In her blog published alongside the updated guidance, the Information Commissioner, Elizabeth Denham recognised that it was especially important that their office adjust their regulatory approach to reflect the extraordinary times. She noted that the pandemic had brought real pressures on organisations and individuals and that it was right for the ICO to respond pragmatically and empathetically.
The guidance recognises that many organisations are facing staff and operating capacity shortages as well as acute financial pressures and that some specific employers are facing front-line pressures and re-deploying resources to meet those demands. While the ICO cannot change the requirements or timescales imposed by GDPR, the guidance advises that the law does gives the ICO flexibility around how it carries out its regulatory role.
As well as committing to assist front-line employers in providing fast-tracked advice and guidance they might need in relation to any data protection queries, the guidance sets out a number of specific ways in which the ICO will engage with employers over this challenging period.
For example, the ICO states that in dealing with complaints from members of the public, it will take into account the impact of the crisis. The guidance suggests this might include providing practical support to the public on the exercise of their rights, such as advising individuals to wait longer than is usual and to “bear with” organisations.
In some cases, the guidance indicates this might mean the ICO resolving a complaint without contacting the employer where, for example, it is focusing its resources on COVID-19 or in other cases it might mean giving the employer a longer period of time than usual to respond or rectify any breaches associated with delay.
So far as formal regulatory action is concerned, a proportionate response is promised balancing the benefit to the public of taking action, with the potential detrimental effect of doing so, taking into account any particular challenges being faced. While organisations must continue to report any personal data breaches without undue delay (and within 72 hours of becoming aware of the breach), the ICO recognises that the current crisis might impact this.
In relation to subject access requests, which is a likely a key area of concern for employers with HR staff often working from home and overwhelmed with furlough and restructuring priorities, the guidance also indicates such matters are likely to be taken into account. In particular, the guidance states that a reduction in resources impacting an ability to respond to a SAR where other work requires to be prioritised for the time being, would be taken into account in considering whether to impose any formal enforcement action.
In deciding whether to take such action, including imposing fines, the ICO will consider if the difficulties arose from the pandemic and if the employer has plans to put things right at the end of the crisis. Any fines imposed would take into account the economic impact and affordability, which it is stated in current circumstances, is likely to mean the level of fines reduce.
Instead, the ICO indicates that it intends to focus its attention on the cases which suggest a more serious non-compliance. In particular, it warns that it will take strong action against any organisation breaching data protection laws to take advantage of the current crisis. Nor will this guidance remain in placed indefinitely – with the ICO indicating it will be kept under review and updated as may be appropriate.
While the guidance is undoubtedly welcome, we would strongly advise all employers to comply wherever possible with GDPR requirements and timescales, rather than relying on any expectation of leniency for a breach. However, where some unavoidable delay does takes place, this guidance should provide some degree of reassurance that any mitigating factors arising from COVID-19 should be taken into account.
Alan Delaney is a legal director in the employment law team at Morton Fraser