The ICO changes tact in enforcing GDPR during Covid-19 crisis – what does it mean for you?

by Richard Onslow

17 Apr 2020

This week the ICO announced how they are changing their approach in the face of the Coronavirus pandemic. The shift to a more flexible application of the GDPR rules is a sensible move by the ICO and will most certainly be welcomed by under-pressure businesses right now. It’s great that they’re looking to support businesses during the Covid-19 crisis and actively working to aid economic growth. But what are the main changes we’ll see and what does this mean for you and your business?


How is the ICO changing their approach to GDPR?

The ICO recognises that most organisations are under great strain right now, suffering from staff shortages and the need to respond to new and immediate demands.

GDPR compliance

Ability to deal with many aspects of the GDPR will be greatly reduced, from responding to Data Subject Access Requests, dealing with data breaches and working on general data privacy projects and processes.

Therefore, they’ll be focusing their efforts on the instances of serious non-compliance that pose the “most serious challenges and greatest threats to the public”. They’ll be doing less investigations overall those they do carry out will be done empathetically and pragmatically in light of the public health emergency.

They will also be providing advice and fast-tracking tools and guidance that help businesses deal with, and recover from, the Covid-19 crisis.

What does it mean for you?

People still have rights over their own data and, as far as you can, you should still be doing everything possible to keep their data secure, protect their privacy and ensure you have the right consent for any communications. However, there are several ways the new changes may mean things will become a little easier.

  • Data Sharing: You’ll be allowed greater flexibility to share information to respond to the Covid-19 crisis. For example, data can be shared to underpin relevant healthcare initiatives, like alerting authorities of vulnerable self-isolating residents who need support.
  • Reporting data breaches: You’ll still need to safeguard individual’s personal information and report data breaches in a timely manner. However, the ICO admit the ability to report within the strict 72-hour time period may be affected for some.
  • Data Subject Access Requests: Whilst the timescales for responding to a data subject access request (DSAR) remain unchanged, the public will be asked to wait longer than usual for a response. This will give you the time to collate the information if you’re struggling with staff shortages or issues with access to data systems when home working.
  • Investigations: If you come under investigation, the ICO will consider the public health emergency and the impact it’s had on your organisation. They will look to understand your individual circumstances and give you longer to respond to any requests for evidence and put right any breaches. But be warned, any business deliberately taking advantage of the looser regulation will be face firm and strong action.
  • Freedom of Information (FOI) requests: They understand that there has been a need to take fast decision making to use data innovatively to respond to the pandemic and they’re allowing a lot of flexibility in terms of complying with FOI requests during the pandemic and the length of time needed to do so. They are working with companies on an individual basis to understand when and how requests can be complied it so it’s worth being upfront with them about any factors affecting your ability to comply.

In summary

Across the board, they seem to be applying a common-sense, flexible and empathetic approach to many aspects of compliance and are treating each case individually. This is really encouraging as it will provide some much-needed breathing space for businesses pushed for resource.


And after the storm?

Before the outbreak of the Coronavirus pandemic, concerns over GDPR had many organisations into a state of operational paralysis. A fine of £20m or 4% of turnover is enough of an axe hanging over people’s heads to discourage activity for fear of falling foul of the rules. As we’ve seen in many industries over the past few weeks, rules can be bent and applied more sensibly to allow us to work together and get the job done.

Perhaps, when we’re out the other side, some of our more common-sense approaches to what can and can’t be done endure for the long term. In terms of the ICO, their move to a more understanding and fair approach to GDPR compliance is great but it would be even better to see it maintained to some degree once it’s all over. For the benefit of our citizens and society as a whole, it would be particularly encouraging if we can remain positive and flexible towards data sharing.


Find out about how we can support your GDPR compliance >>