Busting Data Protection Myths Part 1

Being informed about our data protection laws also involves being able to distinguish valid information about them from misinformation. It is important to avoid succumbing to the many myths currently in circulation. These myths concern what the laws entail, whom they cover, and how long they have been in place. Many people believe these myths to be true. They have misled individuals to disclose information when they should not, and to refuse to disclose when they should. Some organisations have incurred unnecessary expenses acting on incorrect information about the laws. Therefore, there is great value in dispelling these myths.

Data Protection is a Recent Innovation

One common myth is that data protection only became a legal requirement with the promulgation of the new GDPR-based law in 2018. In fact, Jersey has had a data protection law for more than 30 years. The Data Protection (Jersey) Law 2018 (the 2018 Law) included some new provisions, but most of the fundamental requirements for data protection were already included in the 2005 law. These included the general rules around the collection, use and disclosure of personal data, as well as the individual rights to request access to and correction of personal data. Most of the changes in the 2018 Law relate to the establishment of the Jersey Data Protection Authority (the Authority), whose day-to-day functions are carried out by the Jersey Office of the Information Commissioner, and to giving it sufficient powers to enforce the law. From the viewpoint of public authorities and private businesses, very little has changed, other than there being even more incentive to comply with the existing requirements. As long as these organisations have already been complying with the previous law, they should not have had to incur any significant new costs or administrative burden in order to comply with data protection requirements.

In addition to the requirements to comply with the rules regarding the fair processing of personal data, controllers and processors must also register with the Authority. Again, this is not a new requirement. The Commissioner (in its previous forms) has administered a registry of data controllers since 1987. Some organisations are exempt from paying a registration fee and some do not have to register at all. Another common myth is that organisations that do not have to register do not have to comply with the other requirements of the 2018 Law. There are some unregistered controllers and processors that are resistant to registering for fear of incurring general compliance costs. In truth, the issues of complying with the processing rules and registration are entirely separate. Controllers of personal data have always been required to comply with the processing rules, which have been in place since before 2018.

Is data protection bad for business?

One of the biggest myths is that data protection is bad for business: the costs of compliance are onerous and provide no benefits. On the contrary, personal data is an asset with increasing monetary value. It is subject to being lost or stolen, entailing considerable short-term and long-term costs. The short-term costs involve the time and money spent to clean up after a breach. There is also the question of financial liability to the data subjects affected, as well as court costs. The long-term costs are loss of client confidence resulting in loss of business. Our data protection laws implement a common-sense approach to good data stewardship that reduces the risk of data breaches and minimises the costs of recovering from them. Data protection should be an integral component of organisational risk management, irrespective of the existence of data protection laws. There is nothing onerous about a requirement to provide adequate security for valuable assets. It is good business practice to collect only the data an organisation truly needs, to use it only for the purpose collected, and to destroy it after it is no longer required. Data protection is a sound business investment comparable to a prudent insurance policy.

A good data protection regime can attract new clients for individual businesses and the entire community. An internationally recognised data protection enforcement framework (strong laws and an effective regulator) can better facilitate cross-border data transfers. The extensive publicity that data breaches have received in recent years has made the public sceptical about sharing their personal data. Businesses that develop reputations for sound data protection practices gain an edge in the marketplace against their competitors. Trust and confidence are essential for business success, particularly in the digital economy. Data protection instils confidence and creates opportunities for businesses that use personal data. In summary, data protection is actually good for business in many ways.

*JOIC welcomes suggestions for future blog topics. Have you got a suggestion? Please email events@jerseyoic.org