The UK’s data protection regulator, the ICO, has published guidance that data protection law should not stop organisations from adapting to respond to COVID-19. It is calling for a proportionate approach to sharing information and changing working practices during the pandemic.
Data protection officers (‘DPOs’) or, for those organisations not required to appoint a DPO, individuals that lead data protection compliance, have a key role to play in helping organisations to continue to adhere to the requirements of GDPR.
Here are five key actions DPOs can be taking to assist organisations:
1) Be visible
- With the increase in home working and likely changes to working practices it is an important time to communicate with employees to remind them about continuing obligations to comply with GDPR, information security and other data protection laws.
- It is worth checking that any internal and external DPO contact details are still correct, such as telephone numbers on published privacy notices.
- For some organisations it may be useful to appoint a deputy or assistant DPO. This can help with responding to data protection questions or covering any periods of absence.
2) Continue to assess the risks
- As resources may be stretched during this period, it will be especially important to continue to take a risk-based approach. The focus should be on the more risky activities. This is likely to be where special category data is processed or where the potential impact on individuals is greatest.
- If organisations are rapidly deploying new systems and processes to respond to COVID-19, data protection impact assessments (‘DPIAs’) can be useful. While it may not necessarily be appropriate to undertake a full DPIA, the principles of DPIAs can still be applied to highlight where risk mitigations can, and should, be implemented.
3) Help with prevention
- Cyber criminals are looking to take advantage of the pandemic. Phishing and cyber-attacks are exploiting worries about COVID-19. Therefore, it’s helpful to make employees aware of these threats and the importance of keeping personal data safe during the outbreak.
- The ICO’s guidance is that security measures whilst homeworking are expected to be equivalent to those used in 'normal circumstances'. IT and HR departments are likely to be under pressure to facilitate remote working and DPOs have a role to play to help ensure that security of personal data continues to be appropriately considered. For further information, please see our guidance note with practical steps for ensuring data protection compliance and cyber security whilst continuing fulfil obligations to protect the health and safety of employees.
- Where data protection training has previously been provided face-to-face, introducing online modules can be a useful way to maintain awareness of data protection issues.
4) Be ready to respond
- A data incident, such as a cyber-attack or period of system unavailability, may require notification to third-party specialists, advisors or insurers. It is important to have contact information and relevant documents to hand (such as insurance contracts) especially if working remotely.
- Although organisations may already have a data incident response plan in place, it would be worthwhile reviewing this. This is to ensure that it still provides a practical framework for responding to data incidents. Changes may be required, even if only for a temporary period.
5) Keep records
- As organisations make changes to adapt to the challenges that they are facing in the context of COVID-19, it is very important that relevant records are being kept.
- DPOs are well placed to be involved in this documenting process and also remind the wider organisation to maintain records of processing activities, even where this processing or sharing is ad hoc in response to the rapidly changing circumstances.
- Having accurate records of processing will help the organisation to subsequently review and, where necessary, update any measures put in place during this period.
It is understandable that organisations are currently focussed on responding to the operational challenges of the COVID-19 pandemic. Data protection compliance obligations should not necessarily stand in the way of making progress with this. Therefore DPOs, and those involved in data protection compliance more generally, can continue to take steps to help organisations to maintain a proportionate approach to processing personal data.
At Burges Salmon we can assist you with your data protection related queries, including when responding to the unprecedented challenges caused by COVID-19. For more information, please contact our Data Protection team.