ICO to relax GDPR enforcement during coronavirus economic downturn

Fines for data breaches likely to be much lower until organisations can recover


The UK data regulator has said it will adopt a lighter touch while organisations weather the economic effects of COVID-19, meaning fewer investigations and reduced fines.

When issuing fines for Data Protection Act 2018 and GDPR breaches, the Information Commissioner’s Office (ICO) will now take into account whether an organisation’s financial difficulties result from the coronavirus crisis.

As such, businesses found to have committed data protection violations may be given longer than usual to rectify breaches that predate the crisis, where the crisis has affected their ability to put things right.

The regulator will also reduce the level of fines it issues, according to fresh guidance, meaning we aren’t likely to see fines of the same scale as those levied against British Airways and Marriott last year.

BA and Marriott were each delivered notices of intent to fine £183 million and £99 million in 2019 for data breaches committed after GDPR came into force. The ICO has prolonged the collection of these fines to May 2020, however, after several delays.

“We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures,” said the Information Commissioner Elizabeth Denham. “Against this backdrop, it is right that we must adjust our regulatory approach.

“It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation and supporting the UK as it steps forward in the global economy.”

The COVID-19 pandemic has affected different kinds of organisations in different ways, with many struggling to stay in business, while others are migrating their workforce to remote working patterns.

The data regulator’s intervention suggests it sees its role as one that’s dynamic and responsive to the wider economic situation, and that its priority is not to financially cripple businesses that violate the DPA.

Some things will remain the same, such as a limit of 72 hours being given for organisations to report a data breach, although guidance suggests there may be some leeway, because “the current crisis may impact this”.

When conducting investigations, moreover, the ICO will act in the context of the public health emergency and take into account the financial and staffing impact of the crisis on every business it examines.


In practice, this means a reduction in the use of formal powers to compel organisations to provide evidence, and allowing longer periods for them to respond. The ICO will also conduct fewer investigations overall, focussing its attention instead on those circumstances which suggest serious non-compliance.

In addition, the ICO may not act against organisations that fail to pay or renew data protection fees if this is successfully linked with the economic consequences of COVID-19.

All audit work, meanwhile, has been suspended, and all regulatory action in connection with outstanding information request backlogs has also been paused. Businesses have also been given some leeway on fulfilling Subject Access Requests (SARs), with the regulator noting that staff may need to prioritise other work during the crisis.

By watering down these considerations for action, and offering more flexibility for businesses that don’t stick by the rules, however, the ICO leaves itself open to the accusation it’s softening the deterrent against breaching GDPR.

However, global co-head of the privacy and cyber security practice at Hogan Lovells, Eduardo Ustaran, argues the ICO is simply providing reassurance at a time of great uncertainty.

“The ICO is not saying that it will not fulfil its regulatory duties or enforce the law, but that it will take into account the hardships that many organisations are facing when undertaking those duties,” he said.

“It would be a mistake to think that the regulator’s words mean that this is a ‘free for all’ scenario and extremely disingenuous of anyone to do so. As ever, data protection law needs to be looked at through the lens of common sense, and today that means taking into account the effect that the coronavirus crisis is having on everything.”

He added it’s clear the ICO won’t stop “doing their job”, and that the organisation will continue to take firm action against those looking to exploit the situation by misusing personal information.
