COVID-19 and GDPR Obligations for Businesses

COVID-19 and GDPR Obligations for Businesses

At the start of 2020, none of us could have predicted that a pandemic would accelerate itself across the globe so rapidly. But COVID-19 is definitely global and has definitely affected individuals and businesses worldwide.

As we remain in the thick of epidemic, let’s take a look at what businesses need to know about managing access to data requests, while ensuring that they continue to implement appropriate measures to meet GDPR requirements.

Adapting to COVID-19

As coronavirus has made its way across the globe, seemingly overnight, businesses have had to adapt in order to remain afloat and avoid closure. Meanwhile, they have also had to adapt to ways to safeguard the wellbeing of their employees and customers.

Businesses are now facing data protection and compliance challenges as a result of the pandemic. Further, they have had to put new or revised measures in place to tackle the threat of cybersecurity.

So many changes have abruptly taken place, but what’s important is that businesses put the right measures in place to ensure data is properly protected when handled by employees working from home.

Managing Data Subject Requests

Although authorities cannot extend legal timescales when it comes to responding to requests from individuals (as set down by the GDPR law), they do acknowledge that delays will inevitably arise as a result of the impact of COVID-19.

Businesses are being advised to communicate with their clients and explain that during this time, delays may occur when making information rights requests.

Sharing Data with Governments

According to the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), companies should work with governments by sharing anonymous data in order to fight the spread of the epidemic.

Lawfulness and Truth

When processing personal data, businesses must ensure they abide by the principles of data protection. Complete records of actions taken should be kept, as well as the lawful grounds used to justify them. Further, the records should outline the steps taken to be open and honest with the individuals in question. 


In accordance with GDPR, employees must be informed – in a transparent manner – if any of their data has been shared with public health authorities. Collection and sharing of personal data should only be shared on a ‘need to know’ basis, as the more personal data that is collected, the greater the risk in terms of data protection and privacy. It is also advised to inform employees before their information is shared.


Minimisation is a crucial component when it comes to data processing. Businesses should not process more data than what is necessary for the purposes outlined by the relevant authorities.

If aggregated or anonymised data is adequate, then organisations should not reveal the identities of the individuals in question.

Has your Business Adjusted?

Protecting your business, your employees and your clients is essential during the COVID-19 pandemic. If you’re seeking assistance with COVID-19 and GDPR obligations and compliance, contact EWM.

Want read more?

Related posts.



Call us