There are plenty of articles on the importance of ensuring that when working from home, we try to maintain some form of routine. Despite this, it is a different environment and we have to accept that productivity will not be the same. However, it is still important to be as vigilant as ever in relation to data security and making sure that data isn’t misused, misplaced or even lost. Marriott Hotels recently announced it has been hit once more with a significant breach, this time affecting around 5.2m of its guests.

In many instances, organisations in Guernsey and Jersey will make use of secure connections enabling employees to have immediate access to the data necessary to fulfil their duties. However, there are also entities which have had to completely overhaul systems and procedures to allow their employees to work remotely. Whichever category your organisation falls into, working remotely puts a business’ data (including personal data) at greater risk.

In particular it may be harder for the employee or the organisation to know when security is breached, and even harder to identify how it happened. IT departments are already under significant pressure maintaining connectivity, let alone checking for rogue emails, inadvertent disclosure to the “wrong” email address, or monitoring activity logs. Criminals are looking to exploit the Coronavirus situation by sending emails masquerading as government guidance, or as banks pretending to check on their customers. It is therefore more important than ever to be security conscious and reflect on your organisation’s data management policies.

Both the Office of the Data Protection Authority in Guernsey (ODPA) and the Office of the Information Commissioner in Jersey (JOIC) have published guidance reminding controllers and processors of the increased risks associated with working from home. Both list various “common-sense” steps to ensure controllers and processors monitor the risks associated with personal data during these unprecedented times.

Three of the fundamental steps controllers and processors should keep in mind when operating remotely, taking into account the data protection legislation on both islands (DP Law), are:

  • “Make sure staff are aware of, and able to, implement your existing policies surrounding remote-working”.

Since remote working increases the risks associated with personal data, it will be paramount for organisations to show the regulators that they have complied with the DP Law. Following up with staff reminds them of the core principles and practical examples of good data security. Be tolerant if tasks take longer to complete and enable staff to have access to others within the business to sense-check their decisions.

  • “Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.”

These are usually required where high-risk processing is to be carried out, but they are generally advisable when implementing new technology, services or products. In the current environment, if remote working is new to your organisation, work through a risk assessment and prioritise the higher risk situations. For example, encourage staff to check addressees before sending emails and/or to password protect attachments.

  • “Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures”.

Under the DP Law, it is important for personal data to be processed in a manner that ensures its security appropriately, which includes protecting it against unlawful or unauthorised processing and against accidental loss, damage or destruction. These measures may include organisational or technical measures such as adopting processes to ensure ongoing confidentiality. Controllers are also expected to regularly test, assess and evaluate the effectiveness of their security measures. Discourage staff from using personal devices where possible, and from simply forwarding work to their personal email addresses, for example.

In the event that a breach occurs (for example by data being lost, stolen or an organisation being hacked), it is still very important to notify the ODPA/JOIC of a breach as soon as practicable and to take steps to implement your incident response plan. Whilst the ODPA/JOIC may give you a degree of leeway in the current environment, the criminals will not, so act quickly.

One thing that is clear from the ODPA/JOIC statements is that whilst reassuring local organisations that they are taking a realistic and pragmatic approach to regulation during the Bailiwicks’ ‘lockdowns’, the ODPA/JOIC will still take non-compliance and data breaches seriously. Responding to an incident in these times will be more difficult than usual, so avoidance is still the best defence mechanism.
