This article was written by Ian Bond.
The ICO previously emphasised that data protection legislation should not prevent organisations from responding appropriately to the COVID-19 public health emergency. This recent guidance provides more detail on what this means from a regulatory perspective.
Highlights from the document include:
- The regulator has signalled that it will take into account the economic and resource impacts of COVID-19 on organisations in its regulatory approach. This could impact (i) the time given to organisations to rectify breaches predating the crisis, (ii) ICO decisions whether to take formal regulatory action and issue fines and (iii) the regulator’s response to complaints against organisations by the public, where the ICO is of the view that the issues or their resolution are affected by the pandemic.
- Reportable personal data breaches should still be notified to the ICO without undue delay and within 72 hours of the organisation becoming aware of them. The ICO is to take an appropriate 'empathetic and proportionate' approach to assessing reported incidents.
- The regulator expects to reduce its exercise of formal investigative powers and requests for information; the ICO’s attention will be focussed on activities that suggest serious non-compliance with data protection laws.
- All formal regulatory action in connection with outstanding information requests will be suspended, and the ICO will, wherever possible, delay issuing regulatory guidance that could impose a regulatory burden diverting staff from frontline duties.
- The ICO anticipates that the level of enforcement fines will reduce in current circumstances. However, a strong regulatory approach will be taken against organisations contravening data protection laws to exploit the current public health emergency.
The regulator’s paper concludes that it expects to have to demonstrate continued flexibility in some areas for many months to come due to the significant effects of the crisis; unfortunately this is a message that is likely to be a theme across a regulatory landscape that extends far beyond the remit of the ICO.