The Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, has recently issued guidance outlining its approach to the enforcement of data protection obligations during the COVID-19 pandemic.
The COVID-19 pandemic presents unprecedented challenges for organisations across the whole range of their activities. In the context of data protection, in March 2020 the ICO issued specific guidance “Data Protection and Coronavirus: what you need to know” on the data protection issues arising in the context of the pandemic and on which we reported previously. The ICO has now confirmed specifically the approach it will take to the enforcement of data protection obligations in light of its role as an independent regulator acting in the public interest and its approach of being a pragmatic and proportionate regulator.
The ICO’s Approach
In its guidance the ICO has confirmed that it will:
- Adopt an “empathetic and pragmatic approach,” acknowledging that during the COVID-19 pandemic organisations will face staff and operating capacity shortages as well as acute pressures impacting their finances and cashflow.
- Be flexible in its approach, taking into account the impact of the potential economic or resource burden that its actions could place on organisations.
- Act proportionately, balancing the benefit to the public of regulatory action against the potential detrimental effect of doing so, whilst always having an eye to the challenges faced by many organisations in the current situation.
- Apply its flexible and pragmatic approach during the crisis and potentially for the months to come due to its ongoing impact.
- Keep its guidance under review and may issue further updates.
Notification of Data Breaches
Whilst the obligation to notify the ICO of data breaches within 72 hours remains in place, the ICO acknowledges the potential impact of the current situation and will take “an appropriately empathetic and proportionate approach.”
Subject Access Requests
The applicable statutory deadlines remain in place and have not been varied. The ICO recognises that pressures on resources could impact the ability of organisations to respond to subject access requests in the required time frame where they need to prioritise other work due to the current crisis. The ICO has therefore confirmed that it will take the impact of the COVID-19 pandemic into account when considering whether to impose any formal enforcement action.
In deciding whether to take formal regulatory action, including issuing fines, the ICO will take into account whether the organisation’s difficulties result from the COVID-19 crisis and if it has plans to put things right at the end of the crisis. Organisations may be given longer than usual to rectify any breaches prior to the COVID-19 pandemic in circumstances where it impacts the organisation’s ability to take steps “to put things right.”
The ICO has indicated that it takes into account the economic impact and affordability of fines it imposes and that the level of fines is likely to reduce in the current situation.
The ICO expects there to be fewer investigations on the basis that it will focus on cases indicating serious non-compliance. Nonetheless it will take a “strong regulatory approach” in relation to any organisation “taking advantage” of the current situation.
In relation to the conduct of investigations, the ICO will take into account the particular impact of the pandemic on organisations and this may lead to reduced use of its formal powers to require the production of evidence and longer periods for organisations to respond.
The ICO’s guidance provides comfort to organisations that it will take a pragmatic view of its enforcement obligations taking into account the impact of the COVID-19 pandemic. However, this is inevitably a context-specific approach and does not provide organisations with an excuse not to do all they can to ensure compliance with their data protection obligations. If difficulties arise in compliance, organisations will need to be able to justify their approach.