News
Print Article

No.3 - RISQED -: Data Protection: Two regulators want you to show your risk approach

05/07/2026

Introduction+

This is part 3 of 5 in a series on risk management for Jersey-registered persons.  

  • This piece covers data protection specifically. It's the one part of the series that applies whether you're JFSC-regulated but shows how RISQED can help
  • Everything in Parts 1 and 2 of this series was triggered by something the JFSC published.
    • This part is different, deliberately.
  • The obligation covered here exists independently of JFSC regulation (albeit it is an inherent risk for all Registered firms and therefore falls within the code's requirement to manage ALL risks).
  • It applies to any business in Jersey that holds personal data, whether or not it is a financial services firm.

The law requires an assessment before you process, not after an issue arises.

  • Under Article 16 of the Data Protection (Jersey) Law 2018:
    • "Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, a controller must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before the processing."
  • That's the Data Protection Impact Assessment (DPIA), and it's mandatory, not best practice, wherever high-risk processing is involved.
  • The law is specific about what has to be in it.
    • A DPIA must include a systematic description of the processing and its purpose, an assessment of whether the processing is necessary and proportionate to that purpose, an assessment of the risk to individuals, and the measures put in place to address that risk.
    • If, after those measures, the residual risk is still high, Article 17 requires the controller to consult the Jersey Office of the Information Commissioner (JOIC) before processing begins at all, not after.
  • Read structurally, that's the same shape as everything else in this series:
    • A risk position before mitigation, the controls applied, and a residual position that determines what happens next.
  • The law doesn't use that language; this is our reading of the statute's structure, not JOIC's framing of it, but the underlying logic holds regardless of which risk category you're assessing.

This isn't a regulated-firms-only problem.

  • JOIC's own guidance for SMEs is explicit that it's written for organisations
    • "Who may not have access to extensive planning and legal resources"
  • This obligation was never designed with the assumption that only well-resourced, regulated firms would need to meet it.
  • If your business processes personal data in Jersey customer records, employee data, marketing lists- the DPIA requirement can apply to you regardless of what your regulator (if you have one) asks for.
  • JOIC also makes the practical case directly:
    • Maintaining a data protection risk register lets a business identify and mitigate data protection risks and demonstrate compliance if a regulatory investigation happens.
  • That's the same argument underlying the JFSC's compliance monitoring guidance in Parts 1 and 2:
    • The risk isn't just in what could go wrong; it's in not being able to show you'd already thought about it.

When something goes wrong: breach notification

  • Everything above is about assessing risk before processing begins.
  • The law also covers what happens after something goes wrong.
    • Under Article 20 of the DPJL, a controller must notify JOIC of a personal data breach "without undue delay, within 72 hours of becoming aware of the breach, not after investigation," unless the breach is unlikely to pose a risk to individuals' rights and freedoms.
  • As JOIC's own reporting guidance puts it:
    • "Not every breach needs to be reported to our office (although you should keep a record of them). We only need to know about breaches which constitute 'a risk' to the rights and freedoms of individuals."
  • If the breach is likely to result in a high risk to individuals, the controller must also notify the affected individuals directly, and a log of all breaches, reportable or not, must be kept regardless.
  • This isn't a theoretical obligation.
  • In January 2024, the JFSC's own Data Protection Officer notified JOIC of a personal data breach affecting the JFSC's Companies Registry portal a software flaw,
    • Dating back three years, that had put the "restricted data" of nearly 67,000 individuals at risk.
    • JOIC investigated and ultimately didn't fine the JFSC, citing full cooperation and completed remediation.
  • Worth noting for what comes next in this series: even the regulator's own breach went to JOIC, not to itself.
  • For JFSC-regulated firms specifically,
    • JOIC notification is very often not the only call to make.
    • Part 4 covers what else a breach can trigger.

Where this sits in one structure, not a separate one:

  • RISQED's risk taxonomy already includes the ability for a user to set up records for GDPR-aligned risk categories alongside financial crime, operational, and other registers, so a firm's data protection risk doesn't need its own disconnected spreadsheet.
  • The same probability-and-impact scoring, the same before-and-after-controls structure, and the same named ownership model that Parts 1 and 2 describe for financial crime risk applies here too. Whoever holds the data protection officer role (where one is appointed) is visibly attached to the risks they own, rather than the DPIA living in a folder nobody revisits until the next audit.

The point of this series

  • Isn't that financial crime, data protection, cyber security (Part 4), and sustainability (Part 5) are the same risk. They're not.
  • It's that they all fail the same way when nobody has one place to keep them current, connected, and owned and that a firm that's built that structure for one regulatory obligation doesn't need to rebuild it from scratch for the next one.

Book a demo:

  • yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil   07797 936464 | Mathew   07797 747490

RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.

SOURCES

READ PARTS 2+1 BELOW

No.2 - RISQED - Is Your RISK Framework Built to Address the JFSC Financial Crime Feedback

Introduction+

This is part 2 of 5 in a series on risk management for Jersey-registered persons; it looks at Financial Crime Risk and how RISQED can help:

  • Part 1 of 5 of a RISQED series on risk management for Jersey-registered persons [below this part] provides an overview of how it provides a solution to risk management; later pieces go in depth on financial crime, data protection, cyber, and sustainability.

Financial Crime Risk

  • On 29 June 2026, the JFSC published its 2025 Financial Crime Examination Feedback, five days after quietly revising its Guidance Note on Compliance Monitoring for the first time since 2013.
  • Read together, the message is consistent:
    • Firms can usually point to the individual pieces of a financial crime framework, but struggle to show the pieces are connected, current, and owned.
  • That's the gap RISQED is built to close, not by replacing judgement, but by giving the business risk assessment (BRA), the controls that mitigate it, and the people accountable for it, a single structure to live in.

The BRA needs a methodology, not a moment in time

  • The JFSC found BRAs:
    • Hadn't been reviewed as the business changed,
    • That omitted risks the Handbook requires (proliferation financing came up repeatedly), and
    • That recorded a risk without recording what mitigated it or how risks compounded together.
  • Tellingly, the revised Compliance Monitoring Guidance names the enterprise-wide risk assessment (EWRA) specifically as the risk assessment type "required under AML/CFT/CPF regulations to identify and mitigate financial crime risks at an organisational level";
    • This isn't a rebrand of the BRA,
    • It's the JFSC being explicit about what a firm-wide financial crime risk assessment needs to achieve.
  • RISQED is built as a BRA methodology first, rather than a template that goes stale the day it's signed off; RISQED will
    • Provide a consistent structure for identifying inherent risk and the risk owners,
    • Document (and link) the controls that mitigate it
    • Allow you to revisit both through your integrated CMP and as the business or its environment changes,

Control effectiveness is where "adequate" becomes evidenced.

  • The JFSC doesn't prescribe a specific scoring model for control effectiveness; it never has. What its revised Compliance Monitoring Guidance does require is that
    • Firms can show controls are "operating as intended" and
    • That testing surfaces the "strengths and weaknesses across the control framework."
  • Where firms fell short in the 2025 examinations,
    • It was rarely that they'd misidentified a risk.
    • It was that their policies didn't explain how to apply the control.
    • Their compliance monitoring plan (CMP) couldn't evidence the control had been tested.

RISQED scores risk on probability and impact   

  • The same two factors the JFSC uses in its own risk-based supervision approach, starting from the gross position, adjusting for the controls and treatment applied, and then moving again once CMP testing confirms whether those controls are actually working.
  • A test result doesn't just get filed; it visibly moves the risk position it relates to.
  • We haven't built this because the JFSC mandated a formula; it hasn't. We built it to meet guidance proportionately and defensibly for every firm, at a price point designed for firms replacing spreadsheets, not for those budgeting for enterprise GRC builds.

Risk owners need to be named, not implied

  • The JFSC's MLCO/MLRO findings weren't about competence; they were about visibility.
  • Conflicts of interest that existed but weren't logged. Resourcing gaps nobody had formally assessed. Board reporting that happened but was never documented so that oversight couldn't be evidenced after the fact.

RISQED addresses this structurally:

  • Risks in the platform sit against clear ownership: who's responsible, accountable, consulted, and informed, so your MLCO and MLRO aren't just named somewhere in a P&P; they're visibly attached to the risks they own, with conflicts, resourcing, and reporting sitting alongside them.

The pattern the JFSC keeps describing is

  • A financial crime framework in which the BRA, the controls, and the people responsible for both aren't visibly connected.
  • RISQED's job is to make that connection structural, rather than something you reconstruct manually when an examiner asks for it.
  • We'll go deeper on DATA PROTECTION AND SUSTAINABILITY in the updates that follow this update.

Book a demo:

  • yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil   07797 936464 | Mathew   07797 747490

RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.

Part 2 (sources):

READ PART 1 BELOW

Part 1: RISQED - One Methodology for Every Risk (JFSC's Summer 2026 Guidance)

Introduction

  • This Part 1 of 5 of a RISQED series on risk management for Jersey-registered persons
  • This Part 1 provides an overview of how it provides a solution to risk management; later pieces look at financial crime, data protection, and sustainability risks and how RISQED helps.

ALL RISKS

Between 4 and 29 June 2026, the JFSC did two things worth reading together.

  • It revised its Guidance Note on Compliance Monitoring for the first time since 2013, and
  • It published its 2025 Financial Crime Examination Feedback.

Please read them separately; they look like two documents on the same topic. Read together, the pattern is broader than financial crime:

  • Firms can usually point to the individual pieces of a risk framework, but struggle to show the pieces are connected, current, and owned, whichever risk you're looking at.

That's not a financial crime-specific problem, and the Codes of Practice for registered persons, not just Schedule 2 persons, say so directly.

  • Principle 3 requires a registered person to
    • "Organise and control its affairs effectively... and
    • Be able to demonstrate the existence of adequate risk management systems."
  • The Code is explicit about scope: in this context,
    • "Risk" refers to all the risks a registered person faces, or may face, "as a business enterprise"   not a named subset of them.
  • The Code mentions Cyber risks, and this year the JFSC has issued documents that address other risks; two prominent ones include
    • Financial crime
    • Sustainability risks
  • What is important is that these are not the only Risks Principle 3 covers.

Why one methodology, not four

  • The instinct, when a new risk category demands attention, is to build a new spreadsheet for it.
  • That's how firms end up with a financial crime risk register, a separate data protection tracker, a sustainability questionnaire from last year's consultation, and no single view of where any of them stand relative to each other or to the board.

RISQED is built the other way round:

  • one methodology: probability and impact scored from gross risk, through the controls and treatment applied to a residual position once compliance monitoring plan (CMP) testing confirms whether those controls are actually working, applied consistently across risk categories, with named ownership (who's responsible, accountable, consulted, informed) attached to each one.
  • The same structure that answers a financial crime finding answers a data protection or sustainability finding, because it's the same underlying question every time: what's the risk, what's mitigating it, has that mitigation been tested, and who owns it.

A quick tour of Risks that the JFSC talk about (sources below)

  • Financial crime.
    • The JFSC's 2025 examinations found BRAs that hadn't kept pace with the business, risk appetites that weren't consistently applied, and MLCO/MLRO conflicts and oversight gaps that weren't documented.
    • We go deep on this in the next piece in this series.
  • Data protection.
    • This one isn't a direct JFSC obligation at all (albeit it is a regulated firm risk), which is exactly the point; it applies whether or not you're JFSC-regulated.
    • Under Article 16 of the Data Protection (Jersey) Law 2018, any organisation carrying out processing likely to result in high risk to individuals' rights and freedoms must complete a Data Protection Impact Assessment before that processing begins.
    • The JFSC's own guidance even acknowledges the overlap, noting that a firm's CMP "may also extend beyond the financial services and countering financial crime legislation to include areas such as... data protection laws."
  • Sustainability and climate risk.
    • The JFSC's Guidance Note on Sustainable Finance sets a baseline under two principles:
      • Principle 3, assessing and managing climate-related risk, and
      • Principle 7, ensuring sustainability-related claims are fair, clear, and not misleading.
    • Its baseline good practice is proportionate by design: assess climate risk as part of ordinary risk management, document it proportionately, and escalate to the board, which can conclude risk is immaterial and take no further action beyond periodic review.
    • Climate risk is meant to sit inside existing risk registers and categories, not stand apart from them.
  • Cyber security.
    • Also anchored in JFSC cyber web pages and Principle 3 of the codes are the following statements:
      • The Codes require a documented policy to identify assets and risks, protect them, detect incidents, respond, and recover.
      • All financial services businesses are exposed to cyber risks. They need to be aware of the threats and defend themselves effectively if a cyber event occurs.
  • There are many more.....

Four do go into one.

  • Four categories, four different regulatory sources, one requirement running underneath all of them: a documented, proportionate, board-visible view of the risk, the controls, and who's accountable for both.
  • RISQED's job is to be that one structure, not four separate tools, each answering a different examiner's question.
  • We'll go deeper on financial crime, data protection, and sustainability in the pieces that follow this update.

Book a demo:

  • yes@comsuregroup.com [Comsure is the distributor of RISQED] | Sunil   07797 936464 | Mathew   07797 747490

RISQED is BETA, in active development, and now being used. If you're evaluating it against a specific regulatory requirement, we're happy to walk through exactly how it maps to your framework.

For Part 1 (sources):

MLCO RISQED JFSC DATA PROTECTION BRA JERSEY

The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more

Gallery

View our latest imagery from our news and work

Find out more

Contact

Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.