Roll on ten years and we have Trump as President, the World Cup raising national hopes disproportionately, the financial markets are jittery ahead of Brexit and celebrity culture is pervasive. Ed Sheeran has taken up the musical mantle and there is much anticipation around the release of “Bohemian Rhapsody”. Progress in some areas, regression in others – I’ll leave you to debate which…
One area which has progressed beyond recognition (and for the better) is that of Data Protection. In 2008, the 2001 law was in force in Guernsey, the proliferation of digital data was a fraction of its current levels and businesses were predominantly focused on anti-money laundering (AML) requirements. Whilst data protection was the “poor cousin” of AML in 2008, one of the largest breaches in history (affecting some 130 million customers of Heartland Payment Systems in the USA) nevertheless took place that year. However, this was the exception, rather than the norm. We now see data breach headlines on a daily basis, with the number of those affected and the sophistication of the attacks constantly increasing.
The world is of course a very different place today – the EU’s General Data Protection Regulation (GDPR) became enforceable from May 2018. Guernsey’s equivalent legislation (The Data Protection (Bailiwick of Guernsey) Law, 2018) came into force on the same date. This legislation represents the biggest overhaul of data protection in a generation and lays the foundations for the protection of our most vital assets in the digital age.
Whilst the GDPR is a creature of the EU, it has already had a global impact. A number of countries outside the EU have overhauled (or created) their legislative regimes to seek parity, and businesses are scrutinising their supply chains, dispensing with those who cannot (or will not) meet the grade in terms of data protection. As individuals, our rights are given greater prominence and we are entitled to transparency and accountability as to what happens to our data. This recognition and the accompanying cultural change is vital, if our personal life is to remain just that in today’s digital market. Whilst the threat of large fines drives some level of change, reputational damage can often be more detrimental.
The Cambridge Analytica scandal has opened the public’s eyes to the abuses that can go unchecked and the potential impact data analytics and algorithms can have on our daily lives, usually without us actually knowing about it. That we have been subjected to a degree of manipulation through use of our data is unsurprising; we have been exposed to advertising, political messaging and the like for many years. However, the ability of companies to obtain our data from a variety of sources, combine it with other information and commercialise it to their advantage has never been as prevalent.
At the same time, a dazzling array of innovations has desensitised us to some of the issues which come with those developments. Making bookings for holidays online and arranging our affairs at the swipe of a screen is incredibly efficient, but if it results in us being exposed to identity theft, is it worth the risk?
The monetisation of our data has been a feature of e-commerce for some years. Data is crucial for every business; the more you know about customers, suppliers and competitors, the better you are able to innovate, be efficient, make targeted investments and remain profitable. Opportunities for us to maximise the value in data are still developing.
Guernsey has been safeguarding data for a long time; it is inherent in the nature of much of the financial services industry in the island. We have a good foundation upon which to build. The foresight of the States and industry in spotting the importance of GDPR is paying off; we are recognised within the EU as being ahead of the curve. We have a respected board at the Authority and a renowned Commissioner putting in place a future-proofed regime which will maintain our position in years to come.
It is true to say that GDPR and its local equivalent are still subject to questions of interpretation, but that is in many ways an opportunity for us. We can adapt where necessary, progress initiatives which can be the blueprint for other jurisdictions and yet retain the stable and consistent regulation which attracts business in times of turbulence.
With ePrivacy on the distant horizon, adequacy being reviewed and a host of opportunities in between, I’m hopeful that I’ll be looking back on this after the next decade to see Guernsey as a leading “trusted jurisdiction”, with a larger digital footprint and a skilled workforce which is embracing the digital future which is already upon us. Hopefully it won’t be accompanied by Mamma Mia 3…