ICO adapts its approach in light of COVID-19

The new guidance demonstrates that the ICO intends to exercise the flexibility afforded to it by the law, by adopting a pragmatic and empathetic approach to its regulatory role.

The UK regulator has acknowledged that the ongoing public health emergency has meant that many organisations are facing staff and resource shortages, alongside financial pressures. Public and health authorities have also had to reallocate resources in response to growing pressure from the frontlines.

In response, the ICO’s approach to regulatory action will follow the theme of reasonableness, empathy, and pragmatism; the ICO will act proportionately, balancing the benefit to the public of regulatory action, against the potential detrimental effect of doing so, whilst always having an eye to the challenges faced by many organisations at this time.

Key examples of the ICO’s adapted approach include the following:

• Data Breach Notifications - Although organisations should continue to report personal data breaches within 72 hours of becoming aware, the ICO will take into account that the crisis may impact an organisation’s ability to respond.

• Fewer Fines - In deciding whether to take formal regulatory action, such as issuing fines, the ICO will consider whether the organisation’s difficulties stem from the COVID-19 crisis, and may give organisations longer than usual to rectify any breaches which predate the crisis.

• Reduced fines - We may see reduced levels of fines, as the ICO will consider the economic impact of the ongoing crisis on organisations.

• Formal investigations - Although it will still conduct investigations into serious non-compliance, the ICO may be less stringent in requiring evidence, and may give organisations more time to respond.

• Subject Access Requests - The ICO cannot extend statutory deadlines, but it recognises that many organisations will be operating with reduced staff and resources, which may impact their ability to respond to Subject Access Requests. To account for this, the ICO will bear it in mind when considering enforcement actions, and won’t penalise organisations who have had to reprioritise as a result of the crisis.

Whilst acknowledging the continued important role of people’s information rights, the ICO has said that it is keen to ensure that the legislation it oversees and enforces does not prevent organisations from taking steps which are necessary to keep the public safe and supported.

However, this is no excuse for organisations to put data protection compliance on the back burner - the ICO has made clear that it will take firm action against any organisation seeking to exploit the current situation by breaching data protection laws.

To read more about the ICO’s response to the COVID-19 global pandemic, see our previous article here.