The Amendment Regulations came into force on 25 May 2019 and amend The Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (the 2018 Regulations).  You’ll recall that the 2018 Regulations provided additional detail to the broad framework in the Law. Set out below is a summary of the main changes brought about by the Amendment Regulations.


The 2018 Regulations required all controllers and processors to register with the Data Protection Authority (the Authority) and to pay £50 in respect of such registration applications. There were certain limited exemptions to this requirement which were set out in regulations 2(2) and 17 of the 2018 Regulations. These exemptions were due to cease having effect on 25 May 2019.

The Amendment Regulations have extended the transitional period for registration to 1 January 2020 and extended the application of the exemptions referred to above (including exemption from paying the fee) to the same date. Whilst the extension of the exemptions will be welcomed in some quarters, the majority of controllers and processors remain under an obligation to register (and pay the fee).

Information required to register

Under the 2018 Regulations, a substantial amount of information had to be provided as part of the registration application. The Amendment Regulations have significantly reduced the information required to the following:

  • name, principal business address and contact details of the applicant;
  • whether the applicant has nominated a representative (and the name, principal business address and contact details of the representative);
  • whether the applicant is a controller or processor (or both) in respect of the personal data being or to be processed;
  • –        contact details of any data protection officer (DPO) appointed in respect of the applicant; and
  • any other information required by the Authority in connection with the application.

The Amendment Regulations have also reduced the information required in the event that a controller or processor notifies the Authority of any changes to its registered particulars.

These changes reduce the amount of information required to register and importantly, doesn’t require disclosure of any general description of security measures, which had caused some concern within industry. That said, don’t forget the “transparency principle”, which requires that information as to what steps are being taken in respect of data is made available to individuals or published (in privacy notices, for example).

You may not have to complete a lengthy form to register, but you should nevertheless still be communicating the information to individuals.

Public register

Regulation 4 of the 2018 Regulations required the Authority to maintain and publish a register of particulars of each controller and processor.  The Amendment Regulations remove the requirement for the Authority to publish the register. As such, it will not be publicly available.

Whilst there has been some concern as to whether such a step is “transparent”, one should bear in mind that GDPR contains no registration requirement, such that individuals are entirely reliant on the information presented to them by organisations to whom they send their data. Whilst we retain a registration requirement, we are in no worse a position that those in the EU. In that regard, the information the Law requires businesses to present to individuals in terms of what will happen to their data remains paramount. The change also means that the Authority will be collecting far fewer data sets, which will free resources to focus on broader compliance issues.

Requirement to pay annual levies

Controllers and processors were required under the 2018 Regulations to pay an annual levy for each year that they were registered with the Authority and if they failed to do so, were liable to pay a penalty for late payment. Regulation 6(4) of the 2018 Regulations set out certain exemptions as to payment of the levy/penalty, which were due to cease on 25 May 2019. The Amendment Regulations have extended the application of these exemptions to 1 January 2020.

Insurance businesses

The 2018 Regulations set out circumstances in which insurers were able to process health data of certain individuals (other than the insured), without their consent. The Amendment Regulations have provided clarity as to the circumstances in which insurance businesses can process health or criminal data.

The most important change is that processing can be undertaken where necessary for a purpose that is “in the public interest” and it related to the carrying on of an insurance business. In practical terms, this enables insurance businesses to process special category data for the purposes of investigating claims, which has the benefit of reducing fraudulent claims and the like. This has proved a tricky area to address, and there may be further changes in respect of insurance business in due course.


The changes brought in by the Amendment Regulations are to be welcomed, providing additional time for compliance in some areas and highlighting registration as a core area of focus in the months to come. It also provides some welcome clarity around processing undertaken by insurance businesses, which is consistent with the position adopted in the UK and Jersey.

Whilst there are some changes around registrable particulars, they remain consistent with the broad transparency requirements of the Law. In a time when there are almost weekly developments in this area, being flexible and adapting to developments in a maturing area of the law is of great benefit, even if the “anniversary present” means more work!

Twitter LinkedIn Email Save as PDF
More Publications
27 Sep 2022

Similar but Different

While the basic features of the trust remain, there are some notable differences in how trusts can b...

7 Sep 2022

ESG Series Part 1: Climate Change – What on Earth is going on?

‘ESG’ has well and truly arrived, and has triggered a new age in business and financial investme...

7 Jun 2022

New Regulations and Requirements for Local Charities

The Charities etc. (Guernsey and Alderney) Ordinance, 2021 (Ordinance) and the raft of regulations t...

Contributors: Lisa Upham
20 May 2022

Lasting Powers of Attorney

The long-awaited Capacity (Lasting Powers of Attorney) (Bailiwick of Guernsey) Ordinance, 2022 (LPA ...

23 Feb 2022

Anonymisation of decisions: an invitation to consider this more but the unscrupulous need not apply!

The adage that ‘justice must not only be done, but must also be seen to be done” derives from a ...

7 Dec 2021

Notaries, E-Apostilles and Technological Changes

Notaries form the oldest branch of the legal profession. Their origins can be traced back to the Ro...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

5 Oct 2021

Notaries: Are Simple Certifications a Thing Anymore?

Notaries are primarily concerned with the authentication and certification of signatures, authority ...

30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...