Data Protection: Firms warned about inevitable data breaches
DATA Protection Week 2019 got under way with a stark warning that every organisation will at some point suffer a data breach.
The Jersey Opera House was the venue for the opening conference, which was organised by the Jersey Data Protection Association, the Office of the Information Commissioner and the States of Jersey and sponsored by PwC.
Advocate Davida Blackmore, a partner at Callington Chambers, said: ‘I think it’s highly recognised that data breaches are inevitable and every organisation will suffer a breach at some point. It might be a big breach, or it might be very small, but organisations need to recognise that and plan accordingly.’
Advocate Blackmore also said there had been a lot of misinformation around last year in the run-up to the 25 May General Data Protection Regulation (GDPR) deadline, when the new EU legislation came into effect, and that resulted in some businesses unnecessarily decimating their marketing databases by emailing to ask for consent.
‘They were being told that the only way they could process, for example, marketing information was with consent, and that’s obviously not correct because there are a number of legal bases in the law under which you can process data,’ she said.
‘So it’s for that organisation to look at those bases and think, “OK, this is the information I have, this is the legal basis that I’ve got to hold it, either I’m going to go out and get consent from everybody so I know where I am, or I’m going to say actually I’ve got a legitimate reason for having this name and address because I want to send them information”. But always bear in mind that the individual has the right to take their information off that list.’
Brexit is also posing issues when it comes to data control. Jersey has had adequacy status with the EU since 2008, which means it is a trusted jurisdiction and data can easily flow between the Island and EU member states.
The UK does not have this status and the potential of a no-deal Brexit could have caused a major problem, according to Stephanie Peat, director of digital and telecoms for the States.
‘Potentially Jersey businesses would be in the position of having to put in additional safeguards,’ she said, ‘as they would to other non-adequate third-party country jurisdictions. But we recognised, as a government, the amount of data that flows to and from the UK and the significance of it to the economy.’
There will be an amendment to the data protection laws debated in February, to allow the continuance of the UK data relationship.
Huw Thomas, counsel at Carey Olsen and vice-chairman of the Jersey Data Protection Association, warned that if directors and boards did not understand technology and the privacy risks that came from it, they were endangering their business.
He added that it was the people in senior management who could be the biggest risk, because they had the authority to override rules, the knowledge of systems and a wide range of information and could therefore engage in ‘high impact’ misconduct.
Non-executive directors should also be thinking about what they do with board packs, notes on employees and clients, and those non-execs with multiple boards should be careful not to mix different organisations’ data.
All the experts stressed the need to have a comprehensive plan in place well ahead of any potential data breach, one that is not only clear and easy to understand but also tested. That plan should not be stored on companies’ systems, because if those systems were shut down, the company would be locked out of the plan and could potentially have handed an action plan to an external attacker.
For further information visit oicjersey.org and jdpa.org.je.