Data protection risk at board level

Data Protection risk and liability at Board level in Jersey

Offshore boards have to navigate data protection risk and liability just like any other part of an organisation. If you are working as a non-executive director in Jersey, here are a few things to consider.

Firstly, fairness, transparency, and trust are non-negotiable pillars of every organisation’s governance model. The treatment of personal information is at the core of governance and risk management.

Personal information flows throughout every organisation. Stop and consider for a moment whether the organisation you help to lead can function without it. We all expect organisations to protect our personal information and use it fairly and respectfully, whether we are a client or a member of staff.

So, do to others as would be done unto you …

Data Protection legislation helps ensure we all receive appropriate legal protections and remedies in today’s highly digitised world. We can hold organisations entrusted with our personal information accountable. We can set standards for how organisations use information. And, as a last resort, we have a framework for enforcement if rules are breached.

Data protection for non-executive directors

Next, consider how you can hold the executive to account. How do you stress test the effectiveness of the data protection policies and procedures embedded in the organisation? What is your risk appetite? Consider the impact any regulatory action could have on you and the organisation, including the impact of any fines.

While good data protection regulation should promote economic growth, its primary purpose is to recognise that privacy is a fundamental human right, under increasing threat. Rapidly advancing technology has transformed privacy risks exponentially. The Jersey Office of the Information Commissioner (JOIC) can help you understand your obligations under the Data Protection (Jersey) Law 2018 (DPJL) and how it helps you maintain client and staff trust.

The DPJL places direct obligations relating to the processing of personal information on businesses and organisations. As a result, it is easier for executive and non-executive directors to navigate data protection risks and liabilities.

Handling information correctly

Then, consider the processes. The DPJL is based around six principles of ‘good information handling’. These principles place certain obligations on organisations responsible for processing personal data and set standards for handling it. The DPJL states that an organisation can only process personal information if it meets certain conditions. For instance, you must process personal information fairly, for a specified and legitimate purpose, limited to what you need. You must therefore not keep personal information longer than needed.

In a recent survey undertaken by the JOIC, 82% of our 381 respondents felt it was important for organisations to keep personal information safe and secure.

As a 21st century NED you have independent oversight and should constructively challenge executive directors and hold management to account. Data protection is a fundamental part of the risk management landscape, and the Data Protection (Jersey) Law 2018 is part of your statutory duties as a NED. You are responsible for governance and, accordingly, for your organisation’s compliance with its terms.

Board room support sessions

Finally, there is help out there.

The JOIC is offering a limited number of Board Room Support Sessions to help boards and NEDs navigate the data protection landscape. We will share best practice, helping you understand data protection risks and responsibilities for the board and for management.

We are therefore reaching out to offer support for you and your board for all matters relating to data protection. Our support includes practical guidance and tools to help you stress test how your organisation deals with data protection matters, and to help you discover the impact this has on the board. In addition, these transferable tips will help in all walks of life.

This is an opportunity to work with experts in a safe space where you can test the data protection practices in your organisation, and identify risks in advance.

Above all, our support is confidential and non-adversarial. However, as we are charged with regulating the Data Protection (Jersey) Law 2018, our duty is to act if we identify non-compliance.

For more information on data protection in Jersey, see the Jersey Office of the Information Commissioner.


Article by Anne King, Communications and Operations Manager, JOIC.

To book your Board Room Support Session and find out more about data protection risk and liability for boards, please contact A.king@jerseyoic.org
