
    Data Protection Compliance in Times of Disruption

    Published on 16 Mar 2020 by Lynne Callister

    GDPR compliance becomes more challenging than ever during times of disruption. To maintain data protection compliance you will need to focus and prioritise.

    In response to the COVID-19 pandemic, the ICO has been forced to acknowledge that there may be some disruption, for example when handling subject access requests.

    As you seek to manage the disruption, how can you make sure data protection compliance remains 'top of mind', especially for those working remotely or people who may collect or share health information?

    During a time of crisis, your team will inevitably be distracted and unsettled by events around them. As a result, you need to focus on the key priorities and ensure that staff continue to follow data protection 'principles' until the crisis abates.

    To help, we've put together a quick list of data protection priorities and how to deal with them.

    Key GDPR priorities in times of disruption

    • Security & data protection risks for remote workers – Some of your team may work remotely from home, perhaps using their own devices and communications equipment as an interim measure. Data protection laws don't prohibit this. But make sure that, at a minimum, the same baseline protections, safeguards and security measures continue to be met, for example by providing an approved remote working solution and equipment with pre-installed security software.
    • Think about data security – Wherever your team are working, urge them to take precautions with paper and electronic-based information (e.g. storage in a lockable cabinet). Remind them to be vigilant and protect personal data from unauthorised access (e.g. from family members and occasional visitors such as postal workers), and ensure that others cannot overhear sensitive conversations.
    • Privacy by design - If you're setting up teams to work remotely for the first time, be sure to build in 'privacy by design' from the start. At each stage of planning - from where work takes place, to how information is shared and where it will be backed-up, keep assessing data protection and privacy issues so that the right decisions are made.
    • Individual rights - Make sure you can continue meeting individual rights, whatever alternative working arrangements are in place throughout the disruption. For example, ensure that requests for rectification or to restrict processing are responded to without undue delay. If physical measures are generally used to action requests (e.g. a physical in-tray or internal mail), consider whether to use other channels (e.g. email, intranet) or online collaborative tools instead.
    • Data protection principles - Remind your team to continue to follow your policies and procedures. Keep upholding data protection principles. Urge them not to collect more information than is required, and provide them with access to all of the resources they need if they make marketing calls (including 'do not call' lists). Keep communicating your expectations. Share reminders via the intranet or other informal messaging platforms to keep data protection compliance 'top of mind'.
    • Managing office visitors and events - You have a duty of care to maintain the safety and well-being of all employees. So, it's reasonable to ask visitors to your office if they have been in contact with anyone with COVID-19 symptoms or if they have recently returned from highly-affected areas. However, to meet the minimisation principle, you should avoid collecting too much information from them. Instead, direct them to read government advice before their visit, and to stay away and self-isolate if they have symptoms.
    • Informing your team about other colleagues who have contracted COVID-19 - Again, your approach here needs to be proportionate. If a colleague or customer contracts coronavirus or has symptoms, it is your duty to inform the whole of your team. Data protection laws don't stop you meeting your obligations here. But, you should ensure that the information you pass on is kept to a minimum and if possible, avoid naming them.
    • Consider subject access requests - Will your team still have access to all the information and resources they need to respond to data subject requests within one month of receipt? Do you need to make additional preparations to facilitate this (e.g. by uploading information to centralised servers)? The ICO makes it clear that it will not extend the statutory deadline. But if, as a result of the pandemic, companies need to divert resources to other priority areas or change their usual approach, they will not be penalised. In all cases, companies should warn individuals of likely delays when acknowledging the request.
    • Sending public health messages and alerts - Communication is vital at times of disruption. You won't need prior consent to send public health-related messages or emergency alerts to your team, suppliers or customers. But, make sure your communications are proportionate and free of direct marketing or promotional information.
    • For health bodies and public authorities - Health professionals may use technology to provide online consultations and diagnosis (e.g. video messaging) or share additional information to facilitate this. Data protection laws cover information sharing when there are threats to public health. In all cases, you should ensure your use and sharing is proportionate and that there is a compelling public interest.
    • Sharing information with public authorities - In the unlikely event that the government or public health authorities ask you to share information about infected individuals, it is permitted under data protection law.
    • Provide ongoing support and advice - Disruptive events can be challenging and cause uncertainty for everyone. So, remember to continue offering data protection advice and support via the usual communications channels. To substitute for the 'water-cooler' experience, create a GDPR forum or hang-out where your team can get advice.

    Want to know more about GDPR?

    As well as 40+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.
