Skip to content

ICO Updated Document On Regulatory Approach During The Pandemic

The ICO has updated its document setting out the Regulatory Approach it will take during the pandemic. The updated document can be accessed HERE

Throughout the pandemic, the ICO has stated that its aim was to clearly explain that they were committed to being a pragmatic and empathetic regulator whilst at the same time reiterating the important role that people’s information rights would continue to have.

The ICO has recognised that the challenges presented by the pandemic have not gone away. However, they have recognised that more and more organisations are adjusting to its circumstances and returning to offer the transparency around data protection.

The ICO has reaffirmed its commitment to taking an empathetic and pragmatic approach and has stated that they will be focusing on issues of greatest risk. This will be demonstrated by ICO taking action including the following:

  • Focussing their efforts on the most serious risks and greatest threats to the public.
  • Assisting organisations by providing advice and guidance on data protection laws and how to meet their obligations in response to new requirements and initiatives.
  • Taking firm action against those looking to exploit the public through nuisance calls or by misusing personal information.

Under Regulatory Action the ICO said that they will continue to act proportionately and in line with the ICO’s Regulatory Action Policy

This means that:

  • Organisations should continue to report personal data breaches, without undue delay and no later than 72 hours of the organisation becoming aware of the breach.
  • The ICO will prioritise investigations that present the greatest harm to the public. Where investigations are conducted, they will seek to understand the individual challenges faced by organisations and will consider the impact and the present economic situation on the organisation.
  • The ICO will continue to take a strong regulatory approach against any organisation breaching data protection laws aimed at taking advantage of current circumstances
  • As set out in their Regulatory Action Policy, before issuing fines they consider the economic impact and affordability.


The ICO clearly wants to provide a supportive role but as the pandemic has now lasted over a year, the ICO’s expectations on organisations to ensure privacy rights are protected, would appear to be tightening up.