25 May 2018 – a date which is imprinted on many people’s memories, as the EU’s General Data Protection Regulation (GDPR) was enforced from this date. Guernsey had of course been busy in the previous two years producing its equivalent legislation, which came into force on the same day. Move the dial forward a year and the impending end of the “transition period” has prompted a fresh wave of work to ensure any items left in abeyance from May 2018 are addressed.

The past twelve months has seen privacy and data protection skyrocket in terms of coverage and awareness. The hottest topics in our digital age, not a day goes by without significant developments occurring somewhere in the world. Privacy is at the forefront of public awareness and a major area of focus for legislative bodies across the world. Once Apple starts making adverts about privacy, you know it is important…

Whilst there was some scepticism as to whether the GDPR standard could extend its tentacles beyond Europe, a significant number of jurisdictions have since reformed their laws, established or overhauled existing regulatory bodies and pushed businesses to take the issue seriously. Regardless of whether this is motivated by economic factors (fear of missing out on technology and trading advantages that the free flow of data provides) or concern for human rights, the momentum is irreversible.

New technologies mean that regulators are constantly playing “catch up”, but there is a clear move towards transparency, choice and “trust”. Market forces are dictating that those who safeguard our data will see more of our business, particularly in the online marketplace.

Take the Facebook/Cambridge Analytica scandal; the fallout prompted the UK Government to commission an investigation into the use of data in political campaigning. We have subsequently seen prosecutions, demands for reform and a global recognition that data misuse is a major concern.

The bewildering, overarching impact of data protection on all areas of our lives means that it is also difficult for businesses to keep up. This does not mean that the basics cannot be done well; indeed building a solid foundation is essential. Finding the time and resource to keep pace with opportunity and change is tough – the Information Commissioner’s Office itself recently commenced a consultation with “Adtech” businesses in order to better understand the issues arising and current practices. The amount of processing taking place “behind the scenes” in order to generate a relevant “pop up” advert on your device’s screen is fascinating, but (at present) fairly opaque.

This state of flux is reflected in the development of the local marketplace. Initially, the focus was on ensuring that the customers’ data was protected and the business’ infrastructure was reviewed and policies updated. Since then, the focus has turned towards the supply chain – what measures of protection are in place when dealing with outsourced service providers, suppliers and other third parties? One only has to mention “Target” to remind people of the importance of ensuring that your own security measures are only effective if mirrored by suppliers. We have been working with clients to update and overhaul existing contractual arrangements to ensure supply chain measures are robust.

Cyber security concerns are endemic, and rightly so. However, there are many simple steps that businesses can take to ensure a basic level of security and mitigate the risks to a manageable level. As Guernsey’s Data Protection Authority noted in its recent newsletter, most of the data breach issues they are seeing arise from human error. These include using incorrect email addresses, sending the wrong attachment and failing to “blind copy” addressees to emails. These are essentially issues of awareness and training. Phishing emails continue to be a big threat, and there are of course nation states out there employing factories of hackers to try to breach our collective defences, but it is often these basic errors that are the most costly.

We have also seen a rise in the number of Data Subject Access Requests (DSARs). There is a measure of trepidation around handling one correctly, given their novelty for some businesses. There are many misconceptions around DSARs which persist, despite case law to the contrary (you are not automatically entitled to a copy of every document on file, for example). It is important to establish a process and take advice (if needed) on your approach to responding to DSARs, as it is easier to apply good practice (and eliminate errors) and embed it if the approach is correct at the outset. It remains to be seen whether DSARs will remain “popular”, but we are increasingly seeing them used as a tool by disgruntled employees, so expect more on that front!

The next few months will be interesting, with transition coming to an end and the Irish Data Protection Commissioner confirming that there will be some announcements over the summer in relation to their investigations into Facebook (and others). A lot has happened in the past twelve months, there is similarly a lot on the horizon for the next twelve months – watch this space!

Twitter LinkedIn Email Save as PDF
More Publications
2 Apr 2020 |

Putting the Green into Greenback

“The point is, ladies and gentleman, that greed, for lack of a better word, is good.” Gordon Gek...

20 Mar 2020 |

The Future, Now...?

“Is this the real life, is this just fantasy? Caught in a landslide, no escape from reality” ...

19 Mar 2020 |

Changes to Guernsey’s Corporate Insolvency Law and the Winding Up of Foreign Companies

January 2020 saw the States of Guernsey pass of the Companies (Guernsey) Law, 2008 (Insolvency) (Ame...

Contributors: Andrew Murphy
13 Mar 2020 |

Appleby contributes five chapters to Global Legal Insights – Fund Finance 2020

Appleby provided five chapters to the Global Legal Insights - Fund Finance 2020 Guide. The publicati...

28 Feb 2020 |

Climate Change for Investors

Innovation is a multi-faceted concept; it might involve wholesale technical change, utilising cuttin...

Contributors: Paula Fry
17 Feb 2020 |

Reflections on The "Combatting and Investigating Financial Crime" Seminar

Appleby recently hosted a breakfast seminar on practical experiences of combatting and investigating...

4 Feb 2020 |

Question(ing) Time

2020 - a new year, combined with a new decade. For some, it brings a newfound (and likely short-live...

31 Jan 2020 |

Brexit Day has arrived: What does that mean for Jersey, Guernsey and the Isle of Man?

Brexit Day has arrived, and at 11 o’clock this evening the UK’s EU membership will come to an en...

19 Dec 2019 |

Substance Matters

In 2017, the EU Code of Conduct Group (the Group) reviewed the tax policies of various non-EU countr...

Contributors: Jennifer Rosser
11 Dec 2019 |

Channel Islands: Year in Review

2019 has been an interesting year for the Channel Islands, to say the least. Global macro-economic ...

Contributors: Jeremy Berchem