ICO takes a step back in enforcement due to Coronavirus challenges

The ICO will be slightly more lenient in its regulatory action during the pandemic, as so many organisations are shifting resources to deal with the crisis.

When issuing fines, the ICO will consider any difficulties the organisation has experienced due to the pandemic. It will also look at economic impact and affordability, which is likely to result in smaller fines.

“We recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests, where they need to prioritise other work due to the current crisis. We can take this into account when considering whether to impose any formal enforcement action.”

However, organisations should still report data breaches within 72 hours of the organisation becoming aware of the breach. The ICO says that they acknowledge there may be delays. “We will take into account the particular impact of the crisis on that organisation. This may mean less use of formal powers that require organisations to provide us with evidence and allowing longer periods to respond,” the ICO says is its regulatory action guidance issued today.

Any organisation seeking to exploit the current situation by breaching data protection laws will be faced with a strong regulatory approach.

See The ICO’s regulatory approach during the coronavirus public health emergency.