COVID-19 and GDPR: Organizational Considerations for Business Continuity of Privacy Compliance Programs

Businesses are facing new and exceptional challenges in connection with the COVID-19 outbreak. In times of uncertainty, ensuring the ongoing availability of resources within an organization is important to limit disruption to daily business operations and maintain appropriate internal governance. This article discusses key steps businesses may consider taking to ensure the business continuity of their privacy compliance programs during the COVID-19 pandemic.

Leadership and oversight

To handle a crisis effectively, it is important that senior leadership and their support functions remain available and that there is a back-up plan in case they cannot continue their oversight. These essential parties and functions can include the general counsel office, the chief privacy officer’s team, the data protection officer’s team, the incident response team, and procurement and vendor management functions.

In addition, employees should know who to contact for data protection review of products and services in the event key individuals or the data protection officer become unavailable.

Organizations should consider maintaining an inventory of leadership and senior management with data protection responsibilities, relevant review teams, their current contact details, availabilities, replacements, and the media where key business information and correspondence are stored, in case someone becomes temporarily unavailable. This will help with obtaining approvals, issuing notifications and making decisions regarding the processing of personal data in connection with product updates or employee privacy issues as business operations continue amidst the pandemic.

Accountability and escalation process

While employees are working from their home offices and business meetings are held remotely, the company’s accountability with respect to the processing of personal data should not fall through the cracks.

For example, knowing how and by whom data protection impact assessments (DPIAs) will continue to be conducted and having in place a process for maintaining records of current data processing activities are both important. Furthermore, the relevant teams should know how high-risk privacy matters should be escalated internally if required for making decisions during an emergency event.

Data subject requests

Companies likely will continue to receive requests from data subjects exercising their data protection rights under the GDPR, such as their rights of access to or deletion of their personal data. From an operational perspective, it is important to consider how the company will handle data subject rights requests during the pandemic.

The GDPR requires companies to assess and respond to such requests within one month of receiving the request, but it permits an extension by two further months where necessary, taking into account the complexity and number of requests. If an extension is required, the company should communicate the reason for requesting the extension to the data subject and document the reasons the company is unable to meet the statutory timelines.

At this time, data protection authorities generally seem to understand the challenges companies currently are facing in trying to handle business operations during the COVID-19 outbreak, which may require diverting resources to prioritize other areas. Although some data protection authorities (e.g., UK, Ireland) have issued statements in support of the understandable delays individuals may experience when dealing with organizations that are at the frontline of fighting the pandemic (for example, health care providers and government departments), the authorities are not able to extend statutory timescales.

As a result, companies facing issues in responding to data subject requests should consider implementing a pragmatic plan based on available resources to provide information in phases where possible and to request an extension, where necessary and appropriate.