Our Resolve. Your Resolution.

News and Events

Are Data Protection rules being eased during the Covid-19 restrictions?

View profile for Matt Rowley
  • Posted
  • Author
Are Data Protection rules being eased during the Covid-19 restrictions?

While not at the forefront of the minds of most business owners in these difficult times, regulatory compliance provides a further challenge as businesses adapt their products and services, their methods of delivery and their working practices. With regards to data protection compliance, for many small businesses, key changes are adjustments to large scale home working; distance selling (taking orders over the telephone, by email or via social media and websites); and to considerations around health monitoring and screening of personnel and customers.                                                                                      

The Information Commissioners Office (the ICO), responsible in the UK for data protection issues and ensuring compliance with the General Data Protection Regulation has been very clear that, while it will continue to work to act in the public interest, it ‘will remain pragmatic and proportionate’ and specifically take into account the struggles that businesses are having in relation to data protection. In its publication ‘Coronavirus Recovery – guidance for organisations’ the ICO makes it clear that data protection should not prevent businesses sharing information quickly and adapting the way they work. The ICO has specifically confirmed that it will take a sympathetic view of businesses working hard but struggling to meet their ‘usual standards’ and taking longer to comply with information rights requests.

However the ICO cannot change the statutory timescales such as the 72 hours for reporting serious data breaches and will still take action against businesses flouting their obligations with regards to data protection. The ICO has reiterated that organisations should be looking at documenting thought processes about changes to the way they deal with personal data through proportionate ‘data protection impact assessments’ (DPIAs). These should be done before and as part of the planning process and should be documented as soon as possible.

The ICO highlights the risks of home working and, in particular, the increased risks of human error as one particular risk factor that organisations should be recognising and putting procedures in place to mitigate.

As businesses settle into ‘new normal’ ways of working or planning for recovery they should be:

  • Focusing on the success of their businesses and not feel held back by data protection as long as they protect the fundamental rights of the public
  • Completing proportionate risk assessments (DPIAs) in respect of changes to working policies and practices
  • Continuing to ensure proper training and supervision of individuals in ways that develop a culture that puts data protection as a key priority and encourages self-reporting and transparency

If you have any questions about your data protection obligations or rights or need help with demonstrating your commitment to data protection, please contact our regulatory compliance specialists.

Our articles are intended for general information purposes only and are not a substitute for professional advice tailored to your specific circumstances. We are always very happy to discuss any plans, issues or concerns you may have and to clarify how we might be able to help. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.