Over the last six months, the ICO has attempted to offer practical advice and support for businesses as they adapt to the various challenges which the Covid-19 pandemic has brought. The regulator is set to continue this supportive approach, but has warned that it will take action against businesses breaching data protection rules in order to take advantage of the current situation.
The ICO acknowledges that many businesses have worked hard to protect personal data. In an open letter to UK businesses, Elizabeth Denham, the Information Commissioner, has promised to continue prioritising offering practical advice to support businesses through the pandemic and its recovery.
That support includes guidance on how artificial intelligence can comply with the law and confirmation of continued support for innovative business ideas through partnerships with other regulators. The ICO also operates a "regulatory sandbox", which supports organisations developing innovative products and services using personal data with a clear public benefit.
While several large fines may have hit the headlines in recent times, the Commissioner acknowledges that "we know that our work alongside organisations, helping you to make changes and improvements to comply with the law, is the most effective way of reducing mistakes and misuse of people’s data."
That is not to detract from the ICO's stated willingness to bring enforcement proceedings against "organisations that wilfully ignore the rules, or fail to take responsibility for their actions". However, businesses that have been victims of cyber-crime, despite doing their best to put in place appropriate technical and organisational measures, may take some comfort from her words.
An updated regulatory approach
At the same time, Ms Denham announced that the ICO has updated its regulatory approach document. This follows a document setting out its regulatory approach, which was released in April this year and updated in July.
Going forward, the ICO's focus will be on:
- Building public confidence in how personal data is used and safeguarded to encourage the public to engage with initiatives to tackle the spread of Covid-19. This will include continued engagement with the public via advice, guidance or tools (such as the ICO sandbox) that the ICO deems will have the most impact in helping public authorities and businesses deal with, or recover from, the crisis.
- Engaging with business and public authorities to better understand how measures implemented to tackle the pandemic may impact on their ability to deal with information rights complaints in a timely manner.
- Taking action against those who look to exploit the public health emergency through nuisance calls or by misusing personal information.
- Developing further regulatory measures aimed at supporting economic growth and recovery.
- Taking proportionate enforcement action, prioritising investigations which the ICO deems present the greatest risk to the public. In doing so, the ICO promises to take into account whether any non-compliance by an organisation results from the Covid-19 pandemic.
The ICO intends to recommence formal regulatory action in respect of outstanding information request backlogs which pre-date Covid-19. Certain of the ICO's data protection investigations are also due to recommence while others will remain paused (and under review).
What does this mean for businesses?
It looks as though the extensive leniency shown by the ICO during the pandemic may gradually be waning.
It will be some time before the ICO returns to its pre-pandemic levels of activity and scrutiny in all areas. The regulator will also remain sympathetic to businesses that genuinely want to do the right thing in relation to personal data but are struggling because of Covid-19 or related economic issues. Nevertheless, the clear message is that organisations should not treat the pandemic as an opportunity to relax their compliance posture.