On the same day as the GDPR came into effect, the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) came into force in order to align Guernsey’s data protection regime with the GDPR.

Since this time, organisations have continued to deal with the challenges the Law brings. Whilst there was, and still is, much work to do for organisations to ensure compliance with the new regime, there have been many positives for individuals and organisations alike.

Why was change required?

From a technological and data perspective, the world is a very different place today in comparison to when The Data Protection (Bailiwick of Guernsey) Law, 2001 was enacted. The internet was in its infancy and was not widely available to all. It seems so unimaginable today, but at that time, not everyone had a mobile phone. It meant that the way in which data was used and shared was fairly limited.

Fast forward a number of years and the situation is vastly different. We face unprecedented times in relation to cyber security risks posed to both individuals and organisations. The internet is widely accessible and people can organise more or less every aspect of their lives via their mobile phone. This has resulted in a huge increase in the amount of data and a revolution in the way in which it is used and shared. Globally, data protection regimes were not fit for purpose. They simply could not keep up with the digital world.

Whilst Guernsey had been ahead of the curve (in that it has had data protection legislation since 1986), the regime had become outdated and required updating. The focus of the Law was to provide increased data protection for the public and reinforce the obligations on organisations. As a result, the Law brought in a number of changes by introducing:

  • Refined measures on how consent can be obtained and when it could be relied upon.
  • Enhanced rights for individuals around how data is processed and accessed, how data can be rectified, erased or transferred as well as the right to object to processing in certain circumstances.
  • Accountability and governance obligations in addition to notification obligations in the event of a data breach.
  • Requirements in relation to the transfer of personal data between parties and between jurisdictions, with a particular emphasis on data transfers outside of the EU.

Where are we now?

Data and privacy have rarely moved out of the spotlight since the new regime came into force. For organisations it has been a busy time, not least because of the additional items that had to be dealt with during the “transitional period” which has recently ended.

Whilst the new regime in Guernsey may have brought some challenges with it and will continue to do so for some time, it has also served to bring a number of positives.

The new regime has allowed individuals to realise the potential of their data but this is also true for organisations – data can be an invaluable asset. The Law meant organisations had to get to grips with the data they held and whilst this may have been viewed as a burdensome task at the outset, the benefits of good quality data sets will be evident from a decision making, productivity, compliance and marketing perspective.

We have also seen a move towards transparency and trust which will help organisations retain their existing customer base as well as attracting new customers as consumer confidence continues to grow in an increasingly digital marketplace. Trust is key in the online world. In addition, having a strong GDPR-compliant framework which extends and modifies cyber security practices will assist in combating the very real threat of a cyber attack.

Increasingly, organisations are bringing ethics into their data protection practices, moving compliance on from simply complying with the law.

The next chapter

The Office of the Data Protection Authority (the Authority) has recently published its strategic plan for 2019-2022 which is designed to implement the Authority’s goal to deliver effective and independent data protection regulation. Similarly, data protection and security should be an integral part of any organisation’s strategic plan.

The Authority has also recently issued its first press release on enforcement action, a reprimand issued to the Policy and Resources Committee of the States of Guernsey for wrongful disclosure of health data of a staff member. Whilst there are other enforcement measures in the pipeline and it has taken some time for this step to be taken, it also demonstrates that a pragmatic approach is being taken. Engagement is still the primary focus.

Data protection is a topic that will stay top of the agenda for boards for some time to come; compliance certainly cannot be seen as a tick-box exercise that was undertaken in the lead-up to the Law coming into effect and never looked at again. Ongoing compliance is key to success. Indeed, the UK Information Commissioner’s Office views data protection as “an enabler of growth and innovation” for organisations.

It is without question that further challenges lie ahead and the next few months will be interesting. However, now that the initial hard work and trepidation are over, organisations can continue to build on the changes they have made to date and focus on reaping the benefits that compliance with the new regime can bring.


Richard Field

Partner: Guernsey

T +44 (0)1481 755 610

Richard Sheldon

Group Partner*: Guernsey, Jersey

T +44 (0)1481 755 904

Jennifer Rosser

Associate*: Guernsey

T +44 (0)1481 755 901
