• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

Coronavirus/COVID-19: Technology Solutions checklist

31 March 2020
To help companies which are developing technology solutions to help predict, mitigate or contain the spread of COVID-19, we have compiled a checklist of points to consider.  

Part 1: Data Protection

Have data protection risks been identified and managed?

  • Will the solution collect and use personal data?  Note that the definition of 'personal data' under the GDPR and the UK Data Protection Act 2018 (DPA) includes identification numbers, location data and online identifiers, if the individual to which they relate can be identified, directly or indirectly.
  • Will you be processing personal data on behalf of a third party? What are your statutory and contractual requirements?  Remember that processors, as well as controllers, have legal obligations under the GDPR, which includes a requirement for mandatory contract provisions.
  • Do you provide data subjects with an appropriate privacy notice, which clearly sets out how you will use their personal data?
  • Have you identified the appropriate legal basis for each proposed data processing activity? 
  • If you are relying on consent, are you confident that it complies with GDPR's requirements?  Remember that:

- if you rely on consent as the lawful basis for processing 'special category data', which includes health data, the consent must be 'explicit'; and
- consent is not the only lawful basis on which you can process personal data.

  • Have you put in place appropriate security controls to restrict access to and use of personal information?  While the ICO has published FAQs about personal data and coronavirus, which stress that data protection is not a barrier to addressing the risks caused by COVID-19, it is likely to take a strict approach to anyone who commercially exploits personal data obtained in relation to COVID-19.
  • Will you transfer personal data outside the UK?  Are those transfers compliant with the GDPR? Do you need to put a safeguard in place?  Have you considered whether a Data Protection Impact Assessment (DPIA) is needed? 

If you have any questions regarding the development and deployment of technology products and services in connection with coronavirus/COVID-19, please contact Ruby Khan or Ben McLeod. For additional guidance, please visit our COVID-19 hub.

Further Reading

We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

Manage cookies

Your Privacy

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

Functional cookies


These cookies let you use the website and are required for the website to function as expected.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.