15 May 2017

Carey Olsen conference tells businesses 'the time to prepare for GDPR is now'

The central message of Carey Olsen's Jersey data protection and cybersecurity conference “Countdown to Chaos?” was that preparation for the new EU General Data Protection Regulation should begin now.

It was stressed that businesses, government and the charitable sector must be ready for the introduction of the EU General Data Protection Regulation (GDPR) next May and that the Government was working to prepare new data protection legislation that will provide equivalent protection to that provided in the EU.

Carey Olsen counsel Huw Thomas outlined the potential sanctions for serious breaches of the new regime, which could amount to up to €20 million or four per cent of annual turnover (whichever is the greater). 

Mr Thomas said that businesses would need to undergo an audit and risk assessment process in order to plan for the new data protection requirements, and that responsibility for process and governance sits with the board of directors and not the IT department. "Plans need to encompass the technical, regulatory, legal and training requirements arising from the new provisions."

Matthew Berry, from the Law Officers’ Department, who is advising the Jersey Government on the development of the legislation, said that Jersey is already recognised internationally as providing a high level of protection for personal data. In particular, Jersey has an "adequacy" decision from the EU Commission, which enables personal data to be transferred freely from the EU to Jersey. He said that the Government of Jersey is ahead of many other jurisdictions in its preparations for GDPR. In particular, the Government has already engaged with the EU Commission and is confident that it is on course to maintain Jersey’s adequacy decision. He also emphasised that Jersey is working closely with Guernsey in view of the Channel Islands’ intention to continue to share a regulator.

Data Protection Commissioner Emma Martins also emphasised that businesses should start planning now: “Don’t start thinking about it when it comes into force. Get a breach response plan in place today.”

Three of the Business Continuity Institute’s top 10 threats to business fell within the cyber security area, Ms Martins said.

She also emphasised that privacy concerns impacted everyone, not just those in business, and that we should all take our own privacy (and that of our families) far more seriously.

A key message reiterated by the speakers was that the GDPR would require appropriate technical and organisational measures to ensure and demonstrate that data processing is performed securely. Many organisations will need (or be well advised) to hire a Data Protection Officer (DPO); however, appropriately-qualified and experienced people are currently a rare resource.

Carey Olsen counsel Richard Field reinforced the importance of having a DPO (or equivalent), who would be charged with ensuring GDPR compliance and training staff on information security issues, and said: "Boards need to embed a culture where personal data is treated as a valuable and protected asset."

He added that DPOs will require expert knowledge of data protection laws and practices and they will need to be involved early and in all privacy-related matters. They will also need to have appropriate resources to enable them to fulfil their role and to ensure that there are no conflicts of interest, should they have other functions within the business.

Matt Thornton, Guernsey director of processes and platforms at C5 Alliance, said: "More than 2.6bn breaches of information occurred in 2016 and that’s only scratching the surface as big breaches are often completely undetected or unreported."

He explained that staff are the cause of the majority of breaches, meaning that technological solutions can provide a limited amount of protection and that it is essential that such solutions are combined with robust and up-to-date training. Sharing information with colleagues and taking information out of the office are still common practices, with employees often failing to understand their duties and obligations regarding data security.

Carey Olsen partner William Grace closed the conference by emphasising that "cybersecurity is the biggest operational risk facing the finance industry in Jersey in terms of potential disruption. As such it will likely become a priority issue for the JFSC but businesses should systematically address the specific risks in their businesses now and not wait for regulation. It is a necessary requirement of Jersey's premium branded offering that it is matched by its cyber security standards in order to meet customer expectations."