Martin Jones and Adam Cole, of Ferbrache & Farrell LLP, consider the recent proposed amendments to the Bailiwick’s Data Protection Law and their impact on local businesses.
On 13 March 2017, Guernsey's Committee for Home Affairs submitted a policy letter covering the Bailiwick’s response to recent EU legislation concerning data protection and seeking decisions about the way forward.
That legislation was published in May 2016, and will replace the existing 1995 Data Protection Directive from May 2018. The legislation consists of two legal instruments, the General Data Protection Regulation (“the GDPR”) and a Directive relating to the processing of personal data for the purposes of the prevention of crime (“the Law Enforcement Directive”).
Guernsey currently has local data protection legislation in the form of the Data Protection (Bailiwick of Guernsey) Law 2001, which gives effect to the 1995 Directive.
Regardless of whether Guernsey implements its own legislation, the GDPR has extra-territorial effect and as such will impact on Guernsey businesses and organisations when it starts being enforced in May 2018.
The policy letter seeks the States' approval for the preparation of legislation aligning Guernsey's data protection legislation with both the GDPR and the Law Enforcement Directive, so as to demonstrate that Guernsey is a jurisdiction that provides adequate levels of protection for personal data.
The current data protection legislation already applies to all data controllers established in the Bailiwick. A “data controller” is a person who (either alone or jointly or in common with other persons) determines the purpose and manner for which any personal data is to be processed.
Data controllers may process personal data when various conditions are met, for example the data subject consents or the processing is necessary for the performance of a contract to which the data subject is a party.
A data processor is a person (other than an employee of the data controller) who processes the data on behalf of the data controller.
The Policy Letter sets out a number of proposals for the preparation of new local legislation which is consistent with the requirements of the GDPR, such as:
- Strengthening data subjects' rights in relation to both access and use of personal data.
- Introducing legal obligations on data processors, for example to notify a breach to the data controller.
- Imposing legal obligations on data controllers to report data breaches to the Supervisory Authority (see below).
- Setting out legal frameworks for international data transfers.
- Imposing a requirement to appoint a Data Protection Officer in certain circumstances.
- Introducing a system of administrative fines which may be imposed for breaches of the law.
- Creating the "Data Protection Supervisory Authority" to fulfil the role currently held by the Data Protection Commissioner.
As the policy letter states:
"The GDPR represents the biggest global change in data protection in well over a decade and is a regulation that is relevant to every organisation, irrespective of size of sector"
A date for the policy letter to be discussed by the States of Deliberation has yet to be agreed, but that discussion will need to happen soon given the tight timetable. In any event, given the extra-territorial effect of the GDPR, all businesses and organisations in the Bailiwick will need to take steps soon to ensure they are able to comply with it. Implementing those steps is likely to pose a challenge but, more generally, and perhaps in a similar way to the growth of the compliance industry, the development of a well-regulated, compliant jurisdiction in the context of data protection reform could also present many opportunities.