GDPR Obligations During A Pandemic

Dylan Loughlin

What is GDPR?

The Data Protection Act 2018 currently governs data protection in the UK, as well as the General Data Protection Regulation (GDPR). These laws are to ensure that organisations have the appropriate measures in place to gather, store, and use individuals’ personal data. Data protection law is complex, so employers may want to contact a member of Copacetic Business Solutions at for more advice about the legal ramifications if these regulations are not adhered to, such as risk of reputational damage, potential prosecution, and fined.

Data protection issues in the time of coronavirus.


Whenever an organisation creates new ways of working (including home working) it puts data, including sensitive data, at greater risk. During the pandemic, remote working has become a necessity for many. Employers should adapt data protection policies if needed, address security risks and data compliance, establishing strict access rights and encrypting data. Data protection and cyber security experts may provide guidance on how to protect and process data correctly whilst staff work from home. Also, employers should ensure that employees understand their own rights and obligations under data protection law.

How long should documents be retained?

When retaining any information, you should remember that, under the Data Protection Act, you must not keep data any longer than is necessary for a particular purpose. You need to:

  • Review the length of time you keep personal data.
  • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it.
  • Securely delete information that is no longer needed.
  • Update, archive or securely delete information if it goes out of date.

Our retention of records information provides a breakdown of how long records should be retained. Available upon request.

Data protection at work

There are some key themes that employers should be aware of:


Organisations must demonstrate that employees were informed of the purpose and use of their personal data and given a clear explanation of how it will be treated.

Employers must record the grounds on which they will be processing each separate category of employee data.

Lawful processing

Organisations may process personal information lawfully and comply with the company’s employment contract or legal obligation and protect the legitimate interests of their employer or a third party.

Job references

Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation who obtained the reference (the prospective employer).

Email and internet

Organisations need a comprehensive internet, social media and communications policy governing permitted data use including email and internet issues. Providing staff with smart phones, laptops, tablets, or USB devices has data protection implications, as can working from home including use of employees’ own devices.

Information may be at risk if there are inadequate security measures. An effective policy must cover permissible work use of all devices. Monitoring should not be intrusive, for example using traffic data (about the routing, duration, or timing of messages) rather than accessing email content.

Sharing and transferring personal data

Third parties, such as payroll providers, external HR, and recruitment agencies process employee data. The employer must ensure the third party is data protection compliant and:

1. Clarify the information needed and why, and what the receiving organisation will do with it.

2. Only share essential data.

3. Anonymise or pseudonymise the data.

4. Check contract terms with third parties are GDPR compliant.

5. Check the relevant requirements for overseas transfers of data.

Data security

Data security must be appropriate to the processing risks. The organisation’s size, the nature of information processed, and the potential harm from security breaches are all relevant.

In addition to clear policies covering security incidents, organisations should:

  • Carry out risk assessments of data systems and act on the results.
  • Maintain up-to-date security systems (for example, using firewalls and encryption technology).
  • Restrict access to personal data to those who need it.
  • Train staff on data security.
  • Review data security regularly.

Going forward – Action Plan for Employers

Organisations should:

  • Appoint a data protection officer to cover all aspects of information including DPA and Freedom of Information Act compliance.
  • Audit information systems to find out who holds what data, and why.
  • Consider how data is used, and issue guidelines for managers about how to manage data.
  • Ensure that all information collected complies with the DPA and GDPR.
  • Check the security of information stored.
  • Check the transfer of data internationally.
  • Check the organisation’s use of automated decision making.
  • Review policies and practice for example for references and the private use of telephones, email, and post.
  • Monitor data compliance on an ongoing basis.

The Freedom of Information Act 2000 gives members of the public a general right of access to recorded information held by public authorities, including Invest Northern Ireland.

Carrie Wilson, People Consultant