The Amendment Regulations came into force on 25 May 2019 and amend The Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (the 2018 Regulations). You’ll recall that the 2018 Regulations provided additional detail to the broad framework in the Law. Set out below is a summary of the main changes brought about by the Amendment Regulations.
The 2018 Regulations required all controllers and processors to register with the Data Protection Authority (the Authority) and to pay £50 in respect of such registration applications. There were certain limited exemptions to this requirement which were set out in regulations 2(2) and 17 of the 2018 Regulations. These exemptions were due to cease having effect on 25 May 2019.
The Amendment Regulations have extended the transitional period for registration to 1 January 2020 and extended the application of the exemptions referred to above (including exemption from paying the fee) to the same date. Whilst the extension of the exemptions will be welcomed in some quarters, the majority of controllers and processors remain under an obligation to register (and pay the fee).
Information required to register
Under the 2018 Regulations, a substantial amount of information had to be provided as part of the registration application. The Amendment Regulations have significantly reduced the information required to the following:
- name, principal business address and contact details of the applicant;
- whether the applicant has nominated a representative (and the name, principal business address and contact details of the representative);
- whether the applicant is a controller or processor (or both) in respect of the personal data being or to be processed;
- contact details of any data protection officer (DPO) appointed in respect of the applicant; and
- any other information required by the Authority in connection with the application.
The Amendment Regulations have also reduced the information required in the event that a controller or processor notifies the Authority of any changes to its registered particulars.
These changes reduce the amount of information required to register and, importantly, don’t require disclosure of any general description of security measures, which had caused some concern within industry. That said, don’t forget the “transparency principle”, which requires that information as to what steps are being taken in respect of data is made available to individuals or published (in privacy notices, for example).
You may not have to complete a lengthy form to register, but you should nevertheless still be communicating the information to individuals.
Regulation 4 of the 2018 Regulations required the Authority to maintain and publish a register of particulars of each controller and processor. The Amendment Regulations remove the requirement for the Authority to publish the register. As such, it will not be publicly available.
Whilst there has been some concern as to whether such a step is “transparent”, one should bear in mind that GDPR contains no registration requirement, such that individuals are entirely reliant on the information presented to them by organisations to whom they send their data. Whilst we retain a registration requirement, we are in no worse a position than those in the EU. In that regard, the information the Law requires businesses to present to individuals in terms of what will happen to their data remains paramount. The change also means that the Authority will be collecting far fewer data sets, which will free resources to focus on broader compliance issues.
Requirement to pay annual levies
Controllers and processors were required under the 2018 Regulations to pay an annual levy for each year that they were registered with the Authority and if they failed to do so, were liable to pay a penalty for late payment. Regulation 6(4) of the 2018 Regulations set out certain exemptions as to payment of the levy/penalty, which were due to cease on 25 May 2019. The Amendment Regulations have extended the application of these exemptions to 1 January 2020.
The 2018 Regulations set out circumstances in which insurers were able to process health data of certain individuals (other than the insured), without their consent. The Amendment Regulations have provided clarity as to the circumstances in which insurance businesses can process health or criminal data.
The most important change is that processing can be undertaken where necessary for a purpose that is “in the public interest” and it relates to the carrying on of an insurance business. In practical terms, this enables insurance businesses to process special category data for the purposes of investigating claims, which has the benefit of reducing fraudulent claims and the like. This has proved a tricky area to address, and there may be further changes in respect of insurance business in due course.
The changes brought in by the Amendment Regulations are to be welcomed, providing additional time for compliance in some areas and highlighting registration as a core area of focus in the months to come. They also provide some welcome clarity around processing undertaken by insurance businesses, which is consistent with the position adopted in the UK and Jersey.
Whilst there are some changes around registrable particulars, they remain consistent with the broad transparency requirements of the Law. In a time when there are almost weekly developments in this area, being flexible and adapting to developments in a maturing area of the law is of great benefit, even if the “anniversary present” means more work!