Introduction

The Data Protection (Bailiwick of Guernsey) Law 2017 (the Law) came into force on 25 May 2018.

Figures published recently show that the reporting of data breaches has increased, with forty five being reported in the two months up to 22 February 2019 alone.

Almost one year on, and with some limited transitional provisions expiring on 25 May 2018, it is therefore an opportune time for businesses to take stock and ensure they are doing they can to comply with the Law.

This briefing note is an updated version of a briefing note first published by this firm in May 2018.

Does the Law Apply to My Business?

The Law applies to any organisation where the personal data being processed is that of a Bailiwick resident and it is processed in the context of offering goods or services to the resident.

Processing means obtaining, recording or holding the information or data.

It is therefore very likely that the Law does apply to your business. What then should your business be doing to ensure compliance?

1. Evaluate and Assess

The first step is to evaluate what personal data the organisation holds, and where, how, why and for how long. Does the organisation share such data with third parties? Does it hold special category data, such as information about physical or mental health? What data does it hold about its employees?

This audit, which should be recorded, will help inform the next steps that the organisation will need to take.  

2. Process According to GDPR Principles

An organisation must process personal data in compliance with the principles of GDPR, as set out in Part II of the Law, such as having a lawful basis for processing that data and only to the extent it is adequate, relevant and limited to what is necessary.

The legal basis on which all personal data is held will need to be reviewed and documented, and processes will need to be introduced to ensure compliance with those principles. For example, it may well be that processing is necessary for the performance of a contract and for the organisation to comply with the law (for example regulatory obligations). However, that is not always the case and, in any event, further thought should be given as to where personal data may be used for other purposes, such as marketing.

3. Third Party Sharing

Where personal data is shared with third parties, for example in an outsourcing arrangement, again, details of how, where and for how long they store such data must be obtained, and contracts will need to be reviewed to ensure they are compliant with the Law. It is important to bear in mind that those third parties may include an organisation’s bank or even the company that is responsible for collecting its shredding bins!

4. Inform Data Subjects

Data subjects must be informed about how their personal data is stored and used. This is typically done in the form of a privacy notice and usually includes, but may not be limited to:

  • The personal data the organisation collects.
  • The purpose for legal basis on which someone’s data is processed.
  • Details of any third-party recipients and countries it is transferred to.
  • How long it will be kept.
  • The recording of consent (if appropriate) and the rights afforded by GDPR.
  • How to Make a Complaint.

5. Policies and Procedures

Various policies and procedures must be put in place or amended. For example, they will need to address:

  • How an organisation will handle a request by someone asking to exercise the rights they have under GDPR. This might be to have their personal data deleted, or if somebody makes a subject access request. Note that an organisation will have one month to comply with a subject access request.
  • How an organisation should respond if there is a data breach. Note that a data breach will need to be reported to the Office of the Data Protection Authority (ODPA) in Guernsey within 72 hours.

6. Data Protection Responsibility

Thought will need to be given as to who will be responsible for data protection in the organisation. In some cases, such as where large-scale processing of special categories of data is carried out, it is a requirement that a Data Protection Officer (DPO) is appointed who will, amongst other things, be responsible for monitoring the organisation’s compliance with the Law. Even if a DPO is not appointed, someone at board level should be tasked with that responsibility, and for updating the board about data protection in general.

7. Staff Training

In any event, regardless of whether an organisation is obliged to appoint a DPO, it must ensure that it has sufficient skills and staff to discharge its obligations under the Law. Linked to that, it is vital that staff have sufficient training so that they are aware of and understand those obligations and what they are required to do by reference to an organisation’s policies and procedures.

8. Data Protection Impact Assessment

An organisation may need to carry out a data protection impact assessment (DPIA) if and when a new data processing system or technology is introduced. A DPIA helps organisations identify, assess and mitigate or minimise privacy risks with such activities.

9. Office & IT Security

From a practical point of view, an organisation should review its office and IT security, with a view to taking all the steps that it can to improve that security to minimise the risk of a data breach. If the organisation does not already have one, it would be a good idea to have a relevant policy so that staff can be informed and they know what to do in the event an issue arises.

Here to Help

Although ensuring compliance with the Law may seem daunting, even for a small organisation, it is likely to mean a significant shift in the way we all think about and handle personal data. That shift will doubtless present both challenges and opportunities but, in short, embracing data protection as a fundamental part of an organisation’s culture is bound, in the long run, to pay dividends.

Ferbrache & Farrell LLP can help any business on its journey to becoming compliant with the Law by advising on the legal issues that it may need to address, and by reviewing existing contracts, policies and procedures and drafting any other related documents that may be required.

Author Martin Jones Advocate, Partner & Head of Dispute Resolution