UK ICO issues COVID-19 guidance for data protection regulation enforcement

UK’s data protection regulator promises to be flexible to affected organizations but firm on those using it as an excuse not to follow compliance requirements.

Melpomenem / Getty Images

The COVID-19 pandemic has put many organizations under extreme financial and operational pressure. As a result, the UK data regulator, the Information Commissioner’s Office (ICO), promises to be mindful of that when it comes to enforcing data protection rules.

The ICO issued new guidance on how it plans to regulate organizations during the coronavirus pandemic. The regulator promises to be flexible in its approach and take the potential economic or resource burden its actions could place on organisations. At the same time, however, it warns that it will take “firm action” against organisations looking to exploit this public health emergency.

“We will still be maintaining our statutory functions, including dealing with complaints and investigating data breach reports,” Elizabeth Denham, UK information commissioner, said in a recent statement.

Data protection regulation enforcement during COVID-19

In the new document, the ICO outlines how it plans to adapt its regulatory approach during the COVID-19 pandemic. It acknowledges that organisations are facing staff and operating capacity shortages and many businesses are facing difficult financial situations.

“The ICO has publicly committed to an ‘empathetic and pragmatic approach’ to enforcement” says Tim Hickman, data privacy and data protection lawyer at White and Case. “This appears to mean that the ICO will be more understanding of businesses that are doing their best but currently struggling to satisfy their GDPR compliance obligations.”

The ICO appears to be relaxing its approach to certain requirements, Hickman adds. “For example, the ICO has acknowledged that the current crisis may impact the ability of businesses to report data breaches within the 72-hour deadline stipulated in the GDPR. The ICO has also suspended its audit work in recognition of the fact that conducting audits is not currently feasible, and recognised that some businesses may face delays in giving effect to requests from data subjects, or paying any fees owed to the ICO.”

In its new guidance, the ICO says that:

  • Organizations should still look to report data breaches within 72 hours of the becoming aware of the incident, but the ICO acknowledges the crisis may make this more difficult and will take an “appropriately empathetic and proportionate approach” to assessing reports.
  • The ICO has stood down its audit work, will conduct fewer investigations, and plans to reduce use of powers that compel organisations to provide evidence. The ICO says it will focus more on “circumstances which suggest serious non-compliance.”
  • When deciding on taking action against an organisation – including the issuing of fines – the ICO promises to take into account whether the company’s difficulties are a result of the crisis, and if there are plans in place to rectify those issues after the crisis ends.
  • If fines are issued, the economic impact and affordability considerations may mean fines are smaller due to the difficult financial situation for many businesses.
  • Organisations may be given more leeway to remediate and rectify any breaches that predate the crisis if the pandemic has impacted its ability to put those plans into action.
  • The ICO may permit the delay of the data protection fee if organizations can provide evidence that this is specifically due to economic reasons linked to COVID-19 and provide assurance of the timescale in which payment will be made.

ICO to be firm with those who exploit the crisis

The report also warns that any easing of enforcement only applies to organisations that have genuinely been affected by the pandemic and will not be forgiving to those using it as an excuse. “We will take a strong regulatory approach against any organisations breaching data protection laws to take advantage of the current crisis,” warned the document.

“In effect, the ICO appears to be saying that where businesses are making genuine efforts to comply, but are unable to meet the usual statutory deadlines due to the current circumstances, the ICO will be understanding and it is unlikely that those businesses will face enforcement measures,” says Hickman. “However, the ICO has also been clear that it will take ‘firm action’ against anyone looking to exploit the current circumstances. In particular, the ICO noted that it is targeting those who engage in nuisance calls and misuses of personal data.”

In the current situation, law firm Dentons advises organizations to be proactive both in asking for any delays of breach reporting details (and be mindful of whether it’s appropriate for the situation) and around informing the ICO of the impact of the COVID-19 crisis on their organisation if they are currently under investigation, and also use the current suspension of ICO audits to carry out internal audits and remediate any issues before the ICO resumes their work.

The crisis may also lead to the delaying of previously announced fines. Earlier in the year, the ICO agreed to delay the final issuing of fines to BA and others while the companies made their case for reduced punishment. The final decision on the £183 million fine to BA was due in January 2020 but was postponed to March before the ICO said it would provide further extensions of the regulatory process until May 18 for BA.

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)