There are plenty of articles on the importance of ensuring that when working from home, we try to maintain some form of routine. Despite this, it is a different environment and we have to accept that productivity will not be the same. However, it is still important to be as vigilant as ever in relation to data security and making sure that data isn’t misused, misplaced or even lost – Marriott Hotels recently announced it has been hit once more with a significant breach, this time affecting around 5.2m of its guests.

In many instances, organisations in Guernsey and Jersey will make use of secure connections enabling employees to have immediate access to the data necessary to fulfil their duties. However, there are also entities which have had to completely overhaul systems and procedures to allow their employees to work remotely. Whichever category your organisation falls into, working remotely puts a business’ data (including personal data) at greater risk.

In particular it may be harder for the employee or the organisation to know when security is breached, and even harder to identify how it happened. IT departments are already under significant pressure maintaining connectivity, let alone checking for rogue emails, inadvertent disclosure to the “wrong” email address, or monitoring activity logs. Criminals are looking to exploit the Coronavirus situation by sending emails masquerading as government guidance, or as banks pretending to check on their customers. It is therefore more important than ever to be security conscious and reflect on your organisation’s data management policies.

Both the Office of the Data Protection Authority in Guernsey (ODPA) and the Office of the Information Commissioner in Jersey (JOIC) have published guidance reminding controllers and processors of the increased risks associated with working from home. Both list various “common-sense” steps to ensure controllers and processors monitor the risks associated with personal data during these unprecedented times.

Three of the fundamental steps controllers and processors should keep in mind when operating remotely, taking into account the data protection legislation on both islands (DP Law) are:

  • “Make sure staff are aware of, and able to, implement your existing policies surrounding remote-working”.

Since remote working increases the risks associated with personal data, it will be paramount for organisations to show the regulators that they have complied with the DP Law. Follow up with staff reminds them of the core principles and practical examples of good data security. Be tolerant if tasks take longer to complete and enable staff to have access to others within the business to sense-check their decisions.

  • “Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.”

These are usually required where high-risk processing is to be carried out, but they are generally advisable when implementing new technology, services or products. In the current environment, if remote working is new to your organisation, work through a risk assessment and prioritise the higher risk situations. For example, encouraging staff to check addressees before sending emails and/or password protecting attachments.

  • “Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures”.

Under the DP Law, it is important for personal data to be processed in a manner that ensures its security appropriately, which includes protecting it against unlawful or unauthorised processing and against accidental loss, damage or destruction. These measures may include organisational or technical measures such as adopting processes to ensure ongoing confidentiality. Controllers are also expected to regularly test, assess and evaluate the effectiveness of their security measures. Discourage staff from using personal devices where possible, and not to simply forward work to their personal email addresses, for example.

In the event that a breach occurs (for example by data being lost, stolen or an organisation being hacked, it is still very important to notify the ODPA/JOIC of a breach as soon as practicable and to take steps to implement your incident response plan. Whilst the ODPA/JOIC may give you a degree of leeway in the current environment, the criminals will not, so act quickly.

One thing that is clear from the ODPA/JOIC statements is that whilst reassuring local organisations that they are taking a realistic and pragmatic approach to regulation during the Bailiwicks’ ‘lockdowns’, the ODPA/JOIC will still take non-compliance and data breaches seriously. Responding to an incident in these times will be more difficult than usual, so avoidance is still the best defence mechanism.

Twitter LinkedIn Email Save as PDF
Key Contacts

Jeremy Berchem

Office Managing Group Partner*: Guernsey

T +44 (0)1481 755 601
E Email Jeremy

Anthony Williams

Partner: Guernsey

T +44 (0)1481 755 622
E Email Anthony

Stuart Tyler

Partner: Guernsey

T +44 (0)1481 755 606
E Email Stuart

More Publications
13 Mar 2020 |

Appleby contributes five chapters to Global Legal Insights – Fund Finance 2020

Appleby provided five chapters to the Global Legal Insights - Fund Finance 2020 Guide. The publicati...

31 Jan 2020 |

Brexit Day has arrived: What does that mean for Jersey, Guernsey and the Isle of Man?

Brexit Day has arrived, and at 11 o’clock this evening the UK’s EU membership will come to an en...

11 Dec 2019 |

Channel Islands: Year in Review

2019 has been an interesting year for the Channel Islands, to say the least. Global macro-economic ...

Contributors: Jeremy Berchem
7 Nov 2019 |

The Inequality of Equality Legislation in the Channel Islands

This summer Guernsey launched its public consultation in relation to proposals to introduce a compre...

9 Oct 2019 |

Transparency and the Crown Dependencies

Transparency of beneficial ownership information has been a political issue since June 2013 when Bri...

18 Sep 2019 |

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Offshore listing Vehicles to benefit from the Shanghai - London stock connect

Contributors: Huiyan Liew
28 Jun 2019 |

Internal Investigations - Evidence for the Prosecution

Sophisticated organisations are frequently required to undertake internal investigations. These can ...

Contributors: Anthony Williams
26 Jun 2019 |

Regulatory Headwinds

Faced with increased scrutiny from regulators on both global and jurisdictional levels, businesses m...

Contributors: David Dorgan
19 Jun 2019 |

Beneficial Ownership Update: Crown Dependencies

The Crown Dependencies (Jersey, Guernsey and the Isle of Man) have announced a joint policy commitme...

Contributors: Caren Pegg
21 May 2019 |

Royal Court of Jersey Directs the Winding up of an Insolvent Trust

The Royal Court of Jersey has recently handed down an important decision in relation to the winding ...

Contributors: Amy Benest