By the time this article goes to press, Guernsey will (hopefully) have published the its new draft Data Protection Law and are set to formally debate it in October, with Jersey to follow soon after. This should then mean there is a fresh drive towards implementation in many businesses ahead of the new law coming into force in May 2018, as we will then know how it will operate locally, rather than attempting to second guess based on what people in the UK are doing.

One of the key changes to the existing regime is going to be a much stricter definition of consent, which will require consent to be:

Clearly demonstrable – There must be an audit trail to show consent has actually been given.

Freely given – The data subjects must be able to refuse consent without detriment and/or there must not be a clear imbalance of bargaining power with the controller. In addition, it is unlikely to be acceptable if the performance of a contract (including the provision of a service) is made conditional upon the consent, which is not necessary for the performance.

Able to be withdrawn – The individual must be informed of their right to withdraw consent in advance, and the process for withdrawal must be as easy as that for giving consent.

Clearly distinguishable, intelligible and in clear and plain language – This is an additional requirement where consent is given in the contest of other matters, as will often be the case. For anyone who has actually read the GDPR which has 173 recitals of largely unintelligible legal jargon before the operative provisions even begin, the final requirement that consent should be in plain language is just a little ironic.

What does this mean in practice? Well for a start existing consents will need to be reviewed to understand if they remain valid. In the context of financial and professional services many businesses currently rely on the data protection clauses within their terms and conditions of business as the basis upon which consent has been given. However, for example, where that information is held on a marketing database, it is questionable now whether that would be considered “freely given” unless there is some other evidence of consent. Even more fundamentally, often the party signing the terms and conditions, and the individual on which you hold personal data are not even the same person, meaning that even under the current law you would not have valid consent.

The consequence of this new tighter approach on consent is that it will force businesses to consider whether there is a more appropriate basis on which personal data can be processed, such as the “legitimate interests” condition. Whilst this is certainly not a carte blanche to do whatever you want as it requires an assessment to be made considering the competing interests of those involved and information should be provided in the form of privacy notices, it will be the solution many turn to. For those that do, the key will be transparency and having in place good policies and procedures as to how assessments will be made. This process will without a doubt require an amount of effort for all businesses; in the long term this should be viewed as an investment. If you have any doubt how important the topic of data protection and security is, just ask Mossack Fonseca how their business is doing …

Twitter LinkedIn Email Save as PDF
More Publications
30 Jul 2021 |

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
20 May 2021 |

The Gender Pay Gap Debate – a response to comments on social media

As a lawyer the majority of articles we write are about a particular case or a legal issue – which...

4 May 2021 |

New Private Investment Funds in Guernsey

In December 2020, the Guernsey Financial Services Commission (Commission) published a consultation p...

Contributors: Oratile Jonas
16 Mar 2021 |

Guernsey Structures - The Cannabis Investment Conundrum

Jurisdictions around the world have adopted different positions in relation to the legality of the c...

12 Mar 2021 |

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021 |

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...

23 Feb 2021 |

Fit and Proper in the Channel Islands – A Regulatory Enforcement Update

It is sometimes easy to forget with all that has happened over the last 12 months that there was a w...

27 Jan 2021 |

Levies, registration and all that jazz

Regulatory markets evolve at various speeds and the data protection regime is one example of a marke...

6 Jan 2021 |

Executors navigating the “perfect (company) storm”

Corporate governance has become one of the most hotly debated topics in recent years. Whether it be ...

Contributors: Paula Fry