The UK data regulator has said it will adopt a lighter touch while organisations weather the economic effects of COVID-19, meaning fewer investigations and reduced fines.
When issuing fines for Data Protection Act 2018 and GDPR breaches, the Information Commissioner’s Office (ICO) will now take into account whether an organisation’s financial difficulties result from the coronavirus crisis.
As such, businesses found to have committed data protection violations may be given longer than usual to rectify breaches that predate the crisis, where the crisis has affected its ability to put things right.
The regulator will also reduce the level of fines it issues, according to fresh guidance, meaning we aren’t likely to fines of the same scale as those levied against British Airways and Marriott last year.
BA and Marriott were each delivered notices of intent to fine £183 million and £99 million in 2019 for data breaches committed after GDPR came into force. The ICO has prolonged the collection of these fines to May 2020, however, after several delays.
“We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures,” said the Information Commissioner Elizabeth Denham. “Against this backdrop, it is right that we must adjust our regulatory approach.
“It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation and supporting the UK as it steps forward in the global economy.”
The COVID-19 pandemic has affected different kinds of organisations in different ways, with many struggling to stay in business, while others are migrating their workforce to remote working patterns.
The data regulator’s intervention suggests it sees its role as one that’s dynamic and responsive to the wider economic situation, and that its priority is not to financially cripple businesses who violate the DPA.
Some things will remain the same, such as a limit of 72 hours being given for organisations to report a data breach, although guidance suggests there may be some leeway, because “the current crisis may impact this”.
When conducting investigations, moreover, the ICO will act in the context of the public health emergency and take into account the financial and staffing impact of the crisis on every business it examines.
Don’t just collect data, innovate with it.
Removing the barriers to the experience economy
In practice, this means a reduction in the use of formal powers to compel organisations to provide evidence, and allowing longer periods for them to respond. The ICO will also conduct fewer investigations overall, focussing its attention instead on those circumstances which suggest serious non-compliance.
In addition, the ICO may not act against organisations that fail to pay or renew data protection fees if this is successfully linked with the economic consequences of COVID-19.
All audit work, meanwhile, has been suspended, and all regulatory action in connection with outstanding information request backlogs has also been paused. Businesses have also given some leeway on fulfilling Subject Access Requests (SARs), with the regulator noting that staff may need to prioritise other work during the crisis.
By watering down these considerations for action, and offering more flexibility for businesses that don’t stick by the rules, however, the ICO leaves itself open to the accusation it’s softening the deterrent against breaching GDPR.
However, global co-head of the privacy and cyber security practice at Hogan Lovells, Eduardo Ustaran, argues the ICO is simply providing reassurance at a time of great uncertainty.
“The ICO is not saying that it will not fulfil its regulatory duties or enforce the law, but that it will take into account the hardships that many organisations are facing when undertaking those duties,” he said.
“It would be a mistake to think that the regulator's words mean that this is a "free for all" scenario and extremely disingenuous of anyone to do so. As ever, data protection law needs to be looked at through the lens of common sense, and today that means taking into account the effect that the coronavirus crisis is having on everything.”
He added it’s clear the ICO won’t stop “doing their job”, and that the organisations will continue to take firm action against those looking to exploit the situation by misusing personal information.
