The stresses and strains placed on organisations during the coronavirus outbreak have been unprecedented. The Information Commissioner’s Office (“ICO”) is aware of this and has produced guidance to help businesses comply with their data protection obligations under GDPR at a time when staffing levels may be reduced and organisations have new, urgent priorities to contend with.
Advice from the ICO can be found on its website - the following is a brief summary of steps organisations should take when dealing with data subject requests, data breaches and data security during the coronavirus outbreak.
Compliance with GDPR – Data subject requests
In normal circumstances, organisations must comply with data subject requests within one month of receipt.
The ICO recognises that it may no longer be feasible for organisations to meet that timescale and has confirmed it will take a reasonable approach in terms of businesses failing to meet timescales or adopting a different process because other issues are being prioritised. The ICO cannot extend statutory timescales but it will let individuals know via the website and through its own communications with data subjects that they may experience understandable delays if they make requests during the pandemic.
The ICO has made it clear that businesses should not use coronavirus as an excuse for delays or failures to comply with GDPR and that all businesses should do what they can to comply with the current timescales.
If you are unable to comply with a data subject request within the statutory timescales, you should notify the data subject as soon as possible. If you are able to do so, you should provide the data subject with an extended date by which you will respond or otherwise be as clear as possible as to when they may expect to receive a response.
Compliance with GDPR – Breach notification
Again, although the ICO is unable to extend the statutory timescales, it will not penalise organisations that fail to report a reportable breach within the usual 72 hour timescale as a result of the impact of the coronavirus pandemic. If you will be unable to notify the ICO within the 72 hour timescale, you should contact the ICO within 72 hours to explain there will be a delay and the ICO will provide you with further advice.
Internal steps to take
If you fail to comply with GDPR as a result of the impact of coronavirus, you should document this internally together with the reasons for non-compliance, including, for example, the absence of employees who are key to ensuring you comply with GDPR (such as HR teams, IT and security teams and management roles) or a change in priorities within the organisation which means that data subject requests and data breaches cannot be dealt with as efficiently as usual.
Working from home
Organisations should ensure employees are provided with appropriate guidance on keeping personal data secure when working from home. This guidance may differ from the guidance in place relating to data security in the usual working environment. Consider, for example, the following advice:
- Continue to take care when sending emails – ensure the email is sent to the correct recipient, that multiple external recipients are blind copied rather than copied so that their addresses are not disclosed to one another, and that no documents have been erroneously attached to the email;
- Password protect documents if appropriate;
- Limit the number of paper documents that employees will take home with them;
- Ensure employees do not leave documents containing personal data on view to other members of their household;
- Ensure employees tidy away documents when they have finished working on them, storing them in locked drawers or cabinets;
- Ensure employees do not leave documents containing personal data in their cars during the day or overnight;
- Ensure documents are properly destroyed and, if employees are unable to destroy them at home, that the documents are locked away until employees can enter usual working premises to make use of shredders and confidential waste bins. People working from home should not use their household waste or recycling bins for documents containing personal data, even if they feel they have been sufficiently torn up.
If you have any questions about ensuring your organisation continues to comply with GDPR during the coronavirus pandemic, or if you would like a free internal process map to help your organisation deal with subject access requests and breaches, please contact Florence Maxwell.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.