What do SMEs do if COVID-19 has interfered with their ability to respond to GDPR (General Data Protection Regulation) requests?
The GDPR requires organizations to provide individuals information on actions they have taken on access, rectification, erasure, restriction, portability, objection, and automated decision-making requests within one month of receipt of the requests. That time period may be extended by two further months where necessary, taking into account the complexity and number of requests. The organization must inform the individual of: (1) any extension within one month of receipt of the request, and (2) the reason for the delay.
With the onset of COVID-19, some regulators are being more lenient about responding to the above individual rights requests. The Irish and the UK data commissioners recently recognized that because of circumstances due to COVID-19, organizations may need more time to respond to these requests. ICO Data protection and coronavirus information hub; DPC Data Protection and Covid-19. Resources, whether financial or people, might be diverted from responding to these requests because of COVID-19, and neither the ICO nor the DPC will penalize organizations that are unable to respond to these requests within the time limit set by the GDPR because of COVID-19. Although regulators are unable to extend statutory deadlines, they will take such a lack of resources into account when determining whether to take any enforcement actions.
If experiencing difficulty in responding timely, the DPC suggests responding to requests in stages and providing electronic records instead of hard copy records. In any event, organizations should communicate clearly with the individuals making the request, letting them know what to expect, and should document the reasons for not complying with the timelines.
If your organization needs help in responding to these requests, take a look at GDPRsimple, http://www.keepgdprsimple.com, a technology platform that helps SMEs implement the GDPR and demonstrate their implementation. GDPRsimple contains generators that walk SMEs through responding to these requests and helps them keep track of their responses to these requests.
Most importantly at this time of rapid change, the ICO and the DPC expect organizations to make efforts to comply with the GDPR to the best of their abilities. Blatant disregard of the GDPR will not be looked on favorably when times are more normal. If you would like to talk further about this or other topics, please contact GDPRsimple at info@keepgdprsimple.com.