consistent with customers' communications and marketing preferences.

Expect "relaxation" in the ICO's approach to regulatory action

The ICO has indicated a number of ways in which it will relax the approach to enforcement taking into account the unprecedented situation. The approach will continue to be pragmatic and will allow for the additional pressures at this time. For example, with businesses across the economy heavily reliant on government loan schemes administered through financial services institutions, there is likely an awareness that maintaining cashflow and reducing burdens to allow efficient service to keep the economy moving is paramount and the ICO will be keen not to take action that would seek to threaten this delicate balance.

Fewer, more focused investigations

Firstly, the ICO has announced that there will be fewer investigations, given the strain on resources, and a focus on the most serious breaches. For financial services institutions, this will likely have minimal impact because of the higher risks associated with a data breach in this sector and the plethora of requirements from other regulators that must in any event be met. As mentioned above, it is also made clear that this flexibility is by no means an excuse to take a relaxed approach to compliance.

Financial penalties and regulatory action

The ICO has indicated there will likely be lower financial penalties because it will take the specific financial situation of any infringing organisations into consideration. It has also stated that any formal regulatory action relating to outstanding information request backlogs will be suspended during this time. This will be welcome news for any institutions currently dedicating resources to responding to such actions in that these can now be better directed at this time of particular strain.

Allowances for reduced capacity

There is a recognition that many organisations have significantly reduced operational resources, as they prioritise work in other areas, potentially slowing their responses to data subject access requests. This will be considered by the ICO when deciding whether enforcement action is appropriate. However, this will largely be at the ICO's discretion, and should not be assumed. If reporting or responding in a full and timely manner is achievable, this should still be the target.

Public interest remains a primary focus

With many businesses operating online for the first time, including setting up online payments, and others expanding their working from home practices, there are plenty of new challenges for ensuring compliance with data protection legislation. While clear that it will not turn a blind eye to breaches, the ICO has confirmed that it will continue to adapt its approach as necessary to ensure it remains committed to serving the public interest at a time when businesses are challenged in ways that are unprecedented.

Key takeaways for financial services organisations

Financial services organisations must ensure that they maintain a high level of compliance with data protection legislation, including the GDPR, even with the allowances made by the ICO. Internal policies and protocols should be updated to account for changes to working practices and personnel that might have an impact on the ability of organisations to meet GDPR compliance and reporting requirements during this time.

Employees should be educated of the increased risks, particularly relating to phishing scams requesting personal data and seeking to misdirect payments. With more limited face-to-face interaction, employees working from home in isolation are far more likely to fall victims to such attacks, which are increasing in sophistication and intensity. Internal reporting procedures should be reviewed, and appropriate resources should be allocated to data security and IT teams for concerns to be reported and investigated internally.

Additional risks associated specifically with remote working should be taken into account, including technical risks resulting from VPNs struggling with a spike in remote workers, and human risks from workers not being monitored in a controlled environment as they would be in an office and so succumbing to human nature and being tempted to take short-cuts relating to security simply to get their job done.

Organisations should also continue to closely monitor third party suppliers of any functions that have been outsourced, in particular, reviewing and enforcing audit provisions in data processing agreements – however challenging this may be at the present time.

The ICO will continue to approach enforcement in a pragmatic way but has promised to come down hard on any flagrant abuse, which suggests a cautious approach, as ever, is sensible.

Originally published by ThomsonReuters © ThomsonReuters.