GDPR, Subject Access Requests, and Coronavirus/COVID-19

How does COVID-19 impact on your GDPR rights and obligations?

The Coronavirus/COVID-19 pandemic has caused problems in all areas of life, including difficulties in responding to data subject requests.

The Irish Data Protection Commission (DPC) has issued guidelines, whilst pointing out that the timelines for responding to requests have not changed.

Advice for Individuals

The DPC outlines that members of the public should be aware, and appreciative, that frontline and critical services organisations such as healthcare providers, government departments (in particular the Department of Employment Affairs and Social Protection), Revenue and local authorities may need to divert resources and to prioritise work areas. This channelling of resources will have an impact on other areas of these organisations' work, such as handling access requests.

The closure of schools, universities and other private sector organisations has further compounded the difficulty in processing data access requests. On this basis, the DPC has asked the public to bear these factors in mind if an access request is not processed in the requisite time. These are unprecedented times that call for unprecedented understanding.

Problems for Organisations/Data Controllers

The DPC has acknowledged that many organisations, especially those on the frontline and/or providing a critical service, may need to divert resources to priority work areas. The diversion of work resources will impact other areas such as processing access requests. With regard to the regulatory requirements set out by statute that deal with the same, the DPC is alive to and aware of these challenges and is proposing a proportionate regulatory response to these extraordinary circumstances.

The main point is that organisations experiencing delays in responding to access requests should, where possible, notify the data subject of the delay or possible delay in processing their request for data. This also includes an extension for a period of two months to respond to an access request; this extension is provided for by the GDPR.

Another option open to organisations would be to respond to access requests in stages. If this is an option open to an organisation, the DPC implores organisations to communicate clearly with the individuals concerned.

Finally, where an organisation, due to the impact of COVID-19, cannot respond to a request either in full or in part, that organisation remains under an obligation to comply with the request and to action it as soon as reasonably possible.

Organisations must note that the statutory obligations to comply with access requests cannot be waived. However, if an individual complains to the DPC regarding an organisation's failure to comply with a DSR, the Commission will assess the specific extenuating circumstances that led to the initial delay.

Conclusion

The Data Protection Commission encourages organisations to document their reasons for not complying with the timelines set out by statute.

If an organisation feels that it will not be able to deal with a subject's access request within the statutory timeframe, the organisation should properly communicate these reasons to the data subject.

Finally, even though the GDPR does not allow statutory timelines to be waived, the DPC will take into account the extenuating circumstances surrounding the delay in delivering the access request.

You can read the statement/advisory from the Office of the Data Protection Commission here.