With thousands of lives lost or at stake, rising unemployment levels, mobility restrictions and stumbling oil prices, we are now also in a global economic downturn. Governments and banks have announced various support schemes for households and businesses. Entrepreneurs, directors and management teams must set the overall operational strategy to combat the effects of the virus. They must consider their businesses’ supply chain and, if not already, contact their suppliers and enquire about their risk exposure and contingency plans, in case of supply disruptions.
The impact will be significantly different according to the industry or sector concerned. For instance, a substantially harder hit should be further expected particularly in the foreseeable future by businesses in the tourism, leisure, accommodation, and food and beverages sectors. Individuals and organisations alike need to swiftly assess and mitigate losses as well as risk, and consistently evaluate decision-making to progress their business. It is crucially important however particularly during this crisis that sustainable initiatives are taken across all levels.
The EU General Data Protection Regulation (“GDPR”) substantially changed data privacy rules. By now organisations in the EU or organisations outside the EU which process personal data of EU residents should be in a position to demonstrate that they fulfill the necessary requirements for compliance.
Covid-19 and GDPR
We are already witnessing an unprecedented processing of different types of personal data including sensitive data by public authorities and private organisations due to the coronavirus outbreak.
It is noteworthy that normally under GDPR consent would be required for the purpose of processing sensitive data, however exceptions are provided, as set out below.
Therefore, data controllers and processors must ensure the protection of the personal information of the data subjects.
“Personal Information” means any information that can be used to identify an individual or that we can connect to a person. Such Personal Information does not consist of anonymous data.
European Data Protection Board Statement
On 19 March 2020 the European Data Protection Board adopted its statement on the processing of personal data in the context of the Covid-19 outbreak.
By way of summary, please note as follows:
You can find the full version of the EDPB announcement at https://bit.ly/3dGqxxf.
Given the focus of the GDPR on accountability, a Data Privacy Impact Assessment should be carried out by organisations in certain circumstances in order to evaluate if specific processing may entail a high risk for the rights and freedoms of individuals.
It is particularly important for organisations to increase awareness through training of all stakeholders involved and to assess if they should appoint a Data Protection Officer (“DPO”) and set up a Privacy Office. The DPO should be able to provide to the organisation day-to-day independent advice in relation to the GDPR.
Of course the competent regulatory authority plays a crucial role in implementation and enforcement of the GDPR and corresponding national legislation as well as respective guidelines, and should be consulted as appropriate.
RELATED INSIGHTS FROM OUR DATA PROTECTION PRACTICE GROUP
OUR DATA PROTECTION PRACTICE GROUP
Our firm helps SMEs and large organisations in a wide range of sectors to comply with the GDPR and national legislation.
Our associates focus on technology and cybersecurity aspects to cover all angles of the necessary exercises, in line with the rapid shifts in technological disruption.
Please do not hesitate to contact us if you require further information or support on such matters.
Data Protection Law Firm of the Year in Cyprus: 2020 Global Law Experts 11th Annual Awards