By the time this article goes to press, Guernsey will (hopefully) have published the its new draft Data Protection Law and are set to formally debate it in October, with Jersey to follow soon after. This should then mean there is a fresh drive towards implementation in many businesses ahead of the new law coming into force in May 2018, as we will then know how it will operate locally, rather than attempting to second guess based on what people in the UK are doing.

One of the key changes to the existing regime is going to be a much stricter definition of consent, which will require consent to be:

Clearly demonstrable – There must be an audit trail to show consent has actually been given.

Freely given – The data subjects must be able to refuse consent without detriment and/or there must not be a clear imbalance of bargaining power with the controller. In addition, it is unlikely to be acceptable if the performance of a contract (including the provision of a service) is made conditional upon the consent, which is not necessary for the performance.

Able to be withdrawn – The individual must be informed of their right to withdraw consent in advance, and the process for withdrawal must be as easy as that for giving consent.

Clearly distinguishable, intelligible and in clear and plain language – This is an additional requirement where consent is given in the contest of other matters, as will often be the case. For anyone who has actually read the GDPR which has 173 recitals of largely unintelligible legal jargon before the operative provisions even begin, the final requirement that consent should be in plain language is just a little ironic.

What does this mean in practice? Well for a start existing consents will need to be reviewed to understand if they remain valid. In the context of financial and professional services many businesses currently rely on the data protection clauses within their terms and conditions of business as the basis upon which consent has been given. However, for example, where that information is held on a marketing database, it is questionable now whether that would be considered “freely given” unless there is some other evidence of consent. Even more fundamentally, often the party signing the terms and conditions, and the individual on which you hold personal data are not even the same person, meaning that even under the current law you would not have valid consent.

The consequence of this new tighter approach on consent is that it will force businesses to consider whether there is a more appropriate basis on which personal data can be processed, such as the “legitimate interests” condition. Whilst this is certainly not a carte blanche to do whatever you want as it requires an assessment to be made considering the competing interests of those involved and information should be provided in the form of privacy notices, it will be the solution many turn to. For those that do, the key will be transparency and having in place good policies and procedures as to how assessments will be made. This process will without a doubt require an amount of effort for all businesses; in the long term this should be viewed as an investment. If you have any doubt how important the topic of data protection and security is, just ask Mossack Fonseca how their business is doing …

Twitter LinkedIn Email Save as PDF
More Publications
27 Sep 2022

Similar but Different

While the basic features of the trust remain, there are some notable differences in how trusts can b...

7 Sep 2022

ESG Series Part 1: Climate Change – What on Earth is going on?

‘ESG’ has well and truly arrived, and has triggered a new age in business and financial investme...

7 Jun 2022

New Regulations and Requirements for Local Charities

The Charities etc. (Guernsey and Alderney) Ordinance, 2021 (Ordinance) and the raft of regulations t...

Contributors: Lisa Upham
20 May 2022

Lasting Powers of Attorney

The long-awaited Capacity (Lasting Powers of Attorney) (Bailiwick of Guernsey) Ordinance, 2022 (LPA ...

23 Feb 2022

Anonymisation of decisions: an invitation to consider this more but the unscrupulous need not apply!

The adage that ‘justice must not only be done, but must also be seen to be done” derives from a ...

7 Dec 2021

Notaries, E-Apostilles and Technological Changes

Notaries form the oldest branch of the legal profession. Their origins can be traced back to the Ro...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

5 Oct 2021

Notaries: Are Simple Certifications a Thing Anymore?

Notaries are primarily concerned with the authentication and certification of signatures, authority ...

30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...