ICO to relax GDPR enforcement during coronavirus economic downturn

Fines for data breaches likely to be much lower until organisations can recover

ICO logo

The UK data regulator has said it will adopt a lighter touch while organisations weather the economic effects of COVID-19, meaning fewer investigations and reduced fines.

When issuing fines for Data Protection Act 2018 and GDPR breaches, the Information Commissioner’s Office (ICO) will now take into account whether an organisation’s financial difficulties result from the coronavirus crisis.

Advertisement - Article continues below

As such, businesses found to have committed data protection violations may be given longer than usual to rectify breaches that predate the crisis, where the crisis has affected its ability to put things right.

The regulator will also reduce the level of fines it issues, according to fresh guidance, meaning we aren’t likely to fines of the same scale as those levied against British Airways and Marriott last year.

BA and Marriott were each delivered notices of intent to fine £183 million and £99 million in 2019 for data breaches committed after GDPR came into force. The ICO has prolonged the collection of these fines to May 2020, however, after several delays.

“We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures,” said the Information Commissioner Elizabeth Denham. “Against this backdrop, it is right that we must adjust our regulatory approach.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

“It is important that we regulate for the time we are in now, but it is important too that we look to the future. Data protection can play a central role in promoting economic growth when we come out of this pandemic: encouraging public trust in innovation and supporting the UK as it steps forward in the global economy.”

The COVID-19 pandemic has affected different kinds of organisations in different ways, with many struggling to stay in business, while others are migrating their workforce to remote working patterns.

The data regulator’s intervention suggests it sees its role as one that’s dynamic and responsive to the wider economic situation, and that its priority is not to financially cripple businesses who violate the DPA.

Some things will remain the same, such as a limit of 72 hours being given for organisations to report a data breach, although guidance suggests there may be some leeway, because “the current crisis may impact this”.

Advertisement - Article continues below

When conducting investigations, moreover, the ICO will act in the context of the public health emergency and take into account the financial and staffing impact of the crisis on every business it examines.

Related Resource

Don’t just collect data, innovate with it.

Removing the barriers to the experience economy

Download now

In practice, this means a reduction in the use of formal powers to compel organisations to provide evidence, and allowing longer periods for them to respond. The ICO will also conduct fewer investigations overall, focussing its attention instead on those circumstances which suggest serious non-compliance.

In addition, the ICO may not act against organisations that fail to pay or renew data protection fees if this is successfully linked with the economic consequences of COVID-19.

All audit work, meanwhile, has been suspended, and all regulatory action in connection with outstanding information request backlogs has also been paused. Businesses have also given some leeway on fulfilling Subject Access Requests (SARs), with the regulator noting that staff may need to prioritise other work during the crisis.

Advertisement - Article continues below

By watering down these considerations for action, and offering more flexibility for businesses that don’t stick by the rules, however, the ICO leaves itself open to the accusation it’s softening the deterrent against breaching GDPR.

However, global co-head of the privacy and cyber security practice at Hogan Lovells, Eduardo Ustaran, argues the ICO is simply providing reassurance at a time of great uncertainty.

“The ICO is not saying that it will not fulfil its regulatory duties or enforce the law, but that it will take into account the hardships that many organisations are facing when undertaking those duties,” he said.

“It would be a mistake to think that the regulator's words mean that this is a "free for all" scenario and extremely disingenuous of anyone to do so. As ever, data protection law needs to be looked at through the lens of common sense, and today that means taking into account the effect that the coronavirus crisis is having on everything.”

He added it’s clear the ICO won’t stop “doing their job”, and that the organisations will continue to take firm action against those looking to exploit the situation by misusing personal information.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico
Information Commissioner

What is the Information Commissioner’s Office (ICO)?

15 Apr 2020
Visit/security/privacy/355304/nhs-working-with-apple-google-coronavirus-tracking-app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020