General Data Protection Regulation and the Regulators’ Cybersecurity Agenda

The Office of the Information Commissioner in Jersey and The Office of the Data Protection Commissioner in Guernsey (which are the independent statutory authorities in the Channel Islands that implement and ensure compliance with the relevant Data Protection legislation in each jurisdiction), announced that the General Data Protection Regulation (officially known as the Directive 95/46/EC or GDPR) has now been published in the Office Journal and local legislation will be implemented across the Islands in May 2018.

The provisions of GDPR, which focuses on giving individuals stronger rights in terms of the way that governments and businesses process their information, will become directly applicable from May 2018. It is also expected that local legislation will come into force at the same time. This will be the largest development seen in the Data Protection regime since the mid-1990s. Although local legislation will be adopted, firms should be aware that GDPR expands the territorial reach to companies that are outside the EU who have EU clients.

The GDPR is being implemented at a time of heightened focus on cybersecurity and although this is yet another regulatory change for firms to implement, there are synergies to be realized with ongoing data protection and cybersecurity efforts. Financial services firms, accustomed to increasing levels of regulation, may therefore be at an advantage compared to non-financial services firms when it comes to the implementation of GDPR arrangements.

What are the likely practical implications?

Amongst the enhancements to the Data Protection Regime, GDPR will implement a number of developments such as a mandatory requirement for breach reporting. Firms will need to adopt internal reporting mechanisms and policies for handling and investigating breaches. In addition, there is a new accountability principle where firms must be able to demonstrate their compliance with GDPR’s principals, including staff training and undertaking audits. Where ‘high risk’ processing will take place, a detailed privacy impact assessment must be undertaken and documented. GDPR provides examples of “high risk” processing, such as large scale processing or profiling activities, and whilst these examples are not exhaustive, it is expected further examples and guidance will be published.

The provisions relating to an individual’s consent will be clearer under the new legislation and, whilst the current provisions state that consent must be given freely by individuals, there will be a requirement for firms to evidence that a positive and firm consent was received. Firms should review how consent is currently sought and recorded.

Under the new regime, individuals will also have the ‘right to be forgotten’ and therefore, in certain circumstances, an individual can require the removal of his/her data. Firms will need to adopt policies and procedures to ensure compliance.

What should businesses be thinking about?

An important consideration is that the recent focus on cybersecurity is not divorced from data protection regulation and there are synergies to be achieved from addressing both cybersecurity and the GDPR regulation. For instance, staff awareness is considered the largest risk for both data protection and cybersecurity and appropriate training and awareness programs are essential to both. The Dear CEO letter issued in February 2016 by the Jersey Financial Services Commission  and the cybersecurity note issued by the Guernsey Financial Services Commission in March 2016 both highlight that cybercrime is high on the regulatory agenda.

A firm’s approach to data security will require ongoing assessments and regular testing and reviewing. GDPR will enhance the Commissioner’s powers in relation to sanctions and a power to fine firms that fail to comply. The GDPR establishes a tiered approach to penalties for breaches with fines up to €20 million (circa £16 million) or 4% of global annual turnover for serious contraventions of the rules. For regulated financial services firms, the reporting of breaches of data protection regulation may be considered reportable to both the regulators (JFSC or
 GFSC) and the Commissioner and the mechanics of such dual reporting are currently being investigated.

We expect the responsibility for data protection compliance to fall firmly with the Board of all organizations and therefore, firms should begin thinking about the role of the Data Protection Officer and where that role sits in the firm’s hierarchy. In addition, Boards should consider receiving regular reporting on the subject and, most certainly as a first step, require GDPR to be added to the firm’s risk register.

In preparation for May 2018, firms should begin assessing their current compliance with the Data Protection legislation and determine an approach to compliance with GDPR, identifying any new requirements and start adopting and developing policies and procedures now.

How Duff & Phelps Can Help

Our team of highly trained professionals offer a broad range of regulatory services including cybersecurity; we can guide you safely through regulatory changes and compliance requirements. Our experienced Compliance and Regulatory Consulting team, based in the Channel Islands and globally, can assist your firm with:

• Undertaking a health-check and gap analysis
• Drafting and reviewing policies and procedures
• Assistance in creating a robust cybersecurity framework, including penetration testing, vulnerability assessments, incident response plans and ongoing advisory services
• Secondment of staff to assist with resourcing, particularly in regard to the Data Protection Officer role
• Delivering staff training on areas including data protection and cybersecurity