If you didn’t have enough to think about, GDPR is back in the news, with the ICO making clear that Covid 19 is not an excuse to relax compliance. Worst still, cyber criminals know the pressures businesses are facing and have taken full advantage, with some big-name casualties.

The ICO have expressed their intention to be more considered in taking action against any breach, promising a flexibility in its approach and the penalties it enforces. But it warns that they will continue to take firm action against any organisation looking to exploit the crisis. The message is clear, they’ll be understanding but won’t tolerate abuse.

The key take out is that the ICO will make allowances for businesses who are doing their best to meet obligations, but ‘Rules are Rules’ and they will still apply. Reporting is one area where its expected to be more tolerant, recognising the potential for reduced staffing and critical resources. Key areas of temporary change are:

1. While reporting remains 72 hours, there will be an allowance made for reasonable delays.
2. The ICO will reduce the demand to compel organisations to provide evidence and have stopped its audit work
3. Penalties and enforcement action will take into consideration whether Covid 19 was a contributing factor
4. Affordability will be applied to any financial penalty.
5. More time will be given to rectify and remediate breaches that pre-date the crisis.