The stresses and strains placed on organisations during the coronavirus outbreak have been unprecedented. The Information Commissioner’s Office (“ICO”) is aware of this and has produced guidance to help businesses comply with their data protection obligations under GDPR at a time when staffing levels may be reduced and organisations have new, urgent priorities to contend with.

Advice from the ICO can be found on its website – the following is a brief summary of steps organisations should take when dealing with data subject requests, data breaches and data security during the coronavirus outbreak.

Compliance with GDPR – Data subject requests

In normal circumstances, organisations must comply with data subject requests within one month of receipt.

The ICO recognises that it may no longer be feasible for organisations to meet that timescale and has confirmed it will take a reasonable approach where businesses fail to meet timescales or adopt a different process because other issues are being prioritised. The ICO cannot extend statutory timescales, but it will let individuals know, via its website and through its own communications with data subjects, that they may experience understandable delays if they make requests during the pandemic.

The ICO has made it clear that businesses should not use coronavirus as an excuse for delays or failures to comply with GDPR and that all businesses should do what they can to comply with the current timescales.

If you are unable to comply with a data subject request within the statutory timescales, you should notify the data subject as soon as possible. If you are able to do so, you should provide the data subject with an extended date by which you will respond or otherwise be as clear as possible as to when they may expect to receive a response.

Compliance with GDPR – Breach notification

Again, although the ICO is unable to extend the statutory timescales, it will not penalise organisations that fail to report a reportable breach within the usual 72-hour timescale as a result of the impact of the coronavirus pandemic. If you will be unable to notify the ICO within the 72-hour timescale, you should contact the ICO within 72 hours to explain that there will be a delay, and the ICO will provide you with further advice.

Internal steps to take

If you fail to comply with GDPR as a result of the impact of coronavirus, you should document this internally together with the reasons for non-compliance, including, for example, the absence of employees who are key to ensuring you comply with GDPR (such as HR teams, IT and security teams, management roles etc.), or a change in priorities within the organisation which means GDPR requests and data breaches cannot be dealt with as efficiently as usual.

Working from home

Organisations should ensure employees are provided with appropriate guidance on keeping personal data secure when working from home. This may differ from the guidance in place relating to data security in the usual working environment. Consider, for example, the following advice:

If you have any questions about ensuring your organisation continues to comply with GDPR during the coronavirus pandemic, or if you would like a free internal process map to help your organisation deal with subject access requests and breaches, please contact Florence Maxwell.