Hello from the Privasee team. We hope that you and those close to you are well, and that the current situation eases shortly.
The ICO has set out regulatory guidance on data compliance during Covid-19. This blog post addresses two areas of that guidance and their implications for SMEs in the UK.
Where do regulators stand?
The ICO is taking an “empathetic and proportionate” regulatory approach towards data practices during the pandemic. This means that they understand other concerns may take precedence over data governance should resources become scarce. However, the ICO will measure practices against a proportionality test - “balancing the benefit to the public of taking regulatory action against the potential detrimental effect of doing so, taking account of the particular challenges being faced at this time”.
This also means that the accountability principle still needs to be complied with. For SMEs, this means “ensuring a good level of understanding and awareness of data protection amongst your staff; implementing comprehensive but proportionate policies and procedures for handling personal data; and keeping records of what you do and why”. The required document to maintain is a Record of Processing Activities (ROPA), which sets out:
- Where the data is located within the company, both within the UK and abroad;
- What type of data is being stored (and under which processing grounds);
- Whose data is being stored;
- How long the data will be stored for;
- A policy detailing how requests from data subjects (data subject access requests) are handled.
The ROPA will contribute to your organisation’s completion of the Data Protection Impact Assessment (DPIA) as the DPIA should be regularly updated to be in line with your organisation’s data management techniques and evolving practices. This document will directly demonstrate how you maintain compliance during Covid-19 and how you are managing issues as an SME.
The ICO provides a DPIA template that can be used, but at a minimum a DPIA should include:
- the activity being proposed;
- the data protection risks;
- whether the proposed activity is necessary and proportionate;
- the mitigating actions that can be put in place to counter the risks; and
- a plan or confirmation that mitigation has been effective.
What about COVID-19 specific data?
It is likely that the data you collect in relation to Covid-19 will fall under “personal data” and “special categories of personal data”. The collection of such data should thus comply with the relevant articles under the GDPR, such as the grounds for processing activities, and a ROPA is the best way to manage such risks.
This is because SMEs should first establish the minimum amount of data that needs to be collected to meet their purposes. Your organisation may not know how much (or how little) data to collect, so your DPIA should give you a benchmark for the type and amount of data that needs to be processed (data minimisation). For example, asking questions with straightforward answers is better than asking open-ended ones: open-ended questions give data subjects the opportunity to describe Covid-19 related issues in detail and potentially disclose data about other family members, or about matters outside the current purposes for collecting their data. Such data points would then need to be managed later on, increasing the strain on your organisation in the long term.
This is another key reason why a ROPA should be kept and a DPIA conducted beforehand: it reduces the time that would otherwise be spent going through various data records and evaluating whether too much data has been collected.
Summary
Overall, the new regulatory perspective taken by the ICO is one of empathy and proportionality. Having an easy-to-view ROPA that eases the strain of conducting DPIAs before formal data collection will therefore strongly support your SME during Covid-19. It will help you understand from the outset how much data needs to be collected, which in turn reduces the risk of data mismanagement in the future. Once this mechanism has been established, your SME can carry these data compliance practices forward beyond the pandemic.
Disclaimer
Privasee does not hold the above article to constitute legal advice in any form.
More information can be found on the ICO website.
Sources and other articles
- https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf
- https://www.whitecase.com/publications/alert/covid-19-and-data-protection-compliance
- https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/