However, there is some good news for organizations struggling to cope with this challenge.
Organizations Must Follow GDPR
Lawmaking authorities across the EU have posted guidance on how organizations should follow the GDPR during the COVID-19 pandemic.
They have acknowledged that it is not possible to extend the compulsory requirements of the GDPR, as it has become law. Since regulators know the challenges organizations are facing, they will not impose any penalty if organizations cannot comply with the law.
It is possible to respond to DSARs (Data Subject Access Requests) in stages. If the employees responsible for handling the requests are working from home, they can still communicate with the relevant authorities about the steps that need to be taken.
If a problem prevents employees from performing a step, they should document the problem when responding to the DSAR.
One example where this rule can apply is when personal information exists in physical form in the office. In this case, employees are not required to go to the office to acquire the data, as their physical safety should be the number one priority during the COVID-19 pandemic.
Instead, organizations can leave this data for the time being and inform the data subject of the reason.
When the restriction on traveling is lifted, employees shall go to the office, follow up on the data, and provide copies of any physical data they have.
Extended DSAR Deadlines
Organizations have another option: they can extend the DSAR deadline by up to one month. The GDPR states that, upon placing a request, organizations can ask permission for an extra month to provide the necessary information to the concerned authorities.
Whatever procedure organizations follow, they have to document the reason behind it and let the data subject know. The DSAR must be reported to the concerned authorities now or later.