While the global business environment continues to experience significant disruption surrounding the COVID-19 pandemic, data privacy regulations still apply. Several supervisory authorities and regulatory bodies in the European Union published notices and guidelines around how businesses complying with the General Data Protection Regulation (GDPR) may be affected during the COVID-19 pandemic.

GDPR guidelines highlight potential compliance impacts during pandemic

Responding to data subject requests: While the timeframe requirements cannot be modified, there is understanding that competing business priorities may delay prompt responses. If your organization foresees delays in this area, consider placing a notice where possible, or following the existing guidance that allows for up to a two-month extension if the data subject is notified of the reason for the extension within the first 30 days.

Security of processing and teleworking arrangements: Wherever feasible, implement the same types of security measures for teleworking as would be in place under normal working circumstances. For example, require work to be performed on the company virtual private network (VPN) instead of public and/or home Wi-Fi connections. Data protection officers should pay particular attention to the use of any new tools, such as video conferencing software, used to support the new telework arrangements.

Employees and COVID-19: If an employee contracts COVID-19, the GDPR does not prevent organizations from notifying other staff; however, they should be prudent about the amount of personal information that is truly necessary to share and the scope of recipients of that information. Similarly, organizations should only collect strictly necessary personal information from an employee who is experiencing symptoms or has been diagnosed positive.

Steps to take now

Take a reasonable and pragmatic approach to compliance during this pandemic. Continue to apply the basic principles of the GDPR, especially around processing any new personal information that may arise, and consider documenting your justification for this new collection, use and/or disclosure.

For more information, or to discuss how we can help your organization address your privacy concerns related to COVID-19, contact our team.
