• AE
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

Coronavirus/COVID-19: Technology Solutions checklist

31 March 2020
To help companies which are developing technology solutions to help predict, mitigate or contain the spread of COVID-19, we have compiled a checklist of points to consider.  

Part 1: Data Protection

Have data protection risks been identified and managed?

  • Will the solution collect and use personal data?  Note that the definition of 'personal data' under the GDPR and the UK Data Protection Act 2018 (DPA) includes identification numbers, location data and online identifiers, if the individual to which they relate can be identified, directly or indirectly.
  • Will you be processing personal data on behalf of a third party? What are your statutory and contractual requirements?  Remember that processors, as well as controllers, have legal obligations under the GDPR, which includes a requirement for mandatory contract provisions.
  • Do you provide data subjects with an appropriate privacy notice, which clearly sets out how you will use their personal data?
  • Have you identified the appropriate legal basis for each proposed data processing activity? 
  • If you are relying on consent, are you confident that it complies with GDPR's requirements?  Remember that:

- if you rely on consent as the lawful basis for processing 'special category data', which includes health data, the consent must be 'explicit'; and
- consent is not the only lawful basis on which you can process personal data.

  • Have you put in place appropriate security controls to restrict access to and use of personal information?  While the ICO has published FAQs about personal data and coronavirus, which stress that data protection is not a barrier to addressing the risks caused by COVID-19, it is likely to take a strict approach to anyone who commercially exploits personal data obtained in relation to COVID-19.
  • Will you transfer personal data outside the UK?  Are those transfers compliant with the GDPR? Do you need to put a safeguard in place?  Have you considered whether a Data Protection Impact Assessment (DPIA) is needed? 

If you have any questions regarding the development and deployment of technology products and services in connection with coronavirus/COVID-19, please contact Ruby Khan or Ben McLeod. For additional guidance, please visit our COVID-19 hub.

Further Reading