Data protection in the United Kingdom is currently governed by the Data Protection Act 2018 (DPA). The DPA was adopted into the UK’s national legislation while the country was still part of the European Union. It was originally drafted as a supplement to the EU’s General Data Protection Regulation (GDPR), which the UK was obliged to comply with at the time.
Under the European Union (Withdrawal) Act 2018, the text of the GDPR was added to the DPA as a single regime for general processing activities and integrated into UK domestic law to remedy any potential deficiencies arising from the UK’s departure from the EU.
The Information Commissioner’s Office (ICO) is the UK’s independent body tasked with upholding information rights and enforcing DPA compliance. The ICO has been one of the most active Data Protection Authorities in Europe, issuing some of the biggest GDPR fines to date, involving a number of major organizations. In October 2020, the ICO fined British Airways a record-breaking £20 million after it ruled the airline had failed to protect their customers’ personal data. Hotel chain Marriott was fined £18.4 million for the same reasons.
As the COVID-19 pandemic swept the world, the ICO temporarily paused some of its investigations as it refocused its attention and resources on how best to address the new challenges faced by the general public and their sensitive data. It created a Data Protection and Coronavirus Information Hub and issued a series of guidance documents for organizations about remote work and its updated regulatory approach in response to the pandemic. Let’s take a closer look at what these mean for businesses and their compliance efforts.
Greater leniency
The good news is that the ICO has emphasized that it will be adopting a more lenient approach to enforcement, taking into account the context organizations are currently operating in and the potential burdens they might face in navigating the present situation. This means that, in accordance with its Regulatory Action Policy, the ICO will consider economic impact and affordability before issuing fines, which will likely lead to lowered fines.
However, that does not give companies a license for noncompliance. The ICO warned that any organizations looking to exploit the public health emergency for their own benefit will be met with firm action on its part.
When deciding whether to take formal regulatory action, the ICO will also take into consideration whether the noncompliance resulted from the COVID-19 pandemic. When a data breach occurs, organizations will be given more time to put things right if the pandemic has impacted the organization’s ability to take steps to rectify the situation and the delay will not cause further risks to the public.
Data breach notifications are still mandatory
The COVID-19 pandemic does not absolve companies from reporting data breaches when they occur. In fact, organizations are still required to notify the ICO within 72 hours after they become aware of a breach.
Devices used while working from home
The ICO dedicated an entire section of its recommendations for organizations to the different approaches companies can adopt when it comes to the devices employees use while working from home. These are: using a company-issued device, which is deemed the most secure option; using a personal device that runs company software for work; and using a personal device directly.
The ICO urges organizations to consider the security risks of each option and put mitigation measures in place to avoid data breaches. These include issuing security guidance to employees, covering advice such as keeping software up to date and choosing strong passwords. Employees should also be able to report data breaches internally when they affect devices used for work.
When it comes to company-owned devices, the ICO recommends ensuring that devices can be supported and updated remotely and putting in place mechanisms, such as Data Loss Prevention (DLP) solutions, that prevent data from being transferred off a device. DLP tools can also help organizations prevent personal data from being copied onto insecure personal storage devices such as USB sticks.
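To make the last point concrete, here is a small content-inspection gate of the kind a DLP agent applies before a file leaves an endpoint. It is an added example written for this article, not code from the ICO or from any DLP product: it scans a file's text for two personal-data indicators (email addresses and a simplified UK National Insurance number pattern), masks anything it finds so the findings can be logged safely, and refuses the transfer when the destination looks like removable media. The removable-media prefixes, the sample CSV export and the pattern set are all assumptions made for the example.

```python
"""Toy DLP-style check: block copies of personal data onto removable media.

Added example for illustration; the patterns, mount prefixes and sample
data below are constructed assumptions, not the ICO's or any vendor's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Personal-data indicators this toy looks for. The NI pattern is a
# simplified approximation of the real format (two letters, six digits,
# one suffix letter A-D); a production DLP rule set would be far richer.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
    ),
}

# Destination prefixes treated as removable/insecure media (assumption).
REMOVABLE_PREFIXES = ("E:\\", "F:\\", "/media/", "/Volumes/")


@dataclass
class Finding:
    kind: str      # which pattern matched
    line_no: int   # 1-based line in the scanned text
    sample: str    # masked match, safe to write to an audit log


def mask(value: str) -> str:
    """Keep the first two characters and mask the rest."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text: str) -> list[Finding]:
    """Return every personal-data indicator found in the text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, mask(match.group(0))))
    return findings


def is_removable(dest_path: str) -> bool:
    """Decide whether a destination path is on removable media."""
    return dest_path.startswith(REMOVABLE_PREFIXES)


def evaluate_transfer(text: str, dest_path: str) -> tuple[bool, list[Finding]]:
    """Allow the transfer unless personal data would land on removable media.

    Returns (allowed, findings). Findings are returned even when the
    transfer is allowed so that internal destinations can still be audited.
    """
    findings = scan_text(text)
    if findings and is_removable(dest_path):
        return False, findings
    return True, findings


# Constructed sample export; the values are made up for this example.
SAMPLE_EXPORT = (
    "name,email,ni_number\n"
    "Jane Example,jane.example@example.com,AB123456C\n"
    "Totals,,\n"
)

if __name__ == "__main__":
    allowed, found = evaluate_transfer(SAMPLE_EXPORT, "E:\\customers.csv")
    print("transfer allowed:", allowed)
    for f in found:
        print(f"  line {f.line_no}: {f.kind} -> {f.sample}")
```

Running the block prints a blocked transfer with two masked findings (an email on line 2 and an NI number on line 2). The same file copied to an internal path is allowed but still yields the findings, which is the behaviour an organization wants when it needs an audit trail without interrupting ordinary work.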
In conclusion
While the ICO has taken into account the struggles organizations face under these extraordinary circumstances, it also acknowledges the potential security risks involved in large-scale remote work and has issued guidance accordingly.
While companies can rest assured that the ICO will be understanding if the pandemic has limited their capacity to comply with DPA requirements, willful negligence is unlikely to be tolerated or to reduce penalties. Organizations must therefore continue their compliance efforts to the best of their abilities despite the pressures of a global pandemic.