25 May 2018 – a date which is imprinted on many people’s memories, as the EU’s General Data Protection Regulation (GDPR) was enforced from this date. Guernsey had of course been busy in the previous two years producing its equivalent legislation, which came into force on the same day. Move the dial forward a year and the impending end of the “transition period” has prompted a fresh wave of work to ensure any items left in abeyance from May 2018 are addressed.

The past twelve months has seen privacy and data protection skyrocket in terms of coverage and awareness. The hottest topics in our digital age, not a day goes by without significant developments occurring somewhere in the world. Privacy is at the forefront of public awareness and a major area of focus for legislative bodies across the world. Once Apple starts making adverts about privacy, you know it is important…

Whilst there was some scepticism as to whether the GDPR standard could extend its tentacles beyond Europe, a significant number of jurisdictions have since reformed their laws, established or overhauled existing regulatory bodies and pushed businesses to take the issue seriously. Regardless of whether this is motivated by economic factors (fear of missing out on technology and trading advantages that the free flow of data provides) or concern for human rights, the momentum is irreversible.

New technologies mean that regulators are constantly playing “catch up”, but there is a clear move towards transparency, choice and “trust”. Market forces are dictating that those who safeguard our data will see more of our business, particularly in the online marketplace.

Take the Facebook/Cambridge Analytica scandal; the fallout prompted the UK Government to commission an investigation into the use of data in political campaigning. We have subsequently seen prosecutions, demands for reform and a global recognition that data misuse is a major concern.

The bewildering, overarching impact of data protection on all areas of our lives means that it is also difficult for businesses to keep up. This does not mean that the basics cannot be done well; indeed building a solid foundation is essential. Finding the time and resource to keep pace with opportunity and change is tough – the Information Commissioner’s Office itself recently commenced a consultation with “Adtech” businesses in order to better understand the issues arising and current practices. The amount of processing taking place “behind the scenes” in order to generate a relevant “pop up” advert on your device’s screen is fascinating, but (at present) fairly opaque.

This state of flux is reflected in the development of the local marketplace. Initially, the focus was on ensuring that the customers’ data was protected and the business’ infrastructure was reviewed and policies updated. Since then, the focus has turned towards the supply chain – what measures of protection are in place when dealing with outsourced service providers, suppliers and other third parties? One only has to mention “Target” to remind people of the importance of ensuring that your own security measures are only effective if mirrored by suppliers. We have been working with clients to update and overhaul existing contractual arrangements to ensure supply chain measures are robust.

Cyber security concerns are endemic, and rightly so. However, there are many simple steps that businesses can take to ensure a basic level of security and mitigate the risks to a manageable level. As Guernsey’s Data Protection Authority noted in its recent newsletter, most of the data breach issues they are seeing arise from human error. These include using incorrect email addresses, sending the wrong attachment and failing to “blind copy” addressees to emails. These are essentially issues of awareness and training. Phishing emails continue to be a big threat, and there are of course nation states out there employing factories of hackers to try to breach our collective defences, but it is often these basic errors that are the most costly.

We have also seen a rise in the number of Data Subject Access Requests (DSARs). There is a measure of trepidation around handling one correctly, given their novelty for some businesses. There are many misconceptions around DSARs which persist, despite case law to the contrary (you are not automatically entitled to a copy of every document on file, for example). It is important to establish a process and take advice (if needed) on your approach to responding to DSARs, as it is easier to apply good practice (and eliminate errors) and embed it if the approach is correct at the outset. It remains to be seen whether DSARs will remain “popular”, but we are increasingly seeing them used as a tool by disgruntled employees, so expect more on that front!

The next few months will be interesting, with transition coming to an end and the Irish Data Protection Commissioner confirming that there will be some announcements over the summer in relation to their investigations into Facebook (and others). A lot has happened in the past twelve months, there is similarly a lot on the horizon for the next twelve months – watch this space!

Share
Twitter LinkedIn Email Save as PDF
More Publications
7 Jun 2022

New Regulations and Requirements for Local Charities

The Charities etc. (Guernsey and Alderney) Ordinance, 2021 (Ordinance) and the raft of regulations t...

Contributors: Lisa Upham
20 May 2022

Lasting Powers of Attorney

The long-awaited Capacity (Lasting Powers of Attorney) (Bailiwick of Guernsey) Ordinance, 2022 (LPA ...

23 Feb 2022

Anonymisation of decisions: an invitation to consider this more but the unscrupulous need not apply!

The adage that ‘justice must not only be done, but must also be seen to be done” derives from a ...

7 Dec 2021

Notaries, E-Apostilles and Technological Changes

Notaries form the oldest branch of the legal profession. Their origins can be traced back to the Ro...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

5 Oct 2021

Notaries: Are Simple Certifications a Thing Anymore?

Notaries are primarily concerned with the authentication and certification of signatures, authority ...

30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...

4 May 2021

New Private Investment Funds in Guernsey

In December 2020, the Guernsey Financial Services Commission (Commission) published a consultation p...

16 Mar 2021

Guernsey Structures - The Cannabis Investment Conundrum

Jurisdictions around the world have adopted different positions in relation to the legality of the c...