Whilst the General Data Protection Regulation (GDPR) is probably the last thing on the mind of business leaders during these extraordinary times of the worldwide Covid-19 pandemic, it should not be completely forgotten given the seismic shift to homeworking.
Written on April 2, 2020 by Xeinadin Group
With significant advances in technology working remotely from the office, whether that be from home or on the go, has never been easier. However, with remote working involving data being transferred over external networks (rather than simply moved between your desktop computer and the server down the corridor) and potentially employees taking personal data home with them (for example hard copy work files) the rules under GDPR still apply but are less easy to monitor and control than in an office based environment.
This means employees need to continue to keep data (including hard copy paper files) safe and secure such that they can’t be accessed by third parties. Employers also need to consider how employees are accessing work information and whether that involves a footprint of data being left on the employees own device at home or mobile device and how that is controlled.
The Information Commissioner’s Office (ICO), based in Wilmslow, has now issued some specific Covid-19 guidance to organisations. This can be accessed here https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/03/covid-19-general-data-protection-advice-for-data-controllers/
Whilst a large part of the guidance focuses on health data and public messaging around Covid-19 (including what you should and should not communicate to your employees if you have a staff member diagnosed with Covid-19) there is some reassurance for businesses/data controllers in that the ICO acknowledges that “resources, whether they are finances or people, might be diverted away from usual compliance or information governance work” and that the ICO won’t “penalise organisations that [the ICO] knows need to prioritise other areas or adapt their usual approach during this extraordinary period”.
The ICO also goes on to state that it “can’t extend statutory timescales, but [the ICO] will tell people through its communication channels that they may experience understandable delays when making information rights requests during the pandemic”.
As such businesses should remember the one month statutory timescale for responding to subject access requests still applies (bearing in mind the possibility of extending this to 3 months in certain circumstances), the fact that the regulator acknowledges there will be delays is something businesses will be relieved to hear during a time where businesses are adapting on a daily basis to new demands and challenges in these unprecedented times.