COVID-19: What are the key GDPR issues coming out of lockdown?

While the coronavirus crisis is likely to continue to affect businesses and organisations for a considerable period of time to come, with the narrative now changing and lockdown rules beginning to be relaxed, businesses are now planning for the next phase.

GDPR, data privacy and cyber risks may not have been expressly mentioned in recent government briefings, but they are and will remain key risks for business.

So what are the key GDPR issues for business coming out of lockdown? I have set out below some high level thoughts on the main issues that we are seeing.

Views of the ICO

The Information Commissioners Office (ICO), the UK data regulator, has indicated that it is still ‘business as usual’ as far as they are concerned, albeit that they recognise some of the unique challenges that businesses currently face.

They have indicated that their priorities are: (i) protecting the public interest – particularly vulnerable citizens; (ii) enabling responsible data sharing – where sharing is necessary; and (iii) monitoring intrusive and disruptive technology – i.e. protecting privacy whilst enabling innovation, where there is often a difficult balance that needs to be struck (with one of the key talking points being roll out of the NHS tracker app).

Working from home

In the last few weeks with the majority of the working population working from home, and many likely to continue to do so for an extended period of time in the future, the increase of working from home arrangements has brought a variety of new GDPR/data security/cyber risk challenges for businesses.

I think that it is fair to say that due to the speed of change and the truly agile way in which businesses have addressed the practical issues that they have faced, some of these challenges and risks are not yet fully known, understood or have been adequately mitigated or managed.

These risks and challenges will not go away and will continue into our ‘new normality’. So, I would urge all businesses to take some time to consider and carefully address them now.

New technology

Most, if not all, businesses will now be using new systems, technology and engaging with new suppliers as part of their day-to-day operations. A lot of these technologies and arrangements may have been on-boarded at pace, as part of business resilience and continuity arrangements.  However, notwithstanding the speed of change, businesses still have a legal obligation to consider the overall impact, from a data perspective, of any new systems and tech which they embrace. A few questions you may wish to ask yourself here are:

• Do your new suppliers have access (or the capability to access) to your employees’ or customer’s personal data?  If so, then there is a legal requirement under GDPR to consider the privacy risks.
• Have you undertaken adequate data privacy impact assessments and/or a legitimate interest assessment when on-boarding new systems and technology?
• With these new work settings, systems and suppliers, do you know what data your business now holds and where it is held?
• Is it time to conduct a fresh data audit and revisit your records of processing and/or update your data maps?  This is a legal requirement after all.

Policies and procedure

With new ways of working, accessing systems and technology and data processing arrangements, you may also wish to take time to review your own policies and procedures.

Are they still fit for purpose for the new reality and your current ways of working?  Do they need to be updated so that your messaging to your employees, customers and other data subjects reflects the new situation and are transparent and clear?

If not, then you run the risk of claims, enforcement action and fines.

Workplace testing

There has been a lot of coverage about the privacy concerns relating to the NHS’ COVID tracker app: how much data is being captured; how long will the data will be kept for; for what purposes will it be used, who has access to the data?

Employers are also likely to face similar issues and questions from employees, where employers are looking to conduct workplace testing (particularly temperature testing) as part of their response to creating safe working environments for their staff. Testing and the processing of personal and sensitive personal data in relation to employees does raise a number of data privacy questions and considerations.

The ICO has recently published some useful Guidance on Workplace Testing for businesses to consider in situations where an employer wishes to conduct testing in the workplace. The ICO highlights that:

“Data protection law does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. But it does require you to be responsible with people’s personal data and ensure it is handled with care”.

Some of the questions that you may wish to ask here are:

• What is the purpose of the testing and what lawful basis are you relying on for processing test data?
• Have you considered your record keeping requirements and/or undertaken a data protection impact assessment?
• What steps have you taken to ensure that the data collected is adequate, relevant and limited to that which is necessary?
• Who will have access to the data and is it held securely?
• Does your privacy notice address testing and is it transparent and clear to employees how and why their data will be processed?

Compliance with GDPR may not have been at the top of the list of priorities for the majority of businesses and organisations over the last nine weeks, but that does not mean that it should be ignored now.

All businesses and organisations should invest some time to consider, understand and address the data privacy issues and risks that are relevant to them – so at to avoid any potential for data breaches, claims and loss of goodwill and trust that may follow.