Hello from the Privasee team. We hope that you and your close ones are well and we hope that the current situation eases up shortly.
The ICO has set out regulatory guidance on data compliance during Covid-19. This blog post will address two areas and their implications for SMEs in the UK.
Where do regulators stand?
The ICO is taking an “empathetic and proportionate” regulatory approach towards data practices during the pandemic. This means that they understand other concerns may take precedence over data governance should resources become scarce. However, the ICO will measure practices against a proportionality test - “balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking account of the particular challenges being faced at this time”.
This also means that the accountability principle needs to be complied with. For SMEs, this means “ensuring a good level of understanding and awareness of data protection amongst your staff; implementing comprehensive but proportionate policies and procedures for handling personal data; and keeping records of what you do and why”. The required document to maintain is a Record of Processing Activities (ROPA) that sets out:
- Where the data is located within the company, both within the UK and abroad;
- What type of data is being stored (under which processing grounds);
- Whose data is being stored;
- How long the data will be stored for;
- A policy that details data subject request management techniques.
The ROPA will contribute to your organisation’s completion of the Data Protection Impact Assessment (DPIA) as the DPIA should be regularly updated to be in line with your organisation’s data management techniques and evolving practices. This document will directly demonstrate how you maintain compliance during Covid-19 and how you are managing issues as an SME.
The ICO has a DPIA template that can be used but the necessary inclusions should be:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
What about COVID-19 specific data?
It is likely that the data you collect in relation to Covid-19 will fall under “personal data” and “special categories of personal data”. The collection of such data should thus comply with the relevant articles under the GDPR, such as the grounds for processing activities, and a ROPA is the best way to manage such risks.
This is because SMEs should first understand the minimum amount of data that needs to be collected in order to meet their purposes. Your organisation may not know how much (or little) data to collect, so your DPIA should give you a benchmark for the type and amount of data that needs to be processed accordingly (data minimisation). For example, asking questions with straightforward answers is better than asking open-ended ones, which give data subjects the opportunity to talk about Covid-19 related issues in detail and potentially give data about other family members or issues outside of the current purposes for collecting their data. This would increase the strain on your organisation in the long term if such data points need to be managed later on.
This is another key reason why a ROPA should be kept and a DPIA conducted beforehand, as this would decrease the time needed in the future to go through various data records and evaluate whether too much data has been collected.
Overall, the new regulatory perspective taken by the ICO is one of empathy and proportionality. Thus, having an easy-to-view ROPA that helps ease the strain of conducting DPIAs before formal data collection will massively support your SME during Covid-19. It will help you understand the amount of data that needs to be collected from the outset, which will further reduce risks of data mismanagement in the future. Once this mechanism has been established, your SME can continue these data compliance practices into the future.
Privasee does not hold the above article to constitute legal advice in any form.
More information can be found on the ICO Website