Given the COVID-19 crisis, it is likely that data protection may no longer be at the forefront of every controller’s mind, and that business continuity has instead taken precedence. Acknowledging this shift and the need for companies to divert business-as-usual resources to their response to the crisis, the ICO has published two articles on its website, which are aimed at both controllers and data subjects more widely.
In its posts, the ICO acknowledges that, whilst it cannot extend statutory timeframes for responses to DSARs, it does accept that, as controllers re-focus their resources and have competing priorities, the ICO “won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”. In addition, the ICO has published a blog post aimed at data subjects confirming that, if they have submitted either a freedom of information request or a subject access request, they should expect delays before receiving a response. Both of these publications should reassure controllers that the ICO will not be lurking with a 4% of annual turnover fine for entities that did not have the resources to respond to DSARs within the 30-day time limit. This should not, however, be considered a ‘get out of jail free’ card that enables controllers to completely ignore their GDPR obligations.
Notwithstanding this leniency with respect to DSAR responses, with large-scale remote working now in place, the ICO has taken the opportunity to remind controllers that they are still required to ensure that they have adequate technical and organisational security measures in place and that these are expected to be “the same kinds of security measures for homeworking that [controllers would] use in normal circumstances”.
For a briefing on the measures taken by governments and regulators around the world with respect to data protection, see our post on the tension between public health in the COVID-19 crisis and data protection.