The Amendment Regulations came into force on 25 May 2019 and amend The Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 (the 2018 Regulations).  You’ll recall that the 2018 Regulations provided additional detail to the broad framework in the Law. Set out below is a summary of the main changes brought about by the Amendment Regulations.

Registration

The 2018 Regulations required all controllers and processors to register with the Data Protection Authority (the Authority) and to pay £50 in respect of such registration applications. There were certain limited exemptions to this requirement which were set out in regulations 2(2) and 17 of the 2018 Regulations. These exemptions were due to cease having effect on 25 May 2019.

The Amendment Regulations have extended the transitional period for registration to 1 January 2020 and extended the application of the exemptions referred to above (including exemption from paying the fee) to the same date. Whilst the extension of the exemptions will be welcomed in some quarters, the majority of controllers and processors remain under an obligation to register (and pay the fee).

Information required to register

Under the 2018 Regulations, a substantial amount of information had to be provided as part of the registration application. The Amendment Regulations have significantly reduced the information required to the following:

  • name, principal business address and contact details of the applicant;
  • whether the applicant has nominated a representative (and the name, principal business address and contact details of the representative);
  • whether the applicant is a controller or processor (or both) in respect of the personal data being or to be processed;
  • –        contact details of any data protection officer (DPO) appointed in respect of the applicant; and
  • any other information required by the Authority in connection with the application.

The Amendment Regulations have also reduced the information required in the event that a controller or processor notifies the Authority of any changes to its registered particulars.

These changes reduce the amount of information required to register and importantly, doesn’t require disclosure of any general description of security measures, which had caused some concern within industry. That said, don’t forget the “transparency principle”, which requires that information as to what steps are being taken in respect of data is made available to individuals or published (in privacy notices, for example).

You may not have to complete a lengthy form to register, but you should nevertheless still be communicating the information to individuals.

Public register

Regulation 4 of the 2018 Regulations required the Authority to maintain and publish a register of particulars of each controller and processor.  The Amendment Regulations remove the requirement for the Authority to publish the register. As such, it will not be publicly available.

Whilst there has been some concern as to whether such a step is “transparent”, one should bear in mind that GDPR contains no registration requirement, such that individuals are entirely reliant on the information presented to them by organisations to whom they send their data. Whilst we retain a registration requirement, we are in no worse a position that those in the EU. In that regard, the information the Law requires businesses to present to individuals in terms of what will happen to their data remains paramount. The change also means that the Authority will be collecting far fewer data sets, which will free resources to focus on broader compliance issues.

Requirement to pay annual levies

Controllers and processors were required under the 2018 Regulations to pay an annual levy for each year that they were registered with the Authority and if they failed to do so, were liable to pay a penalty for late payment. Regulation 6(4) of the 2018 Regulations set out certain exemptions as to payment of the levy/penalty, which were due to cease on 25 May 2019. The Amendment Regulations have extended the application of these exemptions to 1 January 2020.

Insurance businesses

The 2018 Regulations set out circumstances in which insurers were able to process health data of certain individuals (other than the insured), without their consent. The Amendment Regulations have provided clarity as to the circumstances in which insurance businesses can process health or criminal data.

The most important change is that processing can be undertaken where necessary for a purpose that is “in the public interest” and it related to the carrying on of an insurance business. In practical terms, this enables insurance businesses to process special category data for the purposes of investigating claims, which has the benefit of reducing fraudulent claims and the like. This has proved a tricky area to address, and there may be further changes in respect of insurance business in due course.

Summary

The changes brought in by the Amendment Regulations are to be welcomed, providing additional time for compliance in some areas and highlighting registration as a core area of focus in the months to come. It also provides some welcome clarity around processing undertaken by insurance businesses, which is consistent with the position adopted in the UK and Jersey.

Whilst there are some changes around registrable particulars, they remain consistent with the broad transparency requirements of the Law. In a time when there are almost weekly developments in this area, being flexible and adapting to developments in a maturing area of the law is of great benefit, even if the “anniversary present” means more work!

Share
Twitter LinkedIn Email Save as PDF
More Publications
2 Apr 2020 |

Putting the Green into Greenback

“The point is, ladies and gentleman, that greed, for lack of a better word, is good.” Gordon Gek...

20 Mar 2020 |

The Future, Now...?

“Is this the real life, is this just fantasy? Caught in a landslide, no escape from reality” ...

19 Mar 2020 |

Changes to Guernsey’s Corporate Insolvency Law and the Winding Up of Foreign Companies

January 2020 saw the States of Guernsey pass of the Companies (Guernsey) Law, 2008 (Insolvency) (Ame...

Contributors: Andrew Murphy
13 Mar 2020 |

Appleby contributes five chapters to Global Legal Insights – Fund Finance 2020

Appleby provided five chapters to the Global Legal Insights - Fund Finance 2020 Guide. The publicati...

28 Feb 2020 |

Climate Change for Investors

Innovation is a multi-faceted concept; it might involve wholesale technical change, utilising cuttin...

Contributors: Paula Fry
17 Feb 2020 |

Reflections on The "Combatting and Investigating Financial Crime" Seminar

Appleby recently hosted a breakfast seminar on practical experiences of combatting and investigating...

4 Feb 2020 |

Question(ing) Time

2020 - a new year, combined with a new decade. For some, it brings a newfound (and likely short-live...

31 Jan 2020 |

Brexit Day has arrived: What does that mean for Jersey, Guernsey and the Isle of Man?

Brexit Day has arrived, and at 11 o’clock this evening the UK’s EU membership will come to an en...

19 Dec 2019 |

Substance Matters

In 2017, the EU Code of Conduct Group (the Group) reviewed the tax policies of various non-EU countr...

Contributors: Jennifer Rosser
11 Dec 2019 |

Channel Islands: Year in Review

2019 has been an interesting year for the Channel Islands, to say the least. Global macro-economic ...

Contributors: Jeremy Berchem