Data Protection Compliance in Times of Disruption
GDPR compliance becomes more challenging than ever during times of disruption. To maintain data protection compliance you will need to focus and prioritise.
In response to the COVID-19 pandemic, the ICO has been forced to acknowledge that there may be some disruption, e.g. when handling subject access requests.
As you seek to manage the disruption, how can you make sure data protection compliance remains 'top of mind', especially for those working remotely or people who may collect or share health information?
During a time of crisis, your team will inevitably be distracted and unsettled by events around them. As a result, you need to focus on the key priorities and ensure that staff continue to follow data protection 'principles' until the crisis abates.
To help, we've put together a quick list of data protection priorities and how to deal with them.
Key GDPR priorities in times of disruption
- Security & data protection risks for remote workers - Some of your team may work remotely from home, perhaps using their own devices and communications equipment as an interim measure. Data protection laws don't prohibit this. But, make sure that, at a minimum, the same baseline protections, safeguards and security measures continue to be met - for example, by providing an approved remote working solution, equipment with pre-installed security software, etc.
- Think about data security - Wherever your team are working, urge them to take precautions with paper and electronic-based information (e.g. storage in a lockable cabinet). Remind them to be vigilant and protect personal data from unauthorised access (e.g. from family members and occasional visitors such as postal workers), and ensure that others cannot overhear sensitive conversations.
- Privacy by design - If you're setting up teams to work remotely for the first time, be sure to build in 'privacy by design' from the start. At each stage of planning, from where work takes place to how information is shared and where it will be backed up, keep assessing data protection and privacy issues so that the right decisions are made.
- Individual rights - Make sure you can continue meeting individual rights, whatever alternative working arrangements are in place throughout the disruption. For example, make sure that requests for rectification or to restrict processing are responded to without undue delay. If physical measures are generally used to action requests (e.g. a physical in-tray, internal mail, etc.), consider whether to use other channels (e.g. email, intranet) or online collaborative tools instead.
- Data protection principles - Remind your team to continue to follow your policies and procedures. Keep upholding data protection principles. Urge them not to collect more information than is required, and provide them with access to all of the resources they need if they make marketing calls (including 'do not call' lists). Keep communicating your expectations. Share reminders via the intranet or other informal messaging platforms to keep data protection compliance 'top of mind'.
- Managing office visitors and events - You have a duty of care to maintain the safety and well-being of all employees. So, it's reasonable to ask visitors to your office if they have been in contact with anyone with COVID-19 symptoms or if they have recently returned from highly affected areas. However, to meet the minimisation principle, you should avoid collecting too much information from them. Instead, direct them to read government advice before their visit, and to stay away and self-isolate if they have symptoms.
- Informing your team about other colleagues who have contracted COVID-19 - Again, your approach here needs to be proportionate. If a colleague or customer contracts coronavirus or has symptoms, it is your duty to inform the whole of your team. Data protection laws don't stop you meeting your obligations here. But, you should ensure that the information you pass on is kept to a minimum and, if possible, avoid naming them.
- Consider subject access requests - Will your team still have access to all the information and resources they need to respond to data subject requests within one month of receipt? Do you need to make additional preparations to facilitate this (e.g. by uploading information to centralised servers)? The ICO makes it clear that it will not extend the statutory deadline. But if, as a result of the pandemic, companies need to divert resources to other priority areas or change their usual approach, they will not be penalised. In all cases, companies should warn individuals of likely delays when acknowledging the request.
- Sending public health messages and alerts - Communication is vital at times of disruption. You won't need prior consent to send public health-related messages or emergency alerts to your team, suppliers or customers. But, make sure your communications are proportionate and free of direct marketing or promotional information.
- For health bodies and public authorities - Health professionals may use technology to provide online consultations and diagnosis (e.g. video messaging) or share additional information to facilitate this. Data protection laws cover information sharing when there are threats to public health. In all cases, you should ensure your use and sharing is proportionate and that there is a compelling public interest.
- Sharing information with public authorities - In the unlikely event that the government or public health authorities ask you to share information about infected individuals, doing so is permitted under data protection law.
- Provide ongoing support and advice - Disruptive events can be challenging and cause uncertainty for everyone. So, remember to continue offering data protection advice and support via the usual communications channels. To substitute for the 'water-cooler' experience, create a GDPR forum or hang-out where your team can get advice.
Want to know more about GDPR?
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!