GDPR 2 Years On: Board and Leadership Priorities


Companies and organisations have had four years to implement the EU’s General Data Protection Regulation (GDPR), since it became law in 2016. May 2020 marks two years since enforcement of the law by the EU’s twenty-eight GDPR regulators began. GDPR has transformed global data governance standards and expectations. It has created a new lexicon for data protection, new responsibilities, new rights, new processes, new governance tools and has empowered the Data Protection Officer (DPO). GDPR compliance requires more than generalised assurances of privacy or data security. The requirements can be exacting, and companies and organisations must demonstrate compliance and accountability to prove their competence. The most forward-looking organisations now leverage data protection as a key market differentiator, a trust-building asset and a catalyst for data and cybersecurity innovation. The marketplace and individuals are now placing companies and organisations on an emerging spectrum of data ethics, seen through the prism of privacy by design, security by design, data minimisation, transparency and accountability. There are many lessons for boards and leadership teams and key issues to prioritise.

EU GDPR Regulators, Capacity Building, Enforcement and Fines

The GDPR can only be as effective as the level and quality of enforcement behind it. It required most EU data protection regulators to increase their staff and resources and to change their working practices to absorb the sharp rise in complaints that arrived from May 2018 onwards. Since then there have been few multi-million Euro fines, and some commentators have wrongly concluded that the GDPR has not been effective. The regulators in France, the United Kingdom, Germany, Italy, the Netherlands and Spain have been the most high-profile and active in enforcement, but most of their output has been detailed guidance, legally binding Codes of Practice and strategic positions on new and emerging technologies such as artificial intelligence, adtech, cookies, tracking technologies and privacy by design for children’s online services. Early enforcement has focussed on public sector bodies and smaller organisations. Several regulators operated informal enforcement moratoriums between May 2018 and May 2019 in order to build capacity and reduce their 2018 complaint backlogs, so for some of them there have been only twelve months of proactive enforcement. The over-reporting of low-risk personal data breaches since May 2018 has also diverted much regulator time and resource.

Overall, GDPR regulators have been cautious in issuing high-value fines. When EU-wide enforcement decisions are assessed together, it is clear that they are actively building a body of decisions, opinions, legally enforceable codes of practice and lower-level fines that will increasingly expose GDPR compliance outliers. These will form the basis of future fines and more aggressive enforcement, especially for basic non-compliance and repeat complaints.

The European Data Protection Board (EDPB), which brings together all twenty-eight GDPR regulators, has been under-utilised, although its opinions, consultations and decisions are regarded as offering high-quality GDPR legal interpretation and application. The EDPB’s work has focussed on its own capacity building, on work with other EU institutions and on administering the projects and meetings of the twenty-eight regulators. A change of emphasis towards sharing large and high-profile investigations, continually rebalancing resources to speed up enforcement decisions across all EU regulators and actively supporting the smaller and newer regulators would improve enforcement output. Taking a lead on globally significant cross-cutting issues such as data protection in politics, privacy-invasive technologies, data protection and market competition, and privacy-enhancing cybersecurity could systematically increase GDPR application and reduce individual complaints. The EDPB could make better use of the powers the GDPR gives it to develop its own voice and contribution. Boards and leadership teams should continue to monitor how GDPR regulators are incrementally dictating the rules of the road for data governance and information security, especially for new and emerging technologies. The GDPR decisions of the EU’s highest courts and of the courts of each member state should also be monitored; these decisions can have immediate impacts on business models, data protection risks, supply chain data exposure and market positioning.

Data Protection Officers (DPOs)

Data Protection Officers are one of the GDPR’s most powerful tools. They must report to the highest level of management in the organisation, must be given sufficient resources, must act independently, must be protected from penalty and intimidation, and have a duty to co-operate with GDPR regulators. Individuals can contact DPOs directly, public bodies must appoint them, and their knowledge of the data and security ecosystem and of organisational supply chains makes them unique and formidable net contributors. They can also help to influence and shape data governance, cybersecurity risk appetite and data ethics.

However, there is a shortage of senior DPOs in the EU and around the world. Too many DPOs are not paid as well as they should be, and some lack the required status, influence and respect within their organisations. Often their access to the board and senior leadership team is mediated by unnecessary layers of management and bureaucracy. It is common to find that named DPOs also perform other management roles that conflict with the DPO role and compromise their independence. Many DPOs are not consulted or included early enough in projects for privacy by design work and data protection impact assessments to inform key decisions. External DPOs and Data Protection Officer as a Service (DPOaaS) are growing service offerings, but it will take time to diversify them and provide more innovative solutions. Boards and leadership teams must actively review the position, role and tasks of their DPOs, and analyse their reporting lines, resources and contribution. Guidance from the EU, the EDPB and, where applicable, each of the EU’s GDPR regulators should be incorporated into the organisation to increase GDPR compliance. DPOs must work in close partnership with Chief Information Officers and Chief Information Security Officers. Communication between DPOs, the board, the senior leadership team, the C-suite and operational heads should be easy, transparent, trusting and purposive. DPOs should be acknowledged as key asset guardians, critical friends and enablers.

Privacy by Design and Data Protection Impact Assessments

Before GDPR, Privacy by Design principles were practised mainly in highly regulated sectors and often only in the largest and most innovative organisations. GDPR has democratised these ideas and placed Privacy by Design, Privacy by Default and Data Protection Impact Assessments (DPIAs) firmly in the data governance lexicon. These principles and tools are expected to influence data flows, contribute to the design of new technologies and create a framework for risk analysis, mitigation and review throughout the data life cycle. GDPR regulators are beginning to request evidence of them. In the public sector, government bodies are increasingly expected to publish assessments of their digital transformation projects, smart city initiatives, coronavirus Covid-19 contact tracing apps and facial recognition technology projects. Boards and leadership teams should encourage a culture of data protection impact and data risk analysis, fully engage with these evaluations, monitor their outputs and encourage their supply chains, especially cloud services and emerging technologies, to demonstrate compliance.

Cybersecurity Takes Centre Stage

Information security and cybersecurity expectations were not fully developed in the pre-GDPR EU data protection laws. The GDPR has pulled these topics to centre stage, allowing companies and organisations to address data protection and cybersecurity in a more integrated way. Personal data breach fines, notifications to regulators, notifications to breach victims, cybersecurity requirements for data processors and a clearer risk-based information security analysis based on cost, context, purpose and the state of the art are all GDPR innovations. The power and impact of this is shown in the over-reporting of information security incidents between 2018 and 2019 by many organisations in the EU.

Pseudonymisation, encryption, confidentiality, integrity, availability and testing are all specifically written into the GDPR. Detailed guidance has been issued by various GDPR regulators across the EU, and many provide online personal data breach reporting. The growth of cybersecurity monitoring, real-time reporting and breach incident management software continues. GDPR personal data breaches are widely reported in the media. GDPR has added momentum to existing efforts to publicise the impact of data breaches on organisations’ reputation, share price, consumer trust, user engagement, market share and profits. As a result of this, boards and senior leaders must remain fully engaged with their cybersecurity risk profile and encourage their teams to risk-assess their supply chains, practice data breach drills, purchase effective cybersecurity insurance, apply relevant GDPR regulator guidance, train staff and partners and empower their entire organisations to actively remain within a framework of information security resilience.
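The paragraph above names pseudonymisation among the measures the GDPR writes into its text. The following is an added example (not code from the original article) of what separates pseudonymisation in the GDPR sense, where the data can no longer be attributed to a person without "additional information" kept separately, from a measure that merely looks like it. An unkeyed hash of an email address is deterministic and needs no secret, so anyone holding a candidate list of addresses can reverse it by hashing each candidate; an HMAC under a key held apart from the data set cannot be reversed without that key, yet still lets the controller link records for the same person. The record set, the field names and the attacker model are constructed assumptions for illustration.

```python
"""Keyed pseudonymisation versus a naive hash of a direct identifier.

Added example, not from the original article. The records below are
constructed sample data, not real people.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (assumption: email is the only direct identifier).
RECORDS = [
    {"email": "alice@example.com", "diagnosis": "negative"},
    {"email": "bob@example.com", "diagnosis": "positive"},
    {"email": "carol@example.com", "diagnosis": "negative"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Deterministic and key-free: anyone with a list of candidate identifiers
    can recompute it, so this is not pseudonymisation in the GDPR sense.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' that must be stored separately
    (e.g. in a KMS) from the pseudonymised data set. Without it a guess
    cannot be confirmed; with it the controller can still link records.
    """
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return a copy of the records with the direct identifier replaced."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_dictionary(pseudonym: str, candidates, pseudonym_fn):
    """Attacker model: try each candidate identifier through pseudonym_fn and
    return the first one whose pseudonym matches, or None if nothing matches."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


def demo():
    """Run the three scenarios and return (naive_hit, keyed_miss, keyed_hit)."""
    controller_key = secrets.token_bytes(32)  # held by the controller, separately
    attacker_key = secrets.token_bytes(32)    # attacker does not have the real key
    table = pseudonymise(RECORDS, controller_key)
    candidates = [r["email"] for r in RECORDS]  # e.g. a leaked customer list

    # 1. Naive hash: the attacker recovers the identifier from the candidate list.
    naive_hit = reidentify_by_dictionary(
        naive_pseudonym("bob@example.com"), candidates, naive_pseudonym)

    # 2. Keyed pseudonym, attacker without the controller's key: no match.
    keyed_miss = reidentify_by_dictionary(
        table[1]["subject_id"], candidates,
        lambda c: keyed_pseudonym(c, attacker_key))

    # 3. Keyed pseudonym, holder of the controller's key: records re-linkable.
    keyed_hit = reidentify_by_dictionary(
        table[1]["subject_id"], candidates,
        lambda c: keyed_pseudonym(c, controller_key))

    return naive_hit, keyed_miss, keyed_hit


if __name__ == "__main__":
    print(demo())
```

The design point is that the pseudonymised table retains its analytical value (the same person always maps to the same `subject_id`, and the non-identifying fields are untouched) while the ability to re-identify is concentrated in custody of the key. That key therefore needs the same access control, logging and rotation planning as any other cryptographic secret, and a breach of the pseudonymised table alone remains a lower-risk event than a breach of the raw identifiers.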

GDPR, Global Soft Power and Future Expansion

The GDPR exerts soft geopolitical power, bilateral trade power and is an engine for the international growth of data ethics and security by design. For example, GDPR was a key component in the EU-Japan Economic Partnership (Trade) Agreement in 2019 and the accompanying Japan Data Protection Adequacy Decision in 2019. GDPR and personal data flows are also key themes in the EU-UK Brexit trade deal negotiations taking place in 2020. The key question in Brexit is whether the EU will grant the UK data protection adequacy status or will both sides concede that the UK should be treated as an outsider “third country” for data protection and GDPR purposes. The GDPR has become the global reference point for data protection standards and has inspired new draft laws, updates of established laws and new enactments in Australia, Brazil, California (USA), India, Jamaica, Japan, South Korea and Thailand, with more countries to follow. In the USA, numerous states now have draft laws and the US Federal government also has a range of similar draft laws to consider.

Companies and organisations are actively seeking ways to develop data ethics frameworks for data use and data sharing around the world. GDPR is maturing previously nascent data governance ideas and creating new tools and a language that boards and leadership teams must understand, analyse and implement. After two years of GDPR implementation, the European Commission is not proposing major changes to the GDPR’s legal text. It believes that the law and how it can be applied are sufficiently intuitive and adaptable. EU GDPR policy makers are keen to see the law interpreted and applied to all new and emerging technologies. GDPR enforcement in the form of high impact fines will come. For now, GDPR is not actively expanding in scope, but it is broadening its application while also discreetly consolidating and strengthening its EU and global impact.

High Risk Privacy, GDPR and Data Ethics Impacts of Coronavirus Covid-19


The Covid-19 pandemic introduces new and varied data threats, risks and data ethics challenges, and there is no ideal playbook for responding to them fully. Risk anticipation, identification, analysis, response and mitigation are now centre stage in corporate data governance. Coronavirus has rudely interrupted settled risk appetites in data protection, General Data Protection Regulation (GDPR) compliance, global data privacy and cybersecurity. Focussing on the highest risks is crucial. These include the proliferation of Covid-19 contact tracing applications (apps) and the rapid rise of cybercrime, hacking, scams and cybersecurity incidents. There are now significant encroachments on employee privacy because of teleworking and working from home. The effect of the enforcement of new data privacy laws, and the need to avoid future regulatory scrutiny, are also high-risk concerns.

Contact Tracing Apps and Covid-19 Technologies

The pandemic is a data-intensive medical emergency. To reduce the spread of the virus, rigorous testing, manual tracing and contact tracing apps have been identified as the best ways to combat the disease. Contact tracing apps in China and South Korea often require a lot of personal data, track users, send notifications to the government and make automated decisions about whether a person should remain in quarantine or be allowed to work. Other solutions have focused on Privacy by Design and have invested in privacy-enhancing technologies. Australia launched an app that puts the user in charge of the data collected and how they are shared. Researchers at the Massachusetts Institute of Technology, Stanford, McGill, University College London, Oxford University and elsewhere are pioneering the use of Bluetooth technology, cryptography and minimum-data models. Google and Apple are working with NHSX, the digital arm of the UK’s National Health Service, to launch a contact tracing app. Amid the innovation, key data ethics questions must be answered by all stakeholders. Who will be the data controller? Who will receive and store the personal data? Are privacy by design, data minimisation and security by design principles built into the technology? Will law enforcement have access to the health or other data? Will data be deleted, anonymised, pseudonymised or destroyed after a set period? What is the extent of geolocation tracking? Is the app compulsory? Are users given the opportunity to consent? Will data on the app be encrypted? Is the app built on open source software? Are developers willing to provide transparency about their algorithms in line with the EU Governance Framework on Algorithmic Accountability and Transparency or guidance from the European Data Protection Board? Contact tracing apps and other coronavirus-inspired technologies provide great opportunities, but also pose high risks to data protection, GDPR compliance and cybersecurity. Companies and organisations should work transparently and in an accountable manner.

Cybersecurity Threats, Cybercrime, Hackers and Scammers

The UK National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory detailing how the Covid-19 global pandemic is being exploited by cybercriminals and advanced persistent threat (APT) groups. A significant number of malicious cyber actors are using the pandemic for their own objectives. All over the world there have been increased ransomware attacks, phishing emails, social engineering, malware, email spoofing, text message scams (SMS phishing) and attacks against newly installed working-from-home systems. Cybercriminals and hackers are constantly attacking IT infrastructure, corporate networks, information systems, online services and applications. Business organisations and staff are encouraged to apply official guidance to mitigate these threats, to train staff to spot potential attacks and to “refuse to click, or delete” suspicious material, and to encourage IT leaders to refresh staff awareness and reduce the risk of human error.

Encroachments on Employee Privacy

The World Economic Forum and the Pew Research Center had examined employee working-from-home practices in several countries before the Covid-19 pandemic. Coronavirus has since caused rapid and exponential growth in teleworking and working from home around the world. Many of these arrangements were set up quickly, with limited vendor due diligence, cybersecurity testing, data protection (privacy) impact assessment and staff training. There has also been a proliferation of personal data collected and stored on employers’ systems: medical data, healthcare information, video and sound recordings, geolocation data, images and sounds of family members, biometric data, online tracking data and other sensitive and special categories of data have all risen rapidly. Over time, companies and organisations must reassess their records management policies, retention schedules, data protection policies, GDPR compliance and cybersecurity protocols. The volume and variety of this new personal data increases data protection, GDPR and cybersecurity risk.

The Effect of New Data Protection Laws 

The GDPR has inspired a rapid expansion of data protection laws around the world since 2016. The California Consumer Privacy Act (CCPA) came into force in January 2020, and enforcement by the California Attorney General is set to begin on 1 July 2020. Even though a cross-sector group of companies, associations and organisations has requested that CCPA enforcement be postponed because of Covid-19, enforcement will begin in July 2020. Companies and organisations around the world that fall within the scope of the CCPA should continue their compliance programmes, focus on the highest-risk data sets and closely monitor their cybersecurity risk exposure. Brazil’s General Data Protection Law (LGPD), due to come into force on 1 August 2020, has been postponed until 1 January 2021 because of Covid-19, and its administrative rules, sanctions and penalties will be enforced after 1 August 2021.

Reducing the Risk of Future Regulatory Scrutiny

Companies and organisations should maintain high data governance standards even though there is a pause in the progress of new data protection laws and a pragmatic approach to the enforcement of established laws and standards by certain regulators. The UK Information Commissioner’s Office and Ireland’s Data Protection Commission have indicated that they will take the context of Covid-19 into account in their enforcement. Decisions made during the Covid-19 crisis will be judged months and years after the pandemic has subsided, and the seeds of future GDPR and cybersecurity breaches could be inadvertently planted during the lockdown period. The key principles of lawfulness, fairness, notice, consent, transparency, accountability, data minimisation and cybersecurity resilience always apply. Trade-offs may be inevitable, but companies and organisations should always aim for win-win outcomes.

Coronavirus Covid-19 and the Future of Cybersecurity


The global Covid-19 pandemic will have lasting effects. It will transform information security practices and cybersecurity. The adjustments and their pace will depend on individual business sector norms, end-user demands and workforce demographics. Seismic changes are now inevitable in the medium to longer term because of the shift in working practices, the rise in cyber threats and the economic challenges that will face many companies and organisations. Although there will be various overarching themes, the following five trends stand out:

  1. The rise and rise of Working from Home and Teleworking

For the largest companies and organisations that now allow hundreds or thousands of staff to work from home by default, the cybersecurity challenges are enormous and ever evolving. The rise in ransomware and phishing attacks has been the most obvious challenge, requiring new forms of training, policies and procedures and closer network monitoring. The growth in network access points and endpoints, and the use of personal devices (Bring Your Own Device) to reach corporate networks, have expanded the attack surface, increased the likelihood of human error and created stocks of unpatched and less secure endpoints. While cybersecurity teams can find ad hoc solutions in the short term, the medium to longer term will require wider adoption of zero trust practices and the intensive use of new data loss prevention policies, services and tools. Specialised training in remote-working data protection compliance, and staff training to resist social engineering, will need to be embedded.

  2. The unlocking of Video Collaboration

One clear effect of Covid-19 has been to greatly increase the use of video conferencing and multimedia collaboration tools. Applications and services that are white-listed on corporate networks and adopted by the organisation do not pose unmanageable risks. The main risk arises from collaboration and video conferencing software that sits outside the corporate network but is readily available, easy to use and popular. A number of these applications were not built for the enterprise but were consumer-focussed products with poor data protection, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and information management practices and weak cybersecurity standards. Information security teams will need an answer for staff and teams that use these services and rely on their utility and convenience. Organisations should actively test these products and services against relevant industry standards and against their own cybersecurity risk appetite, and apply new governance standards and rules to mitigate the risks. Vigilance is key, even for services that sit outside the corporate network but are increasingly used for business activities.

  3. Cyber Resilience

Covid-19 has brought cyber resilience to the forefront, both as a tangible corporate aim and as an ongoing state of dynamic vigilance. Resilience is no longer a distant intention; it results from blending cybersecurity strategy, business continuity and disaster recovery objectives into a holistic set of principles and measurable outcomes. This analysis must also consider the insurance in place for physical assets, cyber assets, intellectual property, data assets, know-how and personal data. The pandemic is also a signal that companies and organisations must view cybersecurity resilience through the prism of multiple emerging threats such as climate change, unusual weather events, terrorism, future epidemics, wars, civil unrest and persistent, well-resourced state-sponsored hacking.

  4. Scrutiny of Future Supply Chain Security

Covid-19 has exposed the frailties of just-in-time supply chains and the reliance on excessively long supply routes. Future supply chains will be judged on their cybersecurity resilience, cyber insurance protection and effectiveness. Cloud service and hosting providers will be asked for greater cybersecurity assurances and for evidence of their business continuity and disaster recovery plans. Information security teams will increasingly develop second- and third-preference suppliers and explore the ability of new providers to step in, augment or take over information technology services. It is also inevitable that information security suppliers will be held to higher standards of compliance with international information security certifications, cybersecurity best practice, sector norms, information management and data protection standards. Supply chain information security risks will receive greater scrutiny from boards and senior leaders.

  5. The Future of Digital Transformation

The focus of digital transformation will move away from broadly defined aims of efficiency, innovation and cost savings. The new and emerging metrics driving digitisation will be elasticity, scalability, cybersecurity resilience, and ease of adoption and maintenance (leading to long-term savings). The adoption of cloud services, especially Infrastructure as a Service (IaaS), is set to increase, driven by cybersecurity concerns and the need to increase cyber resilience.

Cybersecurity: Focus on Ireland’s National Cyber Strategy


Ireland is an important player in the global digital economy. According to the Commission for Communications Regulation (“ComReg”) and other estimates, 30% of the European Union’s data are hosted in Ireland. The Republic of Ireland ranks 7th out of 28 EU member states in the European Commission’s Digital Economy and Society Index (DESI) 2019 and is a leading EU country for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in Ireland, where many of their data centres are located. At the end of 2019 the Irish government published its second National Cyber Security Strategy, covering 2019 to 2024, to increase its cybersecurity readiness and resilience. The security of Ireland’s network and information systems is important for economic growth, investment, trust, national security and innovation.

A Cybersecurity Journey

A key proposal is to develop Ireland’s National Cyber Security Centre (NCSC), increase incident monitoring, respond to incidents and threats, and work with the Defence Forces and the Gardaí (police) on critical national infrastructure issues. There is also a growing realisation that cybersecurity resilience, national security and critical national infrastructure should embrace new partnerships between the public and private sectors. ComReg recommends allowing intelligence on threats to national security to be shared between Irish state agencies and the private sector; access by private companies to intelligence on national security risks is seen as the best way to secure telecoms networks in Ireland.

Key elements of Ireland’s National Cyber Security Strategy 2019-2024

The strategy’s main objectives are to:

  • Continue to improve Ireland’s ability to respond to and manage cybersecurity incidents, including those involving national security
  • Identify and protect critical national infrastructure by increasing its resilience to cyber attacks and ensure that operators of essential services have appropriate incident response plans to reduce and manage disruptions to services
  • Improve the resilience and security of public sector IT systems to better protect data and the services that people rely on
  • Invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers
  • Increase business awareness of the need to secure their networks, devices and information and to drive research and development in cyber security in Ireland, including new technology investment
  • Continue to engage with international partners and international organisations to ensure that cyberspace remains open, secure, unitary, free and able to facilitate economic and social development
  • Increase the general level of skills and awareness among private individuals about basic cyber hygiene and support them with information and training.

The strategy’s other key deliverables include the appointment of Cyber Attachés to Ireland’s key foreign diplomatic missions, ratification of the Budapest Convention on Cybercrime, expanding the current Threat Sharing Group (TSG), refining existing arrangements with the UK on information sharing and incident response and providing support to Cyber Ireland to develop a Cyber Security Cluster of industry, academia and government.

Action Plan: Monitor progress, review outputs and evaluate results

Companies, organisations, the public sector and investors must monitor the implementation of the strategy. The Irish government’s overall budget for the strategy has not been published, and priorities within each major objective have not been fully outlined. The role of Small and Medium-Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should be monitored, as this is underdeveloped in the strategy. The key question is whether Ireland’s NCSC will become a larger, more confident and technically well-resourced cybersecurity champion in the coming years.

Ireland’s data protection approach should also be monitored in conjunction with the National Cyber Security Strategy. Ireland’s Data Protection Commission (DPC Ireland), the data protection and General Data Protection Regulation (GDPR) regulator, received a total budget allocation of €16.9 million for 2020, a smaller increase than it had requested. The quadruple challenges of Brexit, coronavirus Covid-19, an uncertain post-election government and a cooling Irish economy in the second half of 2020 will directly affect the immediate implementation of the strategy.

Coronavirus COVID-19: Regulators around the world offer data guidance

Global Briefing

The novel coronavirus, COVID-19, has been classified as a global pandemic. At such a critical time for public health, nations and the global economy, the World Health Organisation, governments, Chief Medical Officers and public health organisations provide much needed scientific and practical expertise.  In our data-driven world, data and information are vital to effectively responding through contact tracing, outbreak analysis, vaccine research, risk-assessments, diagnosis, treatment, modelling and government policy decisions. In this emergency, transparent and proportionate data privacy practices, confidentiality and data security procedures can help to inform these efforts, increase trust and encourage win-win outcomes. Data excellence is crucial.  

Health Data: The sword and shield to combat the crisis

Health and medical data are often classified as sensitive and confidential. In the European Union, the General Data Protection Regulation (GDPR) lists these as special categories of personal data. Collecting, storing and sharing these types of data in high-volumes is called high risk data processing.  Globally, best practice in health care data management insists that these kinds of data must be kept secure, data sharing should be specific and limited, data must be highly accurate, complete and relevant. Individual consent is often the means by which these types of data are collected, stored and used. Health data processing for COVID-19 identification, treatment and public health countermeasures necessarily pressures and adjusts this status quo.  The frequency and intensity of health data processing and sharing around the world, will challenge data controllers, data owners, data guardians and individuals alike. A targeted and purposive approach is required. In this crisis, necessity must be the mother of invention and provide much needed public health and medical solutions and outcomes.  

Looking for Leadership: Guidance from Key Data Regulators

Aware of the increase in health data collection, storage and use as well as the increased data security risks, data protection and other key regulators have published guidance to assist companies, organisations, governments, health care systems and individuals. These include:

Italy
The Italian data protection regulator, the Garante (Garante per la protezione dei dati personali), has published a statement encouraging employers not to collect Covid-19 related health data and location information about employees in a spontaneous, systematic and generalised way. Health data collection should be left to the health authorities unless such collection is specifically required by law. Employers are encouraged to comply strictly with requests and nationwide initiatives from Italy’s Ministry of Health. The statement clarifies that employees have a duty to inform their employers of health and safety risks, such as exposure to Covid-19, and that employers may invite employees to notify them of exposure. The statement is published in Italian.

Ireland

The data protection regulator for the Republic of Ireland, the Data Protection Commission Ireland (DPC Ireland), has issued guidance stating that measures taken to combat COVID-19, including the collection and use of health data, should be necessary and proportionate. All decisions should be informed by the guidance and instructions of public health and other relevant authorities. The GDPR should be applied, and the key GDPR principles of a proper legal basis for processing health data, transparency, confidentiality, data minimisation and accountability should be practised. The guidance presents a number of employment scenarios as questions and answers. DPC Ireland acknowledges that an organisation’s response to an individual’s data protection rights may be impacted or delayed by COVID-19 and that this will be taken into account, but GDPR legal obligations cannot be waived. Where COVID-19 impacts data protection compliance, organisations should communicate with individuals, respond as quickly as possible, reply in stages and maintain clear internal records. The guidance is here.

Spain

Spain’s data protection regulator, La Agencia Española de Protección de Datos (AEPD), has published a statement and a report on data protection and COVID-19. AEPD clearly states that data protection rules should not be used as a barrier to responding to COVID-19. The GDPR and local Spanish laws provide the proper legal basis for dealing with these exceptional cases, public interest efforts and activities to protect the vital interests of individuals. Employers should process the health data that are necessary to safeguard staff and limit further contagion. The statement is here and the report is here, in Spanish.

United Kingdom

The United Kingdom’s data protection regulator, the Information Commissioner’s Office (ICO), issued a statement asserting that data protection and electronic communications laws do not prevent responding to COVID-19, including the additional collection of personal data for public health reasons. The ICO says that it is a reasonable and pragmatic regulator which will consider the compelling public interest in the coronavirus health emergency. It offers its website address and helpline number as sources of assistance. The statement is linked to questions and answers with scenarios about employers, employees and health professionals. The statement and the questions and answers, in English, are here.

France

France’s data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued guidance emphasising that the GDPR applies to health data collection relating to COVID-19. It outlines prohibitions, which include employers asking staff and visitors to provide temperature readings every day or collecting health questionnaires from all employees. Systematic and generalised collection of health data is discouraged. Employees are encouraged to inform their employers about their potential COVID-19 exposure, and employers can provide reports to public health authorities and set up business continuity plans. Organisations should follow the recommendations of the health authorities and collect data in accordance with their requests and instructions. The guidance, available in French, is here.

United States of America

The United States responds to COVID-19 both at the federal level and at the state level, in each of the 50 states. City, regional and local-level responses are also evident. Without comprehensive all-sector national or federal-level data privacy laws, the broadest guidance available relates to the federal Health Insurance Portability and Accountability Act 1996 (HIPAA). The Department of Health and Human Services published a Bulletin covering HIPAA and COVID-19 related issues, which is here. The US Centers for Disease Control and Prevention provides up-to-date general coronavirus updates, advice, health guidance and mitigation strategies, available here.

China

The National Health Commission of China published a notice, available in Chinese here, on the personal data protection issues in responding to COVID-19. In addition, one of China’s key cybersecurity and data protection bodies, the Cyberspace Administration of China (CAC), published a Circular on “Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” to provide detailed guidance, which is available in Chinese, here.

Switzerland

Switzerland’s data protection regulator, the Federal Data Protection and Transparency Officer (PFPDT), has published guidance on the protection of personal data while containing COVID-19. The guidance is available in German, French and Italian.

Belgium

Belgium’s data protection regulator, the Autorité de protection des données, has published guidance on COVID-19. The guidance is available in French, here.

Germany: Baden-Württemberg

The Baden-Württemberg data protection regulator, LfDI Baden-Württemberg published frequently asked questions (FAQs) on data protection compliance and COVID-19. The FAQs are here.

New Zealand

New Zealand’s data protection regulator, the Office of the Privacy Commissioner of New Zealand (OPCNZ) published frequently asked questions (FAQs) on COVID-19. The FAQs are here.

Denmark

Denmark’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Danish, here.

Iceland

Iceland’s data protection regulator, Persónuvernd, has published guidance on COVID-19. The guidance is available in Icelandic, here.

Luxembourg

Luxembourg’s data protection regulator, the Commission Nationale pour la Protection des Données, has published guidance on COVID-19. The guidance is available in French, here.

Norway

Norway’s data protection regulator, Datatilsynet, has published guidance on COVID-19. The guidance is available in Norwegian, here.

Poland

Poland’s data protection regulator, Urząd Ochrony Danych Osobowych, has published guidance on COVID-19. The guidance is available in Polish, here.

The Netherlands

The Netherlands’ data protection regulator, Autoriteit Persoonsgegevens, has published guidance on COVID-19. The guidance is available in Dutch, here.

Hungary

Hungary’s data protection regulator, Nemzeti Adatvédelmi és Információszabadság Hatóság, has published guidance on COVID-19. The guidance is available in Hungarian, here.

Slovakia

Slovakia’s data protection regulator, Úrad na ochranu osobných údajov Slovenskej republiky, has published guidance on COVID-19. The guidance is available in Slovak, here.

Slovenia

Slovenia’s data protection regulator, Informacijski pooblaščenec, has published guidance on COVID-19. The guidance is available in Slovenian, here.