Client Alert: ICO issues regulatory approach to data protection and COVID-19

Client Alert: ICO issues regulatory approach to data protection and COVID-19


The UK’s Information Commissioner’s Office (ICO) has just released new guidance about its regulatory approach to COVID-19. This article sets out the highlights.

What’s this all about?

In light of challenges faced by organisations because of COVID-19, the ICO has issued a statement entitled ‘How we will regulate during coronavirus’ (‘the statement’) accompanied by guidance entitled ‘The ICO’s regulatory approach during the coronavirus public health emergency’ (‘the guidance’).

The statement

The theme of the ICO’s approach is set out in the statement where, amongst other things, the Commissioner says the following:

  • “We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach. […] A principle underpinning data protection law is that the processing of personal data should be designed to serve mankind. Right now, that means the regulator reflecting these exceptional times, and showing the flexibility that the law allows.”

The guidance

The guidance states that the ICO is “committed to an empathetic and pragmatic approach, and will demonstrate this through [its] actions” including focussing its “efforts on the most serious challenges and greatest threats to the public” and taking “firm action against those looking to exploit the public health emergency […] by misusing personal information”.

In a list of issues under the heading “Engagement with the public and organisations” the guidance states that, amongst other things, the ICO:

  • “[…] will review the economic and resource impact of any new guidance. We will delay any specific guidance that could impose a burden that diverts staff from frontline duties, except where it is needed to address a high risk to the public”; and,
  • “When handling the public’s complaints about organisations, our approach will take into account the impact of the crisis. This may mean we resolve the complaint without contacting an organisation, for example if it is focussing its resources on the coronavirus frontline, or that we give it longer than usual to respond or to rectify any breaches associated with delay if it is recovering its service and gradually improving timescales.”

Under the heading “Regulatory action” the guidance states that the ICO will “[…] continue to act proportionately, balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking into account the particular challenges being faced at this time” and lists the following:

  1. “Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.
  2. When we conduct investigations, we will act knowing there is a public health emergency and seek to understand the individual challenges faced by organisations. We will take into account the particular impact of the crisis on that organisation. This may mean less use of formal powers that require organisations to provide us with evidence, and allowing longer periods to respond. We also expect to conduct fewer investigations, focussing our attention on those circumstances which suggest serious non-compliance.
  3. We will take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis.
  4. We have stood down our audit work, recognising the economic impact on organisations and the travel and contact restrictions now in force.
  5. In deciding whether to take formal regulatory action, including issuing fines, we will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right.
  6. All formal regulatory action in connection with outstanding information request backlogs will be suspended.
  7. As set out in the Regulatory Action Policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduces.
  8. We may not enforce against organisations who fail to pay or renew their data protection fee, if they can evidence that this is specifically due to economic reasons linked to the present situation, and provided we are adequately assured as to the timescale within which payment will be made.
  9. We will recognise that the reduction in organisations’ resources could impact their ability to respond to Subject Access Requests, where they need to prioritise other work due to the current crisis. We can take this into account when considering whether to impose any formal enforcement action.”

What is the guidance in other countries?

We have looked at guidance in more than 35 other countries in our Coronavirus (COVID-19) & Data Protection FAQs. The FAQs also have guidance on a wide range of related topics including working from home. You can read that guidance here

What does this mean for existing cases?

As we’ve said before the ICO has a number of big investigations on at the moment. We’ve already written about the delays in the British Airways and Marriott data breach investigations (see here We’re now expecting news of the BA investigation in May and the Marriott investigation in June. Given the struggles both organisations face currently, as we’ve said previously, it might well be the case that we’ll see significant reductions in the eventual fines for both companies from the headline figures in last year’s Notices of Intent.

What are the takeaways?

Although the ICO may appear to be adopting a more flexible approach to regulatory action because of COVID-19, despite the significant challenges that many organisations are currently facing, this doesn’t mean that they should relax too much – the ICO’s latest guidance is not a get-out-of-jail card. Most notably, organisations should still aim to notify data breaches within 72 hours (and in the process also avoid risking sanctions for late notification) and also communicate breaches to affected individuals without undue delay; don’t forget that there are also other issues at stake including reputation. Organisations should always bear in mind that guidance is only guidance – in a given matter the ICO might adopt a different approach, as also might a court. Finally, the guidance also serves as a reminder of the legal requirement for organisations to register with the ICO.


Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:

  • Detailed guidance on the security aspects of GDPR in paper and on film;
  • A template data breach log;
  • A template data breach plan; and,
  • A template data breach reporting form.

For information about our Breach Navigator tool please see here:

The ICO’s statement and guidance can be found here:

We report about data protection issues here:

For more about GDPR please also see our GDPR FAQs which can be found here: and our Data Protection Glossary which can be found here:

For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.

Related Articles:
Latest Articles:
About the author:

Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counselled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multi-national corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).

Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and appeared on BBC News 24 as the studio guest on the Walport Review.

In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, the Middle East and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology, risk and governance matters for more than 20 years. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.

Jonathan is a Solicitor of the Senior Courts of England & Wales. In addition Jonathan is admitted as a Solicitor (non-practising) in Ireland.