Is Data Protection on your Board Radar?
It is now over two years since the Data Protection (Jersey) Law 2018 came into force (although it is of course worth remembering that its predecessor had been around since 1987). For a couple of years before the 2018 Law came into force there was lots of discussion at board meetings about the potential penalties and the 25 May 2018 deadline, but I suspect data protection may well have fallen off a few radars since then, especially as more recently there has been the battle for businesses to survive the impacts of Covid-19.
We have recently heard about the major data breach on Twitter and have seen a real live example of the problems this can bring for a company, not just in terms of breaching a law where there are some very substantial penalties, but just as important the huge reputational damage. Indeed, few days seem to go by without a big media story about one major data breach or another.
All this goes alongside our growing need to use data and digital tools for the many advantages that their proper use can bring: not just from being more efficient and therefore saving money, but also from really understanding what customers want, so we can give it to them, and of course make some money doing that.
I like to think about Data Protection in the same way as Health & Safety legislation. We are very often reminded about the severe legal penalties if we break these laws, but much more important for me are the other consequences of breaking rules that usually just codify good practice. For health & safety it could be a permanent injury or even a loss of life. With data protection it will be unusual for a life to be put at risk, but it can happen. More likely is that a data breach can cost a huge amount of money, loss of trust in your brand and therefore long-term damage to the value of your business, or worse. At the end of the day, the penalties are just there to incentivise us to do what we should be doing anyway: running businesses responsibly and taking account of the interests of all our stakeholders.
Good data protection should really just be part of our culture, the way we do things round here, not a department.
Non-executive directors clearly have an important part to play in making sure management doesn't forget the principles as well as the law. They have every incentive to do so because at the end of the day they can also have personal liability; check out articles 71-74 of the Data Protection (Jersey) Law 2018 if you have not done so for a while. The penalties can be eye-watering and personal-bank-account-emptying!
More proactively, all directors should make sure data protection makes a regular appearance on board agendas, that there is complete clarity on who takes day-to-day responsibility for such important obligations, what the plan is should a breach occur, and how breaches are dealt with when they happen. Although a breach brings reality and urgency to the issue, my advice would be don't wait for that to happen. Get some time reserved on the next board meeting agenda and ask for the key data protection risks and mitigations to be identified as a specific exercise, if you haven't done so already.
Sitting down to think about and write this article has made me realise that I have not done this enough; it is nothing new that the urgent has a way of crowding out the important. Remember it is not just the prospect of severe penalties for the organisation and potentially the board; it is also the company's reputation for caring for what these days is often a major asset class: personal data.
One last thing. The team at the Commissioner's Office are a very helpful bunch of people. On one rather tricky issue I needed to consult them, about a breach that an organisation I was involved with almost made. The advice they gave was very helpful, pragmatic and of course free. I get the impression they would much prefer to help organisations practise good data protection than have to use their extensive powers to enforce it, which is exactly as it should be.
“The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official position of the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner) (the "Authority"). The Authority is not responsible for the accuracy of any of the information supplied by the guest writer/bloggers and the Authority accepts no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.”