19 April 2017

Data Protection Officers, a valuable commodity, Carey Olsen conference told

People are the biggest risk when it comes to data protection breaches, a Carey Olsen data protection and cyber security conference was told.

When the EU’s General Data Protection Regulation (GDPR) and the corresponding Guernsey law come into force in May 2018, the role of the Data Protection Officer (DPO) will be paramount. Even if businesses are not obligated by the GDPR to appoint a DPO, it will be good practice to have someone primarily responsible for information security.

Matt Thornton, Guernsey director of professional services at C5 Alliance, said that staff were the cause of the majority of breaches. Technological solutions could only go so far and solid training was a necessity.

“The weakest link in everything when it comes to security is the humans at the end of the keyboard and tablet,” he said.

Mr Thornton said that passwords were often “flimsy at best” and routines such as password change rules may be counter-productive as users become resistant and lazy, for example using password1, password2 etc. The key is the appropriate use of control mechanisms.

Sharing information with colleagues and taking information out of the office were common yet careless practices and employees often failed to understand their duties and obligations regarding security. Organisation-wide awareness is a requirement.

“It is too easy to assume that something that sounds complicated is a problem for IT,” he said.

The coming regulations would require “appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed securely”. It was likely that business organisations of a certain size would need to hire a DPO and appropriately-qualified and experienced people are quickly becoming a rare commodity. DPOs will need expert knowledge of data protection laws and practices. They will need to be involved early and in all privacy-related matters and will be bound by confidentiality. They will need to have appropriate resources to enable them to fulfil their role and conflicts of interest will not be permitted.They will have an advisory role and will be responsible for risk assessment, the monitoring of legislation and policies and training of staff.

Richard Field, counsel to the dispute resolution and regulatory team at Carey Olsen and co-author of The Channel Islands Guide to the GDPR, said it would be difficult to find DPOs with a sufficient level of expertise but it would be incumbent on boards of directors to ensure that this challenge was taken seriously; the alternative could be to face “proportionate and dissuasive” fines.

“They (DPOs) have to be independent, so they can’t be the head of IT or the head of compliance, for example. There will be a scarcity of appropriately qualified and experienced individuals, although it will be acceptable to have a group DPO or outsource the role, which may alleviate some of the pressure.” he said.

Other speakers at the over-subscribed conference were Callie Loveridge-Newey, States of Guernsey lead officer for data protection governance, Data Protection Commissioner Emma Martins and Phil Hunkin, from the financial investigation unit of the Guernsey Border Agency.

The EU’s GDPR will be enforced from May 2018. Work has begun on drafting a Guernsey law which will be broadly equivalent to GDPR and is designed to maintain Guernsey’s current adequacy status, allowing data flows between the island and Europe.

It was acknowledged that Guernsey is ahead of competitor jurisdictions in proactively preparing for GDPR.

Mr Field said: “We have an experienced team and are happy to work with businesses to prepare for May 2018, including advising on specific policies, documents or procedures, and putting them in touch with other providers if the issue requires a technology solution. As a member of the States Industry Working Party I’m also keen to hear of any issues or feedback so we can take these into account and feed them back to Government.”