On the same day as the GDPR came into effect, the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) came into force in order to align Guernsey’s data protection regime with the GDPR.

Since this time, organisations have continued to deal with the challenges the Law brings. Whilst there was, and still is, much work to do for organisations to ensure compliance with the new regime, there have been many positives for individuals and organisations alike.

Why was change required?

From a technological and data perspective, the world is a very different place today in comparison to when The Data Protection (Bailiwick of Guernsey) Law, 2001 was enacted. The internet was in its infancy and was not widely available to all. It seems so unimaginable today, but at that time, not everyone had a mobile phone. It meant that the way in which data was used and shared was fairly limited.

Fast forward a number of years and the situation is vastly different. We face unprecedented times in relation to cyber security risks posed to both individuals and organisations. The internet is widely accessible and people can organise more or less every aspect of their lives via their mobile phone. This has resulted in a huge increase in the amount of data and a revolution in the way in which it is used and shared. Globally, data protection regimes were not fit for purpose. They simply could not keep up with the digital world.

Whilst Guernsey had been ahead of the curve (in that it has had data protection legislation since 1986), the regime had become outdated and required updating. The focus of the Law was to provide increased data protection for the public and reinforce the obligations on organisations. As a result, the Law brought in a number of changes by introducing:

  • Refined measures on how consent can be obtained and when it could be relied upon.
  • Enhanced rights for individuals around how data is processed and accessed, how data can be rectified, erased or transferred as well as the right to object to processing in certain circumstances.
  • Accountability and governance obligations in addition to notification obligations in the event of a data breach.
  • Requirements in relation to the transfer of personal data between parties and between jurisdictions, with a particular emphasis on data transfers outside of the EU.

Where are we now?

Data and privacy has rarely moved out of the spotlight since the new regime came into force. For organisations it has been a busy time, not least because of the additional items that had to be dealt with during the “transitional period” which has recently ended.

Whilst the new regime in Guernsey may have brought some challenges with it and will continue to do so for some time, it has also served to bring a number of positives.

The new regime has allowed individuals to realise the potential of their data but this is also true for organisations – data can be an invaluable asset. The Law meant organisations had to get to grips with the data they held and whilst this may have been viewed as a burdensome task at the outset, the benefits of good quality data sets will be evident from a decision making, productivity, compliance and marketing perspective.

We have also seen a move towards transparency and trust which will help organisations retain their existing customer base as well as attracting new customers as consumer confidence continues to grow in an increasingly digital marketplace. Trust is key in the online world. In addition, having a strong GDPR-compliant framework which extends and modifies cyber security practices will assist in combating the very real threat of a cyber attack.

Increasingly, organisations are bringing ethics into their data protection practices, moving compliance on from simply complying with the law.

The next chapter

The Office of the Data Protection Authority (the Authority) has recently published its strategic plan for 2019-2022 which is designed to implement the Authority’s goal to deliver effective and independent data protection regulation. Similarly, data protection and security should be an integral part of any organisation’s strategic plan.

The Authority has also recently issued its first press release on enforcement action, a reprimand issued to the Policy and Resources Committee of the States of Guernsey for wrongful disclosure of health data of a staff member. Whilst there are other enforcement measures in the pipeline and it has taken some time for this step to be taken, it also demonstrates a pragmatic approach being taken. Engagement is still the primary focus.

Data protection is a topic that will stay top of the agenda for boards for some time to come; compliance certainly cannot be seen as a tick-box exercise that was undertaken in the lead up to the Law coming into effect and not to be looked at again. Ongoing compliance is key to success. Indeed, the UK Information Commissioner’s Office views data protection as “an enabler of growth and innovation” for organisations.

It is without question that further challenges lie ahead and the next few months will be interesting. However, now that the initial hard work and trepidation is over, organisations can continue to build on the changes they have made to date and focus on reaping the benefits that compliance with the new regime can bring.

Twitter LinkedIn Email Save as PDF

Richard Field

Partner: Guernsey

T +44 (0)1481 755 610
E Email Richard

Richard Sheldon

Group Partner*: Guernsey, Jersey

T +44 (0)1481 755 904
E Email Richard

Jennifer Rosser

Associate*: Guernsey

T +44 (0)1481 755 901
E Email Jennifer

More Publications
2 Apr 2020 |

Putting the Green into Greenback

“The point is, ladies and gentleman, that greed, for lack of a better word, is good.” Gordon Gek...

20 Mar 2020 |

The Future, Now...?

“Is this the real life, is this just fantasy? Caught in a landslide, no escape from reality” ...

19 Mar 2020 |

Changes to Guernsey’s Corporate Insolvency Law and the Winding Up of Foreign Companies

January 2020 saw the States of Guernsey pass of the Companies (Guernsey) Law, 2008 (Insolvency) (Ame...

Contributors: Andrew Murphy
13 Mar 2020 |

Appleby contributes five chapters to Global Legal Insights – Fund Finance 2020

Appleby provided five chapters to the Global Legal Insights - Fund Finance 2020 Guide. The publicati...

28 Feb 2020 |

Climate Change for Investors

Innovation is a multi-faceted concept; it might involve wholesale technical change, utilising cuttin...

Contributors: Paula Fry
17 Feb 2020 |

Reflections on The "Combatting and Investigating Financial Crime" Seminar

Appleby recently hosted a breakfast seminar on practical experiences of combatting and investigating...

4 Feb 2020 |

Question(ing) Time

2020 - a new year, combined with a new decade. For some, it brings a newfound (and likely short-live...

31 Jan 2020 |

Brexit Day has arrived: What does that mean for Jersey, Guernsey and the Isle of Man?

Brexit Day has arrived, and at 11 o’clock this evening the UK’s EU membership will come to an en...

19 Dec 2019 |

Substance Matters

In 2017, the EU Code of Conduct Group (the Group) reviewed the tax policies of various non-EU countr...

Contributors: Jennifer Rosser
11 Dec 2019 |

Channel Islands: Year in Review

2019 has been an interesting year for the Channel Islands, to say the least. Global macro-economic ...

Contributors: Jeremy Berchem