The ICO has published an Open Letter to UK organisations, as well as updating its Regulatory Approach (the ICO first published its regulatory approach in response to COVID-19 in April, and updated this in July).
The ICO has noted the update to its Regulatory Approach is a step towards returning to its approach before COVID-19, but with caveats and exceptions which reflect the current circumstances. The ICO has reiterated that its “pragmatic approach and commitment to supporting” organisations and protecting people’s information rights has not changed.
What is clear from this updated approach is that the ICO is restarting certain activities that were paused earlier in the year, and that the ICO’s expectations regarding compliance with data protection law are now similar to those it had before the pandemic, although there are certain exceptions and caveats to this.
Key points from the updated Regulatory Approach include:
- Where organisations have a backlog of complaints, the ICO expects them to have a robust recovery plan in place to ensure these backlogs are reduced within a reasonable timeframe;
- The ICO will continue to proactively engage with businesses to better understand how measures implemented to address the pandemic can impact their ability to deal with complaints in a timely manner;
- The ICO is recommencing its formal regulatory action in connection with outstanding information request backlogs by organisations that pre-date the pandemic;
- The ICO expects organisations to report personal data breaches within the 72-hour requirement under the GDPR, and has removed the reference in the previous version of its Regulatory Approach to “acknowledging the current crisis may impact this”. Clearly the expectation is that breach reporting practices should return to normal;
- The ICO is prioritising investigations which present the greatest harm to the public and work that is directly related to the response to the pandemic. The ICO will recommence some investigations that were initially paused at the start of the public health emergency and keep under review the small number of investigations that remain paused;
- The ICO previously announced in May that it was pausing its investigation work into real time bidding and AdTech. The ICO has noted it is keeping this work under regular review and will publish a separate update on this in due course.
We have updated our regulatory approach document today, informed by what you are telling us about your own capacity. It is another step towards returning to our approach before COVID-19, but with the caveats and exceptions that reflect today’s reality. What does not change is our pragmatic approach and commitment to supporting your organisation to protect people’s information rights. That has been our approach throughout my time as Information Commissioner, and will continue when my five year term comes to an end in July 2021.