There are plenty of articles on the importance of ensuring that when working from home, we try to maintain some form of routine. Despite this, it is a different environment and we have to accept that productivity will not be the same. However, it is still important to be as vigilant as ever in relation to data security and making sure that data isn’t misused, misplaced or even lost – Marriott Hotels recently announced it has been hit once more with a significant breach, this time affecting around 5.2m of its guests.

In many instances, organisations in Guernsey and Jersey will make use of secure connections enabling employees to have immediate access to the data necessary to fulfil their duties. However, there are also entities which have had to completely overhaul systems and procedures to allow their employees to work remotely. Whichever category your organisation falls into, working remotely puts a business’ data (including personal data) at greater risk.

In particular it may be harder for the employee or the organisation to know when security is breached, and even harder to identify how it happened. IT departments are already under significant pressure maintaining connectivity, let alone checking for rogue emails, inadvertent disclosure to the “wrong” email address, or monitoring activity logs. Criminals are looking to exploit the Coronavirus situation by sending emails masquerading as government guidance, or as banks pretending to check on their customers. It is therefore more important than ever to be security conscious and reflect on your organisation’s data management policies.

Both the Office of the Data Protection Authority in Guernsey (ODPA) and the Office of the Information Commissioner in Jersey (JOIC) have published guidance reminding controllers and processors of the increased risks associated with working from home. Both list various “common-sense” steps to ensure controllers and processors monitor the risks associated with personal data during these unprecedented times.

Three of the fundamental steps controllers and processors should keep in mind when operating remotely, taking into account the data protection legislation on both islands (DP Law) are:

  • “Make sure staff are aware of, and able to, implement your existing policies surrounding remote-working”.

Since remote working increases the risks associated with personal data, it will be paramount for organisations to show the regulators that they have complied with the DP Law. Follow up with staff reminds them of the core principles and practical examples of good data security. Be tolerant if tasks take longer to complete and enable staff to have access to others within the business to sense-check their decisions.

  • “Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.”

These are usually required where high-risk processing is to be carried out, but they are generally advisable when implementing new technology, services or products. In the current environment, if remote working is new to your organisation, work through a risk assessment and prioritise the higher risk situations. For example, encouraging staff to check addressees before sending emails and/or password protecting attachments.

  • “Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures”.

Under the DP Law, it is important for personal data to be processed in a manner that ensures its security appropriately, which includes protecting it against unlawful or unauthorised processing and against accidental loss, damage or destruction. These measures may include organisational or technical measures such as adopting processes to ensure ongoing confidentiality. Controllers are also expected to regularly test, assess and evaluate the effectiveness of their security measures. Discourage staff from using personal devices where possible, and not to simply forward work to their personal email addresses, for example.

In the event that a breach occurs (for example by data being lost, stolen or an organisation being hacked, it is still very important to notify the ODPA/JOIC of a breach as soon as practicable and to take steps to implement your incident response plan. Whilst the ODPA/JOIC may give you a degree of leeway in the current environment, the criminals will not, so act quickly.

One thing that is clear from the ODPA/JOIC statements is that whilst reassuring local organisations that they are taking a realistic and pragmatic approach to regulation during the Bailiwicks’ ‘lockdowns’, the ODPA/JOIC will still take non-compliance and data breaches seriously. Responding to an incident in these times will be more difficult than usual, so avoidance is still the best defence mechanism.

Key Contacts

Jeremy Berchem

Group Partner*: Guernsey

T +44 (0)1481 755 601
E Email Jeremy

Anthony Williams

Partner: Guernsey

T +44 (0)1481 755 622
E Email Anthony

Stuart Tyler

Partner: Guernsey

T +44 (0)1481 755 606
E Email Stuart

Twitter LinkedIn Email Save as PDF
More Publications
10 Jan 2024

The Global – your offshore corporate law questions answered

The Global is Appleby’s quarterly collection of expert insights and analysis on the latest develop...

20 Mar 2023

Trusts: Comparison between the Crown Dependencies

Our Private Client and Trusts specialists in Guernsey, Isle of Man and Jersey outline some of the ke...

19 Jan 2023

The Edinburgh Reforms: An Offshore Perspective

On 9 December 2022, the UK Chancellor of the Exchequer announced a package of reforms to the UK fina...

27 Sep 2022

Similar but Different

While the basic features of the trust remain, there are some notable differences in how trusts can b...

23 Feb 2022

Anonymisation of decisions: an invitation to consider this more but the unscrupulous need not apply!

The adage that ‘justice must not only be done, but must also be seen to be done” derives from a ...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

1 Jul 2021

Saunders v Vautier where the beneficial class is not closed - the debate goes on...

The Saunders v Vautier rule is familiar territory for trust lawyers. In the modern world it is unde...

12 Mar 2021

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...