5 ‘MUST DO’ Data Storage Imperatives
Data is your Business Capital – Keep it Safe
Companies in the Channel Islands and the Isle of Man (CIIOM) are uniquely placed to offer business services to customers locally, in mainland Europe, and the UK - as we benefit from a less stringent approach to data handling and privacy than other locations.
Whilst this may seem beneficial to companies seeking to store data in a cost-effective manner, security remains paramount for all, and our growing importance as an international finance centre makes it especially important to those operating in the fiduciary and banking sectors.
For many CIIOM stakeholders, the data protection laws in our islands mean that information held here is well protected in law, and the absence of a 'snooper's charter' gives organisations greater control over their stored data. Smart companies ensure their systems benefit from the highest levels of security and storage, with any security breach dealt with quickly and efficiently, because protecting reputation and customer trust is vital.
Meeting and exceeding regulatory compliance and protection creates a solid foundation on which to operate, and the five main data storage imperatives are:
Data Protection Law
The law requires personal data to be processed in a fair, lawful, and transparent manner, collected and stored securely, and subject to the individual's rights to access, rectify, and erase their data where the law provides. It applies to any organisation that processes personal data, including public authorities, businesses, charities, and other organisations. Data must be used for specific, legitimate purposes and kept accurate and up to date. Organisations must not keep data for longer than is necessary, and must respect an individual's right to object to the processing of their personal data.
Jersey and Guernsey regulations require copies of data to be held both online and offline.
Cyber Security Directive
The Cyber Security Directive makes organisations duty bound to take appropriate measures to protect their systems, networks, and data from cyber threats. Appropriate technical and organisational measures must be in place to protect data, and to prevent and respond effectively to any cyber breach.
This includes risk management: assessing and identifying risks, and implementing security controls proportionate to them. The directive also covers measures to prevent and mitigate the impact of cyber-attacks, and to detect, report, and respond to them. Organisations must ensure the ongoing security, confidentiality, integrity, and availability of their networks and systems.
Data Retention
Certain organisations, notably communications service providers, are required to retain specified types of data for a set period. This includes communications data such as the time, date, duration, origin, and destination of a communication, and the type and means of communication. Data must be retained for a minimum of 12 months, extendable to 24 months in certain circumstances. It must be stored securely and be accessible to the relevant authorities on lawful request. Retained data must be accurate, up to date, and relevant; it must not be used for any purpose other than that for which it was originally collected, nor disclosed to any third party without a lawful basis such as explicit consent.
Data Breach Notification
Organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it. The notification must describe the breach, the categories of personal data and approximate number of individuals affected, the measures taken to mitigate it, and a point of contact (typically the data protection officer). Where the breach is likely to result in a high risk to the individuals affected, they must also be notified without undue delay. Organisations must keep records of all data breaches for at least two years, including the date and nature of the breach, the personal data affected, and the mitigation taken; these records are how the supervisory authority verifies compliance after the fact. Failure to comply with breach notification law can result in enforcement action.
General Data Protection Regulation - GDPR
This applies to organisations processing the personal data of individuals in the European Economic Area (EEA), and requires appropriate technical and organisational measures to protect personal data. Organisations must comply with GDPR requirements for the storage, processing, and transfer of personal data, protecting it from unauthorised or unlawful processing and from accidental loss, destruction or damage. Personal data must be stored only for as long as the purpose for which it was collected requires, and must not be transferred outside the EEA unless the destination country has been found to offer adequate protection or other appropriate safeguards (such as standard contractual clauses) are in place. Organisations must also tell individuals how their personal data is used.
It’s not worth the risk
Compliance with data storage legislation protects against enforcement action by the supervisory authorities, and organisations promote robust security and storage credentials to build customer confidence and trust. Effective security and storage measures also protect against the financial loss and reputational damage that follow a security breach.
Threats from cyberspace are increasingly sophisticated, and robust storage is needed to protect against theft of and damage to company information. Our immutable storage solutions first encrypt data and then store it using a 'write once, read many' (WORM) approach: once written, an object cannot be overwritten or deleted for the duration of its retention period, so ransomware or a malicious insider cannot silently alter or destroy the stored copy. Immutability protects the stored copy; it does not substitute for access control on the systems that write to it or for verifying that what is read back is what was written.
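To make the WORM property concrete, the following is an added example (not Sure Business's product code) of a minimal write-once-read-many object store. It is hypothetical and in-memory; the store names, keys and sample ledger content are constructed for the example. It shows the three behaviours a practitioner should expect from immutable storage: a second write to the same key is refused, deletion is refused, and an out-of-band edit of the stored bytes is detected on read via a keyed HMAC-SHA256 tag bound to both the key and the content. Encryption of the payload before it reaches the store, which the text above mentions, is assumed to happen in a separate layer and is not shown here.

```python
"""Added example (hypothetical, not the page's product): a minimal WORM store
with tamper detection.

Assumptions: objects live in memory; integrity comes from an HMAC-SHA256 tag
over (key, content) computed at write time and re-checked on every read.
A real deployment would back this with a WORM-capable filesystem or cloud
object lock and encrypt the payload before it is handed to the store.
"""
import hashlib
import hmac
import secrets


class WormViolation(Exception):
    """Any attempt to overwrite or delete an existing object."""


class TamperDetected(Exception):
    """Stored bytes no longer match the integrity tag recorded at write time."""


class WormStore:
    def __init__(self, mac_key: bytes) -> None:
        if len(mac_key) < 32:
            raise ValueError("MAC key should be at least 256 bits")
        self._mac_key = mac_key
        self._objects: dict[str, bytes] = {}
        self._tags: dict[str, bytes] = {}

    def _tag(self, key: str, data: bytes) -> bytes:
        # Bind the tag to the key as well as the content, length-prefixed, so an
        # attacker cannot swap two legitimately stored objects without detection.
        msg = len(key).to_bytes(4, "big") + key.encode() + data
        return hmac.new(self._mac_key, msg, hashlib.sha256).digest()

    def put(self, key: str, data: bytes) -> None:
        """Write once: a second put for the same key is refused, not merged."""
        if key in self._objects:
            raise WormViolation(f"{key!r} already exists; overwrite refused")
        data = bytes(data)
        self._objects[key] = data
        self._tags[key] = self._tag(key, data)

    def get(self, key: str) -> bytes:
        """Read many: every read re-verifies the tag before returning data."""
        data = self._objects[key]
        if not hmac.compare_digest(self._tags[key], self._tag(key, data)):
            raise TamperDetected(key)
        return data

    def delete(self, key: str) -> None:
        raise WormViolation(f"{key!r}: deletion is not permitted in a WORM store")

    def _corrupt_on_disk(self, key: str, data: bytes) -> None:
        # Test hook only: simulates an attacker who bypasses the API and edits
        # the underlying storage directly (e.g. with raw disk access).
        self._objects[key] = data


def demo() -> dict:
    """Exercise the three properties: write-once, no delete, tamper-evident."""
    store = WormStore(secrets.token_bytes(32))
    key = "ledger/2024-01.csv"                 # constructed sample object name
    store.put(key, b"tx,amount\n1,100\n")      # constructed sample content
    outcome = {"first_read": store.get(key)}
    try:
        store.put(key, b"tx,amount\n1,999\n")
        outcome["overwrite_refused"] = False
    except WormViolation:
        outcome["overwrite_refused"] = True
    try:
        store.delete(key)
        outcome["delete_refused"] = False
    except WormViolation:
        outcome["delete_refused"] = True
    store._corrupt_on_disk(key, b"tx,amount\n1,999\n")
    try:
        store.get(key)
        outcome["tamper_detected"] = False
    except TamperDetected:
        outcome["tamper_detected"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the HMAC is that "cannot be modified" at the API is only half the guarantee: an attacker with access below the API (disk, backup media, a misconfigured bucket) can still change bytes, so immutable storage should be paired with integrity verification on read and the MAC key kept outside the storage system it protects.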