GDPR during a pandemic
Phil Beckett
European and Middle East Practice Leader, Disputes & Investigations at Alvarez & Marsal
Covid-19 has certainly taken up a large chunk of the news agenda recently, and rightly so. But if you have been watching the news for updates on the pandemic from your lockdown home office, you may well have missed some other news from the back end of last month: 25th May 2020 marked the second anniversary of the application of Europe's strengthened data protection rules, the General Data Protection Regulation, widely known as the GDPR. In this piece, my co-authors, David Witts and Robert Grosvenor, and I discuss GDPR in reference to the Covid-19 crisis and some of the key impacts of the legislation.
GDPR may have been heralded as a directly applicable regulation harmonising data protection rules across the EU (if not establishing a new global benchmark for data regulation), but in reality it is still a framework of principles and rights with little in the way of detail when it comes to technical standards and procedural requirements. As such, most organisations will (at least outside of earshot of a regulator) see it as a long-term initiative which, on a prioritised and risk-based approach, has to address key areas of exposure and low-hanging fruit, whilst still trying to figure out what operational compliance means, often in an environment of continual change and cost control.
The Covid-19 crisis has fast-tracked a lot of digital transformation and new tech implementations, with organisations needing to react to the new environment we are operating in. Organisations need to think and act fast whilst also considering how to incorporate this within their data strategies, associated policies and process change management. Certainly, privacy counsel and DPOs are often at the heart of this and, consistent with the implementation of GDPR, they will require the support of the wider data stakeholders and control functions, with many organisations still struggling with the operational deployment of their GDPR programmes. Likewise, many of them may also be struggling with the practical challenges of adopting new data governance models supported by new or additional roles such as Privacy Leads, Champions, Data Owners and so forth.
Industry groups and bodies will experience the very real challenge of supporting these developments by establishing new codes of conduct, particularly in emerging tech and business areas where there is still a lack of detail. Interestingly, challenges will also be faced when companies (and even industries) have a better understanding of both technology and digitalisation than the regulators do.
The pandemic has also led to a relaxing of some privacy processes to allow for the unique circumstances we have found ourselves in. There is the risk that organisations will continue to adopt this approach as the world returns to a more ‘normal’ state. Organisations will need to ensure that they review all activity which may not have been consistent with GDPR principles, understand what steps need to be taken to rectify any relaxing of standards, and have the evidence to back up this story.
Outside of the EU there are a number of privacy developments, including in India, China, and Central and Southern America, which will have a significant impact on European organisations. This means that CPOs/DPOs are having to start to look again at issues outside of the EU, and at what this means in terms of global baseline standards, management of international data transfers and data localisation rules, and challenges with the adoption of one-size-fits-all migrations to cloud-based data management and services.
Even though GDPR is now two years in, fully understanding and adhering to the legislation feels more important than ever, especially with data flowing more widely. With more people working from home, more business being performed online rather than in person, and indeed more data being shared as Governments relax (and in fact encourage) firms to share data to ensure that public services are maintained, getting GDPR right is going to be more important than ever.
Words by: Phil Beckett, David Witts and Robert Grosvenor
Founder I Employment lawyer I Entrepreneur I Legal advice & HR support for businesses
4 years ago: Thanks for the reminder, Phil. Seems like a lifetime ago! It is still the case that people misunderstand and underestimate the impact of #GDPR