Data protection regulation during the pandemic
Oliver Willis, Partner
The information commissioner has published a new document explaining the regulator’s approach during the COVID-19 emergency.
What does the regulator’s guidance tell us?
The document includes some important guidance about how the regulator will use its powers during the pandemic:
- the regulator will focus its efforts on ‘the most serious challenges and greatest threats to the public’;
- the regulator will be flexible in its approach and take into account the potential economic or resource burden that its actions could place on organisations; and
- the regulator will take firm action against those who misuse personal data to try to take advantage of the pandemic.
The regulator’s new approach seems to recognise that during the pandemic some organisations will not be able to dedicate the same resources to data protection that they usually would.
This new guidance expands on the initial statement the regulator put out in March 2020.
What does this mean for data protection compliance?
The regulator's approach will be particularly relevant to organisations handling tasks such as responding to data subject requests and investigating personal data breaches, both of which are often resource-intensive.
The regulator cannot change the legal time limits for doing those things, but organisations are likely to get a more sympathetic response than they usually would if they struggle to meet the deadlines due to the pandemic.
Organisations that are seeking extensions to time limits or in danger of missing deadlines should keep records of the reasons, particularly if they relate to the pandemic. This should help demonstrate to the regulator that the organisation has done the best it can.
You can find the regulator’s new guidance here.