On March 12, 2020, the Information Commissioner’s Office (ICO), the U.K.’s data protection authority (DPA), published Guidance for data controllers on their data protection compliance obligations during the COVID-19 pandemic. The take-away point is that the ICO will take into account “the compelling public interest in the current health emergency” and will take a “reasonable and pragmatic” approach to enforcing data protection obligations. In light of this Guidance, the question of what particular steps are proportionate, in terms of General Data Protection Regulation (GDPR) compliance, will be of increasing importance while organizations and individuals navigate the pandemic.
The ICO states that it does not operate in isolation from matters of serious public concern. It recognizes the unprecedented challenges faced by data controllers as well as by society at large during the pandemic, and acknowledges the potential needs of organizations to share information quickly or adapt the way in which they work at short notice. The Guidance provides answers to six frequently asked questions about compliance with the GDPR during the COVID-19 pandemic, as summarized below.
Reasonable and Pragmatic Approach by UK’s ICO to GDPR Compliance during the COVID-19 Pandemic.