ARTICLE

The pandemic and GDPR: what you should do.

An insight into how to mitigate against privacy risks caused by the pandemic. 

How will the pandemic affect your GDPR compliance?

– You must now take steps to minimise transmission and exposure. Personal data is vital to monitor and enforce isolation, trace contacts and test.
– Moving business online increases your reliance on personal data.

What has the ICO said?

In brief, “business as usual”, but they will be pragmatic and flexible in the circumstances. Roughly translated:
– Where you have good compliance measures in place but breach the GDPR due to the pandemic, you are unlikely to be fined.
– Where the pandemic exposes bad compliance practice, you are more likely to be fined.

The following compliance measures are likely to be tested:

(1) Special category personal data (“SCPD”)

Health information is a type of SCPD and you will use more of it. When you collect and use SCPD, you must have an “appropriate policy document” (“APD”) in place. You should amend your APD:

– to reflect the lawful conditions you will rely on (i.e. employment/social protection law, vital interests, public health and preventative/occupational medicine); and
– to contain a new pandemic-specific retention period (i.e. currently unknown and awaiting further guidance, to be reviewed regularly).

(2) What information can we collect and share?

We recommend the following overview strategy:

– In general, be more cautious than usual as you must prioritise public health, but this isn’t carte blanche to ask excessive or intrusive questions.
– For now, you will likely be fine to ask for confirmation of symptoms, contact with infected individuals or quarantine/self-isolation, recent travel and generalised residence information (to check exposure to infection clusters).
– Share information as necessary, but implement protocols according to the sensitivity of the information. A general warning that an employee has displayed symptoms will likely be fine without identifying the employee, but sharing names/health information in individual circumstances (for example sickness/bereavement leave) should be subject to confidentiality, need-to-know and password-access protocols.

(3) Data security breaches are more likely

People are working and interacting online in unprecedented numbers and ways. Systems facilitating this will be stress-tested in ways their designers and operators never anticipated, and we have already seen evidence of cyber criminals circling. Data security breaches, tightly regulated by the GDPR, will occur.

The ICO will expect you to have:

– stress-tested relevant systems (such as remote working software and online payment facilities);
– an effective data security incident policy which sets out to employees how to recognise breaches, who to inform, investigation and mitigation steps, and when to notify the ICO and affected individuals. This is particularly useful because the most common cause of a security breach is human error; and
– considered implementing/amending other compliance measures, such as information security policies, computer use policies and organisational email policies.

We also recommend reviewing downstream contracts with suppliers processing personal data on your behalf to ensure you are protected against shared data security risks.

(4) Transparency and accuracy

Do your privacy notices (public and employee) account for types of information you now need to collect and ways you now need to use it? Amend if not.

Data accuracy is more important because retaining inaccurate information is harmful not just to individual privacy but also to our national response. Review information you store related to the pandemic more often than you normally would to ensure it remains accurate.

(5) Subject access requests

As more individuals are laid off, more individuals are likely to make SARs to find evidence of your non-compliance with very new law. Stress-test your SAR compliance structure, especially for multiple simultaneous requests.

Comply with current SARs as normal, but consider whether you have a genuine need to rely on the 2-month compliance extension for complex (e.g. due to depleted resources/prioritisation) or multiple requests, or to agree an informal delay with the requester.

To talk through any of these issues get in touch with Priya Thapar on +44 (0)20 3691 2063 or email pthapar@greenwoodsgrm.co.uk

Greenwoods Legal LLP is a Limited Liability Partnership, registered in England, registered number OC306912. Our registered office is Queens House, 55-56 Lincoln’s Inn Fields, London, WC2A 3LJ. A list of the members’ names is available for inspection at our offices in Peterborough, Cambridge and London. Authorised and regulated by the Solicitors Regulation Authority, SRA number 401162. Details of the Solicitors’ Codes of Conduct can be found at www.sra.org.uk. All instructions accepted by Greenwoods Legal LLP are subject to our current Terms of Business. VAT Reg No: 161 9287 89.