On the same day as the GDPR came into effect, the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) came into force in order to align Guernsey’s data protection regime with the GDPR.

Since this time, organisations have continued to deal with the challenges the Law brings. Whilst there was, and still is, much work to do for organisations to ensure compliance with the new regime, there have been many positives for individuals and organisations alike.

Why was change required?

From a technological and data perspective, the world is a very different place today in comparison to when The Data Protection (Bailiwick of Guernsey) Law, 2001 was enacted. The internet was in its infancy and was not widely available to all. It seems so unimaginable today, but at that time, not everyone had a mobile phone. It meant that the way in which data was used and shared was fairly limited.

Fast forward a number of years and the situation is vastly different. We face unprecedented times in relation to cyber security risks posed to both individuals and organisations. The internet is widely accessible and people can organise more or less every aspect of their lives via their mobile phone. This has resulted in a huge increase in the amount of data and a revolution in the way in which it is used and shared. Globally, data protection regimes were not fit for purpose. They simply could not keep up with the digital world.

Whilst Guernsey had been ahead of the curve (in that it has had data protection legislation since 1986), the regime had become outdated and required updating. The focus of the Law was to provide increased data protection for the public and reinforce the obligations on organisations. As a result, the Law brought in a number of changes by introducing:

  • Refined measures on how consent can be obtained and when it could be relied upon.
  • Enhanced rights for individuals around how data is processed and accessed, how data can be rectified, erased or transferred as well as the right to object to processing in certain circumstances.
  • Accountability and governance obligations in addition to notification obligations in the event of a data breach.
  • Requirements in relation to the transfer of personal data between parties and between jurisdictions, with a particular emphasis on data transfers outside of the EU.

Where are we now?

Data and privacy has rarely moved out of the spotlight since the new regime came into force. For organisations it has been a busy time, not least because of the additional items that had to be dealt with during the “transitional period” which has recently ended.

Whilst the new regime in Guernsey may have brought some challenges with it and will continue to do so for some time, it has also served to bring a number of positives.

The new regime has allowed individuals to realise the potential of their data but this is also true for organisations – data can be an invaluable asset. The Law meant organisations had to get to grips with the data they held and whilst this may have been viewed as a burdensome task at the outset, the benefits of good quality data sets will be evident from a decision making, productivity, compliance and marketing perspective.

We have also seen a move towards transparency and trust which will help organisations retain their existing customer base as well as attracting new customers as consumer confidence continues to grow in an increasingly digital marketplace. Trust is key in the online world. In addition, having a strong GDPR-compliant framework which extends and modifies cyber security practices will assist in combating the very real threat of a cyber attack.

Increasingly, organisations are bringing ethics into their data protection practices, moving compliance on from simply complying with the law.

The next chapter

The Office of the Data Protection Authority (the Authority) has recently published its strategic plan for 2019-2022 which is designed to implement the Authority’s goal to deliver effective and independent data protection regulation. Similarly, data protection and security should be an integral part of any organisation’s strategic plan.

The Authority has also recently issued its first press release on enforcement action, a reprimand issued to the Policy and Resources Committee of the States of Guernsey for wrongful disclosure of health data of a staff member. Whilst there are other enforcement measures in the pipeline and it has taken some time for this step to be taken, it also demonstrates a pragmatic approach being taken. Engagement is still the primary focus.

Data protection is a topic that will stay top of the agenda for boards for some time to come; compliance certainly cannot be seen as a tick-box exercise that was undertaken in the lead up to the Law coming into effect and not to be looked at again. Ongoing compliance is key to success. Indeed, the UK Information Commissioner’s Office views data protection as “an enabler of growth and innovation” for organisations.

It is without question that further challenges lie ahead and the next few months will be interesting. However, now that the initial hard work and trepidation is over, organisations can continue to build on the changes they have made to date and focus on reaping the benefits that compliance with the new regime can bring.

Richard Field

Partner: Guernsey

T +44 (0)1481 755 610
E Email Richard

Richard Sheldon

Group Partner*: Guernsey, Jersey

T +44 (0)1481 755 904
E Email Richard

Twitter LinkedIn Email Save as PDF
More Publications
27 Sep 2022

Similar but Different

While the basic features of the trust remain, there are some notable differences in how trusts can b...

7 Sep 2022

ESG Series Part 1: Climate Change – What on Earth is going on?

‘ESG’ has well and truly arrived, and has triggered a new age in business and financial investme...

7 Jun 2022

New Regulations and Requirements for Local Charities

The Charities etc. (Guernsey and Alderney) Ordinance, 2021 (Ordinance) and the raft of regulations t...

Contributors: Lisa Upham
20 May 2022

Lasting Powers of Attorney

The long-awaited Capacity (Lasting Powers of Attorney) (Bailiwick of Guernsey) Ordinance, 2022 (LPA ...

23 Feb 2022

Anonymisation of decisions: an invitation to consider this more but the unscrupulous need not apply!

The adage that ‘justice must not only be done, but must also be seen to be done” derives from a ...

7 Dec 2021

Notaries, E-Apostilles and Technological Changes

Notaries form the oldest branch of the legal profession. Their origins can be traced back to the Ro...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

5 Oct 2021

Notaries: Are Simple Certifications a Thing Anymore?

Notaries are primarily concerned with the authentication and certification of signatures, authority ...

30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...