Covid-19 has created unprecedented challenges for organisations across the world. Within a short space of time, organisations have had to rapidly set up remote operations, react quickly to new risks, adapt processes, all whilst maintaining GDPR compliance.
As a result of the pandemic, organisations are now collecting and processing new types of information about individuals. Much of this information falls into the categories of ‘personal data’ and ‘special categories of personal data’, both of which are subject to strict compliance requirements under the GDPR.
The rapid transition to remote working has also highlighted the importance of data protection as cybercriminals seek to exploit the pandemic and use it as a means to launch targeted attacks. New Cyber Security risks are emerging all the time so it’s crucial that organisations implement the correct measures needed to maintain the strictest data security that the GDPR requires.
The UK Information Commissioner’s Office (ICO) has said that they understand the difficulties that organisations are currently facing and that they will take a ‘reasonable and pragmatic’ approach to enforcing data protection obligations. However, they’ve made it clear that organisations are still very much expected to maintain a good level of compliance with the GDPR whilst adapting to this new working environment.
To ensure that your organisation remains compliant with the GDPR during Covid-19, we’ve outlined a number of steps you can take.
Top Tips to Achieve GDPR Compliance During Covid-19
1. Conduct a Data Protection Impact Assessment (DPIA)
To comply with the GDPR, you must be able to demonstrate that you are conducting additional recording requirements when processing sensitive data. As health information is classified as a ‘special category of personal data’, it carries a higher risk. One way of demonstrating accountability and ensuring the appropriate measures are in place to protect this data is through a Data Protection Impact Assessment. DPIAs help identify and minimise risks related to personal data processing.
The DPIA should set out:
- The activity being processed
- The data protection risks
- Whether the activity is necessary and proportionate
- How risk will be mitigated
- Confirmation that mitigation has been effective
The DPIA will be crucial to demonstrating compliance and reducing data protection related risks to your organisation.
2. Only Collect and Process What is Necessary
Under the GDPR, organisations must have a specific and legitimate reason for collecting and processing personal information. The data can only be used for specific purposes and must not be processed for any other use, unless the data subject has provided their explicit consent. Any data collected must be limited to only what is necessary to achieve those specific purposes.
This means that your organisation should assess and identify the types of personal data that needs processed in order to keep staff safe. For example, is it necessary to conduct temperature checks as employees enter the office? Should contacts of an employee who tests positive for Covid-19 be notified? Your organisation can’t just collect personal data on the off chance that it might be useful in the future, there must be clear objectives as to why this data is being processed. If you can demonstrate that your approach is reasonable, fair, and proportionate to the circumstances, then it is unlikely to be unlawful.
3. Be Transparent
When processing personal data, you must be open and honest about what you are doing with it. For example, if your organisation needs to implement testing for employees or you have to collect data for contact tracing purposes, you must be transparent and make certain information available to these individuals. Employees have the right to know why you need this data, what you intend to do with it and who you’re going to share it with.
It’s best to have this information written down in a document known as a privacy notice. A privacy notice is one of the key documents you will have to produce if you process personal data, in order to comply with the GDPR. Essentially, it explains how you collect, process, and use people’s data. Your existing privacy notice may already outline what information can be collected and processed during a health crisis, but this may need to be updated to reflect any new data processing activities that are being undertaken during the current Covid-19 pandemic.
4. Keep Information Secure
Any personal data you hold must be kept securely and only held for as long as is necessary. A retention policy will help determine when personal information needs to be reviewed, deleted or disposed of. Physical records should be locked away to prevent data breaches, and appropriate security measures should be in place to secure personal data that is stored digitally.
Despite the rapid transition to remote working, the ICO has stated that organisations should be adopting the same kind of security measures that they would use under normal circumstances. To prevent any personal data breaches and reduce the chance of a costly cyber attack, it’s important you maintain the security of systems, software, and remain vigilant to Coronavirus related cyber threats. Employees will also need to be educated on evolving threats and trained on how to use the new security tools and processes that will enable secure remote working.
Additionally, organisations are still legally bound to disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.
5. Respect the Rights of the Data Subject
Despite operating in exceptional circumstances, it’s crucial your organisation informs individuals about their rights in relation to their personal data. The GDPR provides the following rights for individuals:
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data.
- The right of access – Individuals have the right to access their personal data and any supplementary information. They can request a copy of all information held on them and it should be provided free of charge and within one month of the request being lodged.
- The right to rectification – Individuals can request that any inaccurate personal data is rectified.
- The right to erasure – Individuals can request to have their personal data erased. The right to erasure is also known as the right to be forgotten.
- The right to restrict processing – In certain circumstances, individuals can request that further processing of their data is restricted. When the processing is restricted, you have permission to store their personal data but not use it.
- The right to data portability – Individuals can obtain and reuse their personal data for their own purposes across other services.
- The right to object – Unless there are legitimate reasons for processing an individual’s personal data, they retain the right to object to processing.
- Rights in relation to automated decision making and profiling – The GDPR has provisions on automated individual decision making. This reduces the risk of any adverse decisions being made without human intervention.
If your organisation has implemented symptom checking or testing, there are additional requirements you will need to follow. These include identifying a lawful basis for using the information you collect and conducting a DPIA if health data is being processed on a large scale.