ICO puts its foot back on the gas after a pause for Covid-19

1st October 2020 | ICO

In an open letter published last week, the ICO have taken ‘another step towards returning to their approach pre Covid-19’.

The ICO updated its regulatory approach in April 2020, when we were in the full force of the initial shock and repercussions of the pandemic. They updated it again in June 2021 to adapt to this ever-developing challenge. These updates allowed for more leniency.

However, it is a balancing act for the ICO. As an independent regulator, their role is to act in the public interest, so, as Elizabeth Denham, the Information Commissioner, explains, their approach has always been to be ‘pragmatic and proportionate’.

They need to balance the strains on companies, caused by the ongoing coronavirus pandemic, against people’s information rights.

This latest update to their approach is another step towards returning to pre-Covid levels of expected compliance, albeit still with some caveats.

The ICO states categorically that they will ‘focus their efforts on the most serious risk and greatest threats to the public’.

We have pulled out the main points from the open letter below, for your convenience, but we do recommend that you have a look at the complete text of the open letter >>here<<.

If you need any help interpreting what this means for you and your organisation, you are welcome to >>book a complimentary 30 minute zoom consultation<< with one of our data protection specialists.

What you need to know from the latest open letter from the ICO:-


  • The ICO will take firm action against those looking to exploit the public health emergency through misuse of personal data.
  • The ICO will be flexible in their approach, taking into account the burden on the individual organisation.
  • The ICO will continue to develop further regulatory measures aimed at supporting economic growth and recovery.
  • Where organisations have a backlog of complaints, the ICO expects them to have ‘robust recovery plans in place to ensure they reduce these backlogs within a reasonable timeframe’.
  • Personal data breaches must be reported to the ICO within 72 hours of the organisation becoming aware of the breach.
  • In deciding whether to take formal regulatory action, the ICO will ‘consider whether the organisation’s non-compliance results from the coronavirus pandemic’.
  • The level of fines might be reduced, dependent upon circumstances.
  • The ICO ‘expects organisations to appreciate the ongoing importance of proper record keeping during a period that will be subject to future public scrutiny’.


Overall, what the letter is saying is that whilst they will still be fair to organisations, they won’t allow the pandemic to be used as an excuse for poor performance as far as complying with data protection legislation is concerned. Although the ICO have a balancing act to do, this letter is a shot across the bows of organisations. You can’t blame non-compliance on Covid-19 unless you have a genuine reason to do so.

If you need some help at this confusing time, or if you don’t have the in-house resources you need, please do get in touch. Book a no-obligation, complimentary Zoom consultation and one of our data protection specialists will be delighted to help.

Call: +44 (0)1673 88 55 33

Email: [email protected]
