25 May 2018 – a date which is imprinted on many people’s memories, as the EU’s General Data Protection Regulation (GDPR) was enforced from this date. Guernsey had of course been busy in the previous two years producing its equivalent legislation, which came into force on the same day. Move the dial forward a year and the impending end of the “transition period” has prompted a fresh wave of work to ensure any items left in abeyance from May 2018 are addressed.

The past twelve months has seen privacy and data protection skyrocket in terms of coverage and awareness. The hottest topics in our digital age, not a day goes by without significant developments occurring somewhere in the world. Privacy is at the forefront of public awareness and a major area of focus for legislative bodies across the world. Once Apple starts making adverts about privacy, you know it is important…

Whilst there was some scepticism as to whether the GDPR standard could extend its tentacles beyond Europe, a significant number of jurisdictions have since reformed their laws, established or overhauled existing regulatory bodies and pushed businesses to take the issue seriously. Regardless of whether this is motivated by economic factors (fear of missing out on technology and trading advantages that the free flow of data provides) or concern for human rights, the momentum is irreversible.

New technologies mean that regulators are constantly playing “catch up”, but there is a clear move towards transparency, choice and “trust”. Market forces are dictating that those who safeguard our data will see more of our business, particularly in the online marketplace.

Take the Facebook/Cambridge Analytica scandal; the fallout prompted the UK Government to commission an investigation into the use of data in political campaigning. We have subsequently seen prosecutions, demands for reform and a global recognition that data misuse is a major concern.

The bewildering, overarching impact of data protection on all areas of our lives means that it is also difficult for businesses to keep up. This does not mean that the basics cannot be done well; indeed building a solid foundation is essential. Finding the time and resource to keep pace with opportunity and change is tough – the Information Commissioner’s Office itself recently commenced a consultation with “Adtech” businesses in order to better understand the issues arising and current practices. The amount of processing taking place “behind the scenes” in order to generate a relevant “pop up” advert on your device’s screen is fascinating, but (at present) fairly opaque.

This state of flux is reflected in the development of the local marketplace. Initially, the focus was on ensuring that the customers’ data was protected and the business’ infrastructure was reviewed and policies updated. Since then, the focus has turned towards the supply chain – what measures of protection are in place when dealing with outsourced service providers, suppliers and other third parties? One only has to mention “Target” to remind people of the importance of ensuring that your own security measures are only effective if mirrored by suppliers. We have been working with clients to update and overhaul existing contractual arrangements to ensure supply chain measures are robust.

Cyber security concerns are endemic, and rightly so. However, there are many simple steps that businesses can take to ensure a basic level of security and mitigate the risks to a manageable level. As Guernsey’s Data Protection Authority noted in its recent newsletter, most of the data breach issues they are seeing arise from human error. These include using incorrect email addresses, sending the wrong attachment and failing to “blind copy” addressees to emails. These are essentially issues of awareness and training. Phishing emails continue to be a big threat, and there are of course nation states out there employing factories of hackers to try to breach our collective defences, but it is often these basic errors that are the most costly.

We have also seen a rise in the number of Data Subject Access Requests (DSARs). There is a measure of trepidation around handling one correctly, given their novelty for some businesses. There are many misconceptions around DSARs which persist, despite case law to the contrary (you are not automatically entitled to a copy of every document on file, for example). It is important to establish a process and take advice (if needed) on your approach to responding to DSARs, as it is easier to apply good practice (and eliminate errors) and embed it if the approach is correct at the outset. It remains to be seen whether DSARs will remain “popular”, but we are increasingly seeing them used as a tool by disgruntled employees, so expect more on that front!

The next few months will be interesting, with transition coming to an end and the Irish Data Protection Commissioner confirming that there will be some announcements over the summer in relation to their investigations into Facebook (and others). A lot has happened in the past twelve months, there is similarly a lot on the horizon for the next twelve months – watch this space!

Share
Twitter LinkedIn Email Save as PDF
More Publications
30 Jul 2021 |

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021 |

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...

4 May 2021 |

New Private Investment Funds in Guernsey

In December 2020, the Guernsey Financial Services Commission (Commission) published a consultation p...

Contributors: Oratile Jonas
16 Mar 2021 |

Guernsey Structures - The Cannabis Investment Conundrum

Jurisdictions around the world have adopted different positions in relation to the legality of the c...

12 Mar 2021 |

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021 |

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...

23 Feb 2021 |

Fit and Proper in the Channel Islands – A Regulatory Enforcement Update

It is sometimes easy to forget with all that has happened over the last 12 months that there was a w...

27 Jan 2021 |

Levies, registration and all that jazz

Regulatory markets evolve at various speeds and the data protection regime is one example of a marke...

6 Jan 2021 |

Executors navigating the “perfect (company) storm”

Corporate governance has become one of the most hotly debated topics in recent years. Whether it be ...

Contributors: Paula Fry